Functions Descriptions

abbreviate

abbreviate(value: string, width: long)

Abbreviates a string using an ellipsis, the width defines the maximum length of the resulting string.

add_asset_categories

add_asset_categories(asset_name: string, categories: list)

Add a list of categories to an asset.

array_contains

array_contains (elements, value, [case-sensitive]): boolean

Checks if the specified element is contained in the array.

Example:

rule "array_contains"

when

true

then

set_field("contains_number", array_contains([1, 2, 3, 4, 5], 1));

set_field("does_not_contain_number", array_contains([1, 2, 3, 4, 5], 7));

set_field("contains_string", array_contains(["test", "test2"], "test"));

set_field("contains_string_case_insensitive", array_contains(["test", "test2"], "TEST"));

set_field("contains_string_case_sensitive", array_contains(["test", "test2"], "TEST", true));

end

array_remove

array_remove (elements, value, [remove_all]) : list

Removes the specified element from the array.

rule "array_remove"

when

true

then

set_field("remove_number", array_remove([1, 2, 3], 2));

set_field("remove_string", array_remove(["one", "two", "three"], "two"));

set_field("remove_missing", array_remove([1, 2, 3], 4));

set_field("remove_only_one", array_remove([1, 2, 2], 2));

set_field("remove_all", array_remove([1, 2, 2], 2, true));

end

base16_decode

base16_decode (value, [omit_padding: boolean])

Base16 decoding of the string which returns lower-case letters.

Regular hexadecimal: 0-9 A-F 

base16_encode

base16_encode (value, [omit_padding: boolean])

Standard case-insensitive hex encoding using a 16-character subset.

Regular hexadecimal: 0-9 A-F

base32_decode

base32_decode (value, [omit_padding: boolean])

Decodes a string using a 32-character subset.

 "Numerical" base 32; extended from the traditional hex alphabet: 0-9 A-V

base32_encode

base32_encode (value, [omit_padding: boolean])

Encodes a string using a 32-character subset.

"Numerical" base 32; extended from the traditional hex alphabet: 0-9 A-V

base32human_decode

base32human_decode (value, [omit_padding: boolean])

Decodes a string in human-readable format using a 32-character subset. 

"Readable" base 32; no possibility of confusing 0/O or 1/I: A-Z 2-7

base32human_encode

base32human_encode (value, [omit_padding: boolean])

Encodes a string in human-readable format using a 32-character subset.

"Readable" base 32; no possibility of confusing 0/O or 1/I: A-Z 2-7

base64_decode

base64_decode (value, [omit_padding: boolean]) 

Decodes a string using a 64-character subset. Regular base64 which allows both upper and lowercase letters. 

It does not need to be human readable.

base64_encode

base64_encode (value, [omit_padding: boolean])

Encodes a string using a 64-character subset. Regular base64 which allows both upper and lowercase letters. It does not need to be human readable.

base64url_decode

base64url_decode (value, [omit_padding: boolean])

URL-safe decoding of a string using a 64-character subset. Safe to use as filenames, or to pass in URLs without escaping.

base64url_encode

base64url_encode (value, [omit_padding: boolean])

URL-safe encoding of the string using a 64-character subset. Safe to use as filenames, or to pass in URLs without escaping.

capitalize

capitalize(value: string)

Capitalizes a string changing the first letter to title case.

cidr_match

cidr_match(cidr: string, ip: IpAddress)

Checks whether the given ip address object matches the cidr pattern.

See also:

  • to_ip
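As an added example (not from the original page or Graylog's own documentation), the following rule, written in the Graylog pipeline rule language, combines to_ip and cidr_match to tag messages whose source address falls inside the RFC 1918 private ranges. The field name src_ip and the output field src_ip_is_private are assumptions; the regex guard follows the page's own convention of validating the dotted-quad shape before converting.

```text
rule "tag private source addresses"
when
    // only handle values that look like IPv4 dotted quads; src_ip is an assumed field name
    has_field("src_ip")
    && regex(pattern: "^\\d{1,3}(\\.\\d{1,3}){3}$", value: to_string($message.src_ip)).matches == true
then
    // cidr_match needs an IpAddress object, hence the to_ip conversion
    let ip = to_ip(to_string($message.src_ip));
    // RFC 1918 ranges
    let is_private = cidr_match("10.0.0.0/8", ip)
        || cidr_match("172.16.0.0/12", ip)
        || cidr_match("192.168.0.0/16", ip);
    set_field("src_ip_is_private", is_private);
    // constructed samples: src_ip = "192.168.1.10" -> src_ip_is_private = true
    //                      src_ip = "203.0.113.5"  -> src_ip_is_private = false
end
```

The resulting boolean field can then be used as a stream rule or as a condition in a later stage (for example, to alert on administrative logins from non-private addresses).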

clone_message

clone_message([message: Message])

Clones a message. If message is omitted, this function uses the currently processed message.

concat

concat(first: string, second: string)

Returns a new string combining the text of first and second.

Hint: The concat() function only concatenates two strings. If you want to build a string from more than two sub-strings, you’ll have to use concat() multiple times, see the example below.

Example:

// Build a message like:
// 'TCP connect from 88.99.35.172 to 192.168.1.10 Port 443'
let build_message_0 = concat(to_string($message.protocol), " connect from ");
let build_message_1 = concat(build_message_0, to_string($message.src_ip));
let build_message_2 = concat(build_message_1, " to ");
let build_message_3 = concat(build_message_2, to_string($message.dst_ip));
let build_message_4 = concat(build_message_3, " Port ");
let build_message_5 = concat(build_message_4, to_string($message.dst_port));
set_field("message", build_message_5);

contains

contains(value: string, search: string, [ignore_case: boolean])

Checks if value contains search, optionally ignoring the case of the search pattern.

Example:

// Check if `example.org` is in the `hostname` field. Ignore case.
contains(to_string($message.hostname), "example.org", true)

crc32

crc32(value: string)

Creates the hex encoded CRC32 digest of the value.

crc32c

crc32c(value: string)

Creates the hex encoded CRC32C (RFC 3720, Section 12.1) digest of the value.

create_message

create_message([message: string], [source: string], [timestamp: DateTime])

Creates a new message from the given parameters. If any of them is omitted, its value is taken from the corresponding field of the currently processed message. If timestamp is omitted, the timestamp of the created message is the time at which it is created.

csv_to_map

csv_to_map(value, fieldNames, [separator], [quoteChar], [escapeChar], [strictQuotes], [trimLeadingWhitespace], [ignoreExtraFieldNames])

Converts a single line of a CSV string into a map usable by set_fields().

days

days(value: long)

Create a time period with value number of days.

See also:

  • is_period
  • period

debug

debug(value: any)

Print any passed value as a string in the Graylog log.

Hint: The debug message will only appear in the log of the Graylog node that was processing the message you are trying to debug.

Example:

// Print: "INFO : org.graylog.plugins.pipelineprocessor.ast.functions.Function - PIPELINE DEBUG: Dropped message from <source>"
let debug_message = concat("Dropped message from ", to_string($message.source));
debug(debug_message);

drop_message

drop_message(message: Message)

The processing pipeline will remove the given message after the rule is finished executing. This does not prevent later stages of the same pipeline from being applied to the message.

If message is omitted, this function uses the currently processed message.

This can be used to implement flexible blacklisting based on various conditions.

Example:

rule "drop messages over 16383 characters"
when
    has_field("message") AND regex(pattern: "^.{16383,}$", value: to_string($message.message)).matches == true
then
    drop_message();
    // added debug message to be notified about the dropped message
    debug(concat("dropped oversized message from ", to_string($message.source)));
end

ends_with

ends_with(value: string, suffix: string, [ignore_case: boolean])

Checks if value ends with suffix, optionally ignoring the case of the string.

Example:

// Returns true
ends_with("Foobar Baz Quux", "quux", true);
// Returns false
ends_with("Foobar Baz Quux", "Baz");

expand_syslog_priority

expand_syslog_priority(value: any)

Converts the syslog priority number in value to its numeric severity and facility values.

expand_syslog_priority_as_string

expand_syslog_priority_as_string(value: any)

Converts the syslog priority number in value to its severity and facility string representations.

first_non_null

first_non_null (value: list)

Returns first element found in the specified list, which is not null. Returns null for an empty list.

flatten_json

flatten_json(value, array_handler) : JsonNode

Parses the value string as a JSON tree while flattening all containers to a single level.  

Parsing of JSON arrays is determined by the array_handler parameter value.

Available options for array_handler are:

  • ignore ignore all top-level arrays
  • json return top-level arrays as valid JSON strings
  • flatten explode all arrays and objects into top-level key/values

[stringify: boolean]:

The optional stringify flag determines whether values are returned as strings or retain their original type. It defaults to false in Graylog 5.0.

flex_parse_date

flex_parse_date(value: string, [default: DateTime], [timezone: string])

Uses the Natty date parser to parse a date and time value. If no timezone is detected in the pattern, the optional timezone parameter is used as the assumed timezone. If omitted the timezone defaults to UTC.

If the parser fails to detect a valid date and time, the default date and time is returned when one was given; otherwise the expression fails to evaluate and rule execution is aborted.

See also:

  • is_date

format_date

format_date(value: DateTime, format: string, [timezone: string])

Returns the given date and time value formatted according to the format string. If no timezone is given, it defaults to UTC.

from_forwarder_input

from_forwarder_input(id: string | name: string)

Checks whether the currently processed message was received on the given forwarder input. The input can be looked up by either specifying its name (the comparison ignores the case) or the id.

from_input

from_input(id: string | name: string)

Checks whether the currently processed message was received on the given (non-forwarder) input. The input can be looked up by either specifying its name (the comparison ignores the case) or the id.

grok

grok(pattern: string, value: string, [only_named_captures: boolean])

Applies the grok pattern pattern to value. Returns a match object containing a map of field names and values. Set only_named_captures to true to return only matches from named captures.

Hint: The result of executing the grok function can be passed as argument for set_fields to set the extracted fields into a message.

See also:

  • set_fields

grok_exists

grok_exists (pattern:string, [log_missing:boolean])

Checks if the given Grok pattern exists. log_missing determines whether a log message is generated when no matching pattern is found.

has_field

has_field(field: string, [message: Message])

Checks whether the given message contains a field with the name field.

If message is omitted, this function uses the currently processed message.

hours

hours(value: long)

Create a time period with value number of hours.

is_boolean

is_boolean(value: any)

Checks whether the given value is a boolean value (true or false).

is_collection

is_collection(value: any)

Checks whether the given value is an iterable collection.

is_date

is_date(value: any)

Checks whether the given value is a date (of type DateTime).

See also:

  • now
  • parse_date
  • flex_parse_date
  • parse_unix_milliseconds

is_double

is_double(value: any)

Checks whether the given value is a floating point value (of type double).

See also:

  • to_double

is_ip

is_ip(value: any)

Checks whether the given value is an IP address (IPv4 or IPv6).

See also:

  • to_ip

is_json

is_json(value: any)

Checks whether the given value is a parsed JSON tree.

See also:

  • parse_json

is_list

is_list(value: any)

Checks whether the given value is an iterable list.

is_long

is_long(value: any)

Checks whether the given value is an integer value (of type long).

See also:

  • to_long

is_map

is_map(value: any)

Checks whether the given value is a map.

See also:

  • to_map

is_not_null

is_not_null(value: any)

Checks if the given value is not null.

Example:

// Check if the `src_addr` field is not null.
// If not null, boolean true is returned. If null, boolean false is returned.
is_not_null($message.src_addr)

is_null

is_null(value: any)

Checks if the given value is null.

Example:

// Check if the `src_addr` field is null (empty).
// If null, boolean true is returned. If not null, boolean false is returned.
is_null($message.src_addr)

is_number

is_number(value: any)

Checks whether the given value is a numeric value (of type long or double).

See also:

  • is_double
  • to_double
  • is_long
  • to_long

is_period

is_period(value: any)

Checks whether the given value is a time period (of type Period).

See also:

  • years
  • months
  • weeks
  • days
  • hours
  • minutes
  • seconds
  • millis
  • period

is_string

is_string(value: any)

Checks whether the given value is a string.

See also:

  • to_string

is_url

is_url(value: any)

Checks whether the given value is a parsed URL.

See also:

  • to_url

join

join (elements: list, [delimiter:string], [start:long], [end:long])

Joins the specified range of elements of the provided array into a single string.
Start index defaults to 0; end index defaults to the last element index of the list.
Delimiter: if specified, the elements are separated by the delimiter in the resulting string.

key_value

key_value ( value : string , [ delimiters : string ], [ kv_delimiters : string ], [ ignore_empty_values : boolean ], [ allow_dup_keys : boolean ], [ handle_dup_keys : string ], [ trim_key_chars : string ], [ trim_value_chars : string ] )

Extracts key-value pairs from the given value and returns them as a map of field names and values. You can optionally specify:

delimiters
Characters used to separate pairs. We will use each character in the string, so you do not need to separate them. Default value: <[whitespace]>.

kv_delimiters
Characters used to separate keys from values. Again, there is no need to separate each character. Default value: =.

ignore_empty_values
Ignores keys containing empty values. Default value: true

allow_dup_keys
Indicates if duplicated keys are allowed. Default value: true.

handle_dup_keys
How to handle duplicated keys (if allow_dup_keys is set). It can take the values take_first, which only uses the first value for the key, or take_last, which only uses the last value for the key. Setting this option to any other value changes the handling to concatenate, which combines all values given to the key, separating them with the value set in this option. For example, setting handle_dup_keys: "," combines all values given to a key a, separating them with a comma, such as 1,2,foo. Default value: take_first.

trim_key_chars
Characters to trim (remove from the beginning and end) from keys. Default value: no trim.

trim_value_chars
Characters to trim (remove from the beginning and end) from values. Default value: no trim.

Hint: The result of executing the key_value function can be passed as argument for set_fields to set the extracted fields into a message.

See also:

  • set_fields
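The following rule is an added example, not code from the original page or from Graylog, showing key_value with explicit delimiters, value trimming and the concatenate behaviour of handle_dup_keys, with the result written into the message through set_fields. The field name audit_line, the sample line and the audit_ prefix are constructed assumptions.

```text
rule "parse key=value audit fields"
when
    // audit_line is an assumed field name; constructed sample value:
    //   user="ad_admin" action=login action=sudo result=ok
    has_field("audit_line")
then
    let kv = key_value(
        value: to_string($message.audit_line),
        delimiters: " ",
        kv_delimiters: "=",
        trim_value_chars: "\"",
        handle_dup_keys: ","
    );
    // allow_dup_keys defaults to true, and because handle_dup_keys is neither
    // take_first nor take_last, repeated keys are concatenated with ",":
    //   user=ad_admin, action=login,sudo, result=ok
    set_fields(fields: kv, prefix: "audit_");
    // resulting fields: audit_user, audit_action, audit_result
end
```

Prefixing the extracted names keeps vendor-supplied keys from colliding with fields set elsewhere in the pipeline, which matters when a later stage keys detection logic off a field such as audit_action.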

length

length (value:string, [bytes: boolean])

Counts the characters in a string. If bytes=true, it counts the number of bytes instead (assumes UTF-8 encoding).

list_count

list_count(list:list) : Long

Gets number of elements in list.

list_get

list_get(list:list, index:long) : Object

Gets a value from a list.

lookup

lookup(lookup_table: string, key: any, [default: any])

Looks up a multi-value in the named lookup table.

Example:

rule "dst_ip geoip lookup"
when
    has_field("dst_ip")
then
    let geo = lookup("geoip-lookup", to_string($message.dst_ip));
    set_field("dst_ip_geolocation", geo["coordinates"]);
    set_field("dst_ip_geo_country_code", geo["country"].iso_code);
    set_field("dst_ip_geo_country_name", geo["country"].names.en);
    set_field("dst_ip_geo_city_name", geo["city"].names.en);
end

lookup_add_string_list

lookup_add_string_list(lookup_table, key, value,[keep_duplicates])

Add a string list in the named lookup table. Returns the updated list on success and returns null on failure.

Warning: This function only works with the MongoDB Lookup Table at the time of writing.

lookup_all

lookup_all(lookup_table, keys) : list

Looks up all provided values in the named lookup table and returns all results as an array.

Example rule for a lookup table where key1=val1, key2=val2, key3=val3

rule "function lookup all"

when

true

then

let values = lookup_all("lut_name", ["key1", "key2", "key3"]);

set_field("values", values);

end

lookup_clear_key

lookup_clear_key(lookup_table, key)

Clears (removes) a key in the named lookup table.

Warning: This function only works with the MongoDB Lookup Table at the time of writing.

lookup_has_value

lookup_has_value (lookup_table, key)

Determines whether a given key is present in a lookup table. Will return true if the key is present and false if the key is not present.

lookup_remove_string_list

lookup_remove_string_list(lookup_table, key, value)

Removes the entries of the given string list from the named lookup table. Returns the updated list on success and returns null on failure.

Warning: This function only works with the MongoDB Lookup Table at the time of writing.

lookup_set_string_list

lookup_set_string_list(lookup_table:string, key:string, value:list)

Sets a string list in the named lookup table. Returns the new value on success and returns null on failure.

Warning: This function only works with the MongoDB Lookup Table at the time of writing.

lookup_set_value

lookup_set_value(lookup_table, key, value)

Set a single value in the named lookup table. Returns the new value on success and returns null on failure.

Warning: This function only works with the MongoDB Lookup Table at the time of writing.

lookup_string_list

lookup_string_list(lookup_table, key, [default])

Looks up a string list value in the named lookup table.

Warning: This function only works with the MongoDB Lookup Table at the time of writing.

lookup_string_list_contains

lookup_string_list_contains (lookup_table, key, value)

Looks up a value in the string list referenced by the key in the named lookup table. 

Returns true only if the key/value mapping is present, otherwise it returns false.
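As an added example (not part of the original page or of Graylog's documentation), this rule uses lookup_string_list_contains to check a destination domain against a blocklist kept in a lookup table. The table name domain-blocklist, the key blocked and the field dst_domain are assumptions; the table is assumed to be backed by a data adapter that stores string lists, which the page notes is the MongoDB Lookup Table for the related string-list functions.

```text
rule "flag destinations on the domain blocklist"
when
    // dst_domain is an assumed field name
    has_field("dst_domain")
then
    // "domain-blocklist" and the key "blocked" are assumed names; the key is expected
    // to hold a string list such as ["bad.example", "worse.example"] (constructed)
    let blocked = lookup_string_list_contains(
        "domain-blocklist",
        "blocked",
        lowercase(to_string($message.dst_domain))
    );
    // true only when the exact value is present in the list, false otherwise
    set_field("dst_domain_blocked", blocked);
end
```

Lowercasing before the lookup is deliberate: the list comparison is exact, so mixed-case DNS names in the message would otherwise slip past entries stored in lower case.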

lookup_value

lookup_value(lookup_table: string, key: any, [default: any])

Looks up a single value in the named lookup table.

Example:

// Lookup a value in lookup table "ip_lookup" where the key is the string representation of the src_addr field.
lookup_value("ip_lookup", to_string($message.src_addr));

lowercase

lowercase(value: string, [locale: string])

Converts a String to lower case. The locale (IETF BCP 47 language tag) defaults to “en”.

md5

md5(value: string)

Creates the hex encoded MD5 digest of the value.

metric_counter_inc

metric_counter_inc (name, [value]): Void

The counter metric name will always be prefixed with 'org.graylog.rulemetrics.'.

The default value is 1 if no increment value is specified.

millis

millis(value: long)

Create a time period with value number of milliseconds.

See also:

  • is_period
  • period

minutes

minutes(value: long)

Create a time period with value number of minutes.

See also:

  • is_period
  • period

months

months(value: long)

Create a time period with value number of months.

See also:

  • is_period
  • period

murmur3_128

murmur3_128(value: string)

Creates the hex encoded MurmurHash3 (128-bit) digest of the value.

murmur3_32

murmur3_32(value: string)

Creates the hex encoded MurmurHash3 (32-bit) digest of the value.

now

now([timezone: string])

Returns the current date and time. Uses the default time zone UTC.

See also:

  • is_date

otx_lookup_domain

otx_lookup_domain (domain_name: string) : OTXLookupResult

Look up AlienVault OTX threat intelligence data for a domain name. Pipeline function otx_lookup_domain requires a configured lookup table named otx-api-domain.

rule "PARSE IP to DNS"
when
    has_field("source_ip")
    && regex(
        pattern: "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$",
        value: to_string($message.source_ip)
        ).matches == true
then
    let rs = lookup_value("dns_lookups", to_string($message.source_ip));
    set_field("source_ip_dns", to_string(rs));
end

otx_lookup_ip

otx_lookup_ip (ip_address: string) : OTXLookupResult

Look up AlienVault OTX threat intelligence data for an IPv4 or IPv6 address. Requires a configured lookup table named otx-api-ip.

rule "PARSE source_ip - otx-api-ip"
when
    // validate message has a source_ip field
    has_field("source_ip")
    // validate that source IP is IPv4 format
    && regex(
        pattern: "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$",
        value: to_string($message.source_ip)
        ).matches == true
then
    let rs = otx_lookup_ip(to_string($message.source_ip));
    set_fields(rs);
end

parse_date

parse_date(value: string, pattern: string, [locale: string], [timezone: string])

Parses the value into a date and time object, using the pattern. If no timezone is detected in the pattern, the optional timezone parameter is used as the assumed timezone. If omitted the timezone defaults to UTC.

The format used for the pattern parameter is identical to the pattern of the Joda-Time DateTimeFormat.

| Symbol | Meaning | Presentation | Examples |
|---|---|---|---|
| G | era | text | AD |
| C | century of era (>=0) | number | 20 |
| Y | year of era (>=0) | year | 1996 |
| x | weekyear | year | 1996 |
| w | week of weekyear | number | 27 |
| e | day of week | number | 2 |
| E | day of week | text | Tuesday; Tue |
| y | year | year | 1996 |
| D | day of year | number | 189 |
| M | month of year | month | July; Jul; 07 |
| d | day of month | number | 10 |
| a | halfday of day | text | PM |
| K | hour of halfday (0~11) | number | 0 |
| h | clockhour of halfday (1~12) | number | 12 |
| H | hour of day (0~23) | number | 0 |
| k | clockhour of day (1~24) | number | 24 |
| m | minute of hour | number | 30 |
| s | second of minute | number | 55 |
| S | fraction of second | millis | 978 |
| z | time zone | text | Pacific Standard Time; PST |
| Z | time zone offset/id | zone | -0800; -08:00; America/Los_Angeles |
| ' | escape for text | delimiter | |
| '' | single quote | literal | |

The format used for the locale parameter is a valid language tag according to IETF BCP 47 which can be parsed by the Locale#forLanguageTag(String) method.

Also see IANA Language Subtag Registry.

If no locale was specified, the locale of the system running Graylog (the default locale) is being used.

Examples:

| Language Tag | Description |
|---|---|
| en | English |
| en-US | English as used in the United States |
| de-CH | German for Switzerland |

See also:

  • is_date
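The rule below is an added example, not from the original page or from Graylog, showing parse_date with a pattern built from the symbols in the table above, an explicit locale, and format_date to re-emit the value in ISO 8601 form. The field event_time, its Apache-style sample value and the output field event_time_utc are constructed assumptions.

```text
rule "normalize vendor timestamp"
when
    // event_time is an assumed field; constructed sample value: "25/Apr/2024:16:31:11 +0200"
    has_field("event_time")
then
    // dd, MMM, yyyy, HH, mm, ss and Z are the symbols from the table above.
    // locale "en" makes sure the abbreviated month name is read as English.
    // timezone "UTC" is only a fallback: the input carries its own offset (Z), so it is not used here.
    let ts = parse_date(
        value: to_string($message.event_time),
        pattern: "dd/MMM/yyyy:HH:mm:ss Z",
        locale: "en",
        timezone: "UTC"
    );
    set_field("timestamp", ts);
    // same instant formatted in UTC: 2024-04-25T14:31:11.000+0000
    set_field("event_time_utc", format_date(ts, "yyyy-MM-dd'T'HH:mm:ss.SSSZ", "UTC"));
end
```

Pinning the locale is worth the extra parameter: as the page notes, parse_date otherwise falls back to the locale of the Graylog node, so the same rule can succeed on one node and fail on another whose system locale spells month names differently.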

parse_json

parse_json(value: string)

Parses the value string as JSON, returning the resulting JSON tree.

See also:

  • to_map

parse_unix_milliseconds

parse_unix_milliseconds(value: long)

Attempts to parse a UNIX millisecond timestamp (milliseconds since 1970-01-01T00:00:00.000Z) into a proper DateTime object.

Example:

// 1519902000000 == 2018-03-01T12:00:00.000Z
let timestamp = parse_unix_milliseconds(1519902000000);
set_field("timestamp", timestamp);

See also:

  • is_date

period

period(value: string)

Parses an ISO 8601 time period from value.

See also:

  • is_period
  • years
  • months
  • days
  • hours
  • minutes
  • seconds
  • millis

regex

regex(pattern: string, value: string, [group_names: array[string]])

Match the regular expression in pattern against value. Returns a match object with the boolean property matches to indicate whether the regular expression matched and, if requested, the matching groups as groups. The groups can optionally be named using the group_names array. If not named, the group names are strings starting at "0".

Hint: Patterns must be valid Java String literals. Make sure you escape any backslashes in your regular expressions!
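As an added example (not from the original page or Graylog's documentation), this rule uses regex with group_names to pull the user, source address and port out of an sshd authentication failure line and writes the named groups into the message with set_fields. The sample log line is constructed; access to the match object's groups map as m.groups follows the description above and is an assumption about the property name. Note the doubled backslashes, as the hint requires.

```text
rule "extract failed ssh login details"
when
    // constructed sample message:
    //   Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
    has_field("message")
    && regex(pattern: "^Failed password for .*", value: to_string($message.message)).matches == true
then
    let m = regex(
        pattern: "^Failed password for (?:invalid user )?(\\S+) from (\\S+) port (\\d+).*",
        value: to_string($message.message),
        group_names: ["ssh_user", "ssh_src_ip", "ssh_src_port"]
    );
    // m.groups maps each named capture to its text:
    //   ssh_user=admin, ssh_src_ip=203.0.113.5, ssh_src_port=4321
    set_fields(m.groups);
    set_field("ssh_auth_failed", m.matches);
end
```

Doing the cheap anchored match in the when clause keeps the capturing regex from running on every message, and the "(?:invalid user )?" group is non-capturing so that the three names line up with the three captured values.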

regex_replace

regex_replace(pattern: string, value: string, replacement: string,[replace_all: boolean])

Match the regular expression in pattern against value and replace it, if matched, with replacement. You can use numbered capturing groups and reuse them in the replacement string. If replace_all is set to true, then all matches will be replaced, otherwise only the first match will be replaced.

Examples:

// message = 'logged in user: mike'
let username = regex_replace(".*user: (.*)", to_string($message.message), "$1");
// message = 'logged in user: mike'
let string = regex_replace("logged (in|out) user: (.*)", to_string($message.message), "User $2 is now logged $1");

Hint: Patterns must be valid Java String literals. Make sure you escape any backslashes in your regular expressions!

remove_field (Legacy)

remove_field(field: string, [message: Message])

Removes the given field with the name field from the given message, unless the field is reserved.

If message is omitted, this function uses the currently processed message.

remove_from_stream

remove_from_stream(id: string | name: string, [message: Message])

Removes the message from the given stream. The stream can be looked up by either specifying its name or the id.

If message is omitted, this function uses the currently processed message.

If the message ends up being on no stream anymore, it is implicitly routed back to the default stream “All messages”. This ensures that the message is not accidentally lost due to complex stream routing rules. If you want to discard the message entirely, use the drop_message function.

Hint: With remove_from_stream, the message continues to be processed in following stages. To abort processing, use drop_message or structure the stage conditions so that the following stages are not executed after remove_from_stream has been called.

remove_multiple_fields

remove_multiple_fields ([pattern: string],[names: list],[message: Message])

Removes fields matching a regular expression (regex) pattern and/or list of names, unless the field name is reserved.

remove_single_field

remove_single_field (field: string, [message: Message])

Removes a single field from a message, unless the field name is reserved.

rename_field

rename_field(old_field: string, new_field: string, [message: Message])

Modifies the field name old_field to new_field in the given message, keeping the field value unchanged. 

replace

replace(value: string, search: string, [replacement: string], [max: long])

Replaces the first max or all occurrences of a string within another string. max defaults to -1, which replaces all occurrences; 1 replaces only the first one, 2 the first two, and so on.

Example:

// Correct misspelled message "foo rooft oota"
let new_field = replace(to_string($message.message), "oo", "u");    // "fu ruft uta"
let new_field = replace(to_string($message.message), "oo", "u", 1); // "fu rooft oota"

route_to_stream

route_to_stream(id: string | name: string, [message: Message], [remove_from_default: boolean])

Sets a stream assignment of the message to the given stream. Functions as 'copy' and does not remove the message from the current stream.

If message is omitted, this function uses the currently processed message. This causes the message to be evaluated on the pipelines connected to that stream, unless the stream has already been processed for this message.

If remove_from_default is true, the message is also removed from the default stream “All messages”. remove_from_default takes effect after the current pipeline has finished resolving. This rule does not prevent later stages of the pipeline from being applied to the message.

The stream can be looked up by either specifying its name or the id.

Example:

// Route the current processed message to a stream with ID `512bad1a535b43bd6f3f5e86` (preferred method)
route_to_stream(id: "512bad1a535b43bd6f3f5e86");
// Route the current processed message to a stream named `Custom Stream`
route_to_stream(name: "Custom Stream");

seconds

seconds(value: long)

Create a time period with value number of seconds.

See also:

  • is_period
  • period

select_jsonpath

select_jsonpath(json: JsonNode, paths: Map<string, string>)

Evaluates the given paths against the json tree and returns the map of the resulting values.

set_field

set_field(field: string, value: any, [prefix: string], [suffix: string], [message: Message], [default: any], [clean_field: boolean])

Sets the given field named field to the new value. The field name must be valid, and specifically cannot include a period character. It is trimmed of leading and trailing whitespace. String values are trimmed of whitespace as well.

The optional prefix and suffix parameters specify which prefix or suffix should be added to the inserted field name. The optional clean_field parameter replaces invalid field name characters with underscores.

If message is omitted, this function uses the currently processed message. 

default: use this when no value is available (it is null or throws an exception).

See also:

  • set_fields

set_fields

set_fields(fields: Map<string, any>, [prefix: string], [suffix: string], [message: Message], [clean_fields: boolean])

Sets all of the given name-value pairs as fields in the given message. This is a convenience function acting like set_field. It is helpful for writing the result of a function like select_jsonpath or regex into the currently processed message, especially when the key names are the result of a regular expression.

The optional prefix and suffix parameters specify which prefix or suffix should be added to the inserted field names. The optional clean_fields parameter replaces invalid field name characters with underscores.

If message is omitted, this function uses the currently processed message.

See also:

  • set_field
  • to_map
  • grok
  • key_value

sha1

sha1(value: string)

Creates the hex encoded SHA1 digest of the value.

sha256

sha256(value: string)

Creates the hex encoded SHA256 digest of the value.

sha512

sha512(value: string)

Creates the hex encoded SHA512 digest of the value.

split

split(pattern: string, value: string, [limit: int])

Split a value around matches of pattern. Use limit to indicate the number of times the pattern should be applied.

Hint: Patterns must be valid Java String literals. Make sure you escape any backslashes in your regular expressions!

starts_with

starts_with(value: string, prefix: string, [ignore_case: boolean])

Checks if value starts with prefix, optionally ignoring the case of the string.

Example:

// Returns true
starts_with("Foobar Baz Quux", "foo", true);
// Returns false
starts_with("Foobar Baz Quux", "Quux");

string_array_add

string_array_add(elements, value, [only_unique]) : list

Adds the specified string (or string array) value to the supplied string array. Casts the input array and value/value array to strings.

Example rule:

rule "string_array_add"

when

true

then

set_field("add_number_to_string_array_converted", string_array_add(["1", "2"], 3));

set_field("add_number_array_to_string_array_converted", string_array_add(["1", "2"], [3, 4]));

set_field("add_string", string_array_add(["one", "two"], "three"));

set_field("add_string_again", string_array_add(["one", "two"], "two"));

set_field("add_string_again_unique", string_array_add(["one", "two"], "two", true));

set_field("add_array_to_array", string_array_add(["one", "two"], ["three", "four"]));

end

string_entropy

string_entropy (value: string, [default: double])

Computes Shannon's entropy of the character distribution in the given string.
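As an added example (not part of the original page or Graylog's documentation), the rule below applies string_entropy to DNS query names and flags those above a threshold, a common first-pass detection for algorithmically generated domains. The field query_name, the threshold 3.8 and the sample values are assumptions; the quoted entropies assume a base-2 Shannon entropy, so if Graylog reports in a different base the threshold must be scaled accordingly.

```text
rule "flag high-entropy query names"
when
    // query_name is an assumed field; constructed samples (base-2 entropy):
    //   "mail.example.com"                -> about 3.2, not flagged
    //   "x7k2q9vz1mp4rlt8wn3.example.com" -> about 4.5, flagged
    has_field("query_name")
    && string_entropy(to_string($message.query_name)) > 3.8
then
    set_field("query_name_entropy", string_entropy(to_string($message.query_name)));
    set_field("query_name_high_entropy", true);
end
```

Entropy alone produces false positives on legitimate long names (CDN hostnames, cloud storage buckets), so the flag is best combined with an allowlist lookup or a count of distinct high-entropy names per client before it drives an alert.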

substring

substring(value: string, start: long, [end: long])

Returns a substring of value starting at the start offset (zero based indices), optionally ending at the end offset. Both offsets can be negative, indicating positions relative to the end of value.

Example:

// This example splits the message into two parts. The first part is the timestamp and the other is the remaining message.
// The source name is added between the two parts.
rule "Merge source name in splitting of message"
when
    true
then
    // The substring length is adjusted to the timestamp at the start of the message
    let first = substring(to_string($message.message), 0, 20);
    let second = to_string($message.source);
    // With only a start offset given, the substring runs from that offset to the end of the message line
    // (offset 21 skips the timestamp and the following space)
    let last = substring(to_string($message.message), 21);
    // Customised full message with timestamp + Source_Name + Remaining message
    let full_message = first + " " + second + " " + last;
    set_field("message", full_message);
end

Message field:

Before:

<182>Apr 25 16:31:11 msd: CLI, SessionID:"XXXXX", Start:"16:31:10", End:"16:31:11", User:"ad_admin", Group:"ad_operator", Command:"show system services"

After:

<182>Apr 25 16:31:11 MYSOURCE msd: CLI, SessionID:"XXXXX", Start:"16:31:10", End:"16:31:11", User:"ad_admin", Group:"ad_operator", Command:"show system services"

swapcase

swapcase(value: string)

Swaps the case of a String changing upper and title case to lower case, and lower case to upper case.

syslog_facility

syslog_facility(value: any)

Converts the syslog facility number in value to its string representation.

syslog_level

syslog_level(value: any)

Converts the syslog severity number in value to its string representation.

to_bool

to_bool(value: any)

Converts the single parameter to a boolean value using its string value.

to_date

to_date(value: any, [timezone: string])

Converts value to a date. If no timezone is given, it defaults to UTC.

See also:

  • is_date

to_double

to_double(value: any, [default: double])

Converts the first parameter to a double floating point value.

to_ip

to_ip(ip: string)

Converts the given ip string to an IpAddress object.

See also:

  • cidr_match

to_long

to_long(value: any, [default: long])

Converts the first parameter to a long integer value.

to_map

to_map(value: any)

Converts the given map-like value to a valid map.

The to_map() function currently only supports converting a parsed JSON tree into a map so that it can be used together with set_fields.

Example:

let json = parse_json(to_string($message.json_payload));
let map = to_map(json);
set_fields(map);

See also:

  • set_fields
  • parse_json

to_string

to_string(value: any, [default: string])

Converts the first parameter to its string representation.

to_url

to_url(url: any, [default: string])

Converts the given url to a valid URL.

traffic_accounting_size

traffic_accounting_size [(message)]: long

Calculates the size of the entire message, including all extra fields.

This is also the value used to determine how much the message counts toward license usage.

Example rule:

set_field(
    field: "license_usage",
    value: traffic_accounting_size() // size in bytes
    // value: traffic_accounting_size() / 1024 // size in KB
);

uncapitalize

uncapitalize(value: string)

Uncapitalizes a String changing the first letter to lower case.

uppercase

uppercase(value: string, [locale: string])

Converts a String to upper case. The locale (IETF BCP 47 language tag) defaults to “en”.

urldecode

urldecode(value: string, [charset: string])

Decodes an application/x-www-form-urlencoded string using a specific encoding scheme. Valid charsets are e.g. UTF-8, US-ASCII, etc. Default is UTF-8.

urlencode

urlencode(value: string, [charset: string])

Translates a string into application/x-www-form-urlencoded format using a specific encoding scheme.

weeks

weeks(value: long)

Create a time period with value number of weeks.

See also:

  • is_period
  • period

years

years(value: long)

Create a time period with value number of years.

See also:

  • is_period
  • period