The following lists describe built-in Graylog functions by category. The lists are in alphabetical order.
Boolean
Boolean data is primarily associated with conditional statements, which allow different actions by changing control flow depending on whether a condition evaluates to true or false. Boolean functions determine Boolean values or operators.
| grok_exists
|
Checks if the given Grok pattern exists. |
| is_boolean
|
Checks whether a value is a boolean value (true or false). |
| is_collection
|
Checks whether a value is an iterable collection. |
| is_date
|
Checks whether a value is a date (of type DateTime). |
| is_double
|
Checks whether a value is a floating point value (of type double). |
| is_ip
|
Checks whether a value is an IP address (IPv4 or IPv6). |
| is_json
|
Checks whether a value is a parsed JSON tree. |
| is_list
|
Checks whether a value is an iterable list. |
| is_long
|
Checks whether a value is an integer value (of type long). |
| is_map
|
Checks whether a value is a map. |
| is_not_null
|
Checks whether a value is not null. |
| is_null
|
Checks whether a value is null. |
| is_number
|
Checks whether a value is a numeric value (of type long or double). |
| is_period
|
Checks whether a value is a time period (of type Period). |
| is_string
|
Checks whether a value is a string. |
| is_url
|
Checks whether a value is a parsed URL. |
| key_value
|
Extracts key/value pairs from a string. |
| lookup_string_list_contains
|
Looks up a value in the string list referenced by the key in the named lookup table. |
Boolean/Message Function
| cidr_match
|
Checks whether the given IP matches a CIDR pattern. |
| has_field
|
Checks whether the currently processed message contains the named field. |
Conversion
These are used to convert a value from one format to another.
| expand_syslog_priority
|
Converts a syslog priority number to its level and facility. |
| expand_syslog_priority_as_string
|
Converts a syslog priority number to its level and facility string representations. |
| syslog_facility
|
Converts a syslog facility number to its string representation. |
| syslog_level
|
Converts a syslog level number to its string representation. |
| to_bool
|
Converts the single parameter to a boolean value using its string value. |
| to_date
|
Converts a type to a date. |
| to_double
|
Converts the first parameter to a double floating point value. |
| to_ip
|
Converts the given string to an IP object. |
| to_long
|
Converts the first parameter to a long integer value. |
| to_map
|
Converts a value to a map. |
| to_string
|
Converts the first parameter to its string representation. |
| to_url
|
Converts a value to a valid URL using its string representation. |
Date/Time
A DateTime function performs an action or calculation on a date and time value.
| days
|
Create a period with a specified number of days. |
| flex_parse_date
|
Attempts to parse a date and time using the Natty date parser. |
| format_date
|
Formats a date and time according to a given formatter pattern. |
| millis
|
Can return either the Unix epoch value or the duration in milliseconds. |
| minutes
|
Creates a period with a specified number of minutes. |
| months
|
Creates a period with a specified number of months. |
| seconds
|
Creates a period with a specified number of seconds. |
| now
|
Returns the current date and time. |
| parse_date
|
Parses a date and time from the given string, according to a strict pattern. |
| parse_unix_milliseconds
|
Attempts to parse a UNIX millisecond timestamp (milliseconds since 1970-01-01T00:00:00.000Z). |
| period
|
Parses an ISO 8601 period from the specified string. |
| weeks
|
Creates a period with a specified number of weeks. |
| years
|
Creates a period with a specified number of years. |
| hours
|
Create a period with a specified number of hours. |
Debug
These functions are used to determine the state of your program at any point of execution.
| metric_counter_inc
|
The counter metric name, will always be prefixed with 'org.graylog.rulemetrics.' |
| debug
|
Print the passed value as a string in the Graylog log. |
Encoding
Encoding functions enable you to decode and convert strings.
| murmur3_128
|
Returns the hex encoded MurmurHash3 (128-bit) digest of the given string. |
| murmur3_32
|
Returns the hex encoded MurmurHash3 (32-bit) digest of the given string. |
| sha1
|
Returns the hex encoded SHA1 digest of the given string. |
| sha256
|
Returns the hex encoded SHA256 digest of the given string. |
| sha512
|
Returns the hex encoded SHA512 digest of the given string. |
List
These functions create a collection that can be manipulated for your analysis.
Lookups
Lookup functions enable you to search a database for a value, then return other information from the same record.
Map
Map functions apply a given function to each element of a collection.
| select_jsonpath
|
Selects one or more named JSON Path expressions from a JSON tree. |
Message Handling
These functions define what is to be done in response to a message.
| clone_message
|
Clones a message. |
| create_message
|
Creates a new message which will be evaluated by the entire processing pipeline. |
| drop_message
|
This currently processed message will be removed from the processing pipeline after the rule finishes. |
| from_input
|
Checks whether the current message was received by the given input. |
| remove_field
|
Removes the named field from the currently processed message. |
| remove_from_stream
|
Removes the current message from the specified stream. |
| rename_field
|
Renames a message field. |
| route_to_stream
|
Assigns the current message to the specified stream. |
| set_field
|
Sets the name field to the given value in the currently processed message. |
| set_fields
|
Sets multiple fields to the given values in the currently processed message. |
| traffic_accounting_size
|
Calculates the current size of the message as used by the traffic accounting system. |
Pattern Matching
Specify patterns to which some data should conform and deconstructs the data according to those patterns.
| grok
|
Applies a Grok pattern to a string. |
| regex
|
Matches a regular expression against a string, with matcher groups. |
| regex_replace
|
Matches a regular expression against a string and replace with string. |
String Functions
These functions are used to manipulate a string or query information about a string.
| abbreviate
|
Abbreviates a String using ellipses. |
| base16_decode
|
base16 decoding of the string. |
| base16_encode
|
base16 encoding of the string. |
| base32_decode
|
base32 decoding of the string. |
| base32_encode
|
base32 encoding of the string. |
| base32human_decode
|
base32 (human-friendly) decoding of the string. |
| base32human_encode
|
base32 (human-friendly) encoding of the string. |
| base64_decode
|
base64 decoding of the string. |
| base64_encode
|
base64 encoding of the string. |
| base64url_decode
|
base64 (URL-safe) decoding of the string. |
| base64url_encode
|
base64 (URL-safe) encoding of the string. |
| capitalize
|
Capitalizes a String changing the first letter to title case. |
| concat
|
Concatenates two strings. |
| contains
|
Checks if a string contains another string. |
| ends_with
|
Checks if a string ends with a given suffix. |
| flatten_json
|
Parses a string as a JSON tree while flattening all containers to a single level. |
| join
|
Joins the elements of the provided array into a single String. |
| lowercase
|
Converts a String to lower case. |
| length
|
Counts the characters or bytes in a string. |
| md5
|
Returns the hex encoded MD5 digest of the given string. |
| split
|
Splits a string around matches of this pattern (Java syntax). |
| starts_with
|
Checks if a string starts with a given prefix. |
| substring
|
Returns a substring of value with the given start and end offsets. |
| swapcase
|
Swaps the case of a String. |
| parse_json
|
Parses a string into a JSON tree. |
| replace
|
Replaces the first “max” or all occurrences of a string within another string. |
| uncapitalize
|
Uncapitalizes a String changing the first letter to lower case. |
| uppercase
|
Converts a String to upper case. |
| urldecode
|
Decodes a application/x-www-form-urlencoded string using a specific encoding scheme. |
| urlencode
|
Translates a string into application/x-www-form-urlencoded format using a specific encoding scheme. |
String Function/Encoding
| crc32
|
Returns the hex encoded CRC32 digest of the given string. |
| crc32c
|
Returns the hex encoded CRC32C (RFC 3720, Section 12.1) digest of the given string. |
