Functions Index
The following list describes the built-in functions that ship with Graylog. Additional third-party functions are available via plugins in the marketplace.
| Built-in Function | Description |
|---|---|
| abbreviate | Abbreviates a string using ellipses. |
|
Adds a list of categories to an asset. |
|
|
Checks if the specified element is contained in the array. |
|
|
Removes the specified element from the array. |
|
| base16_decode | Base16 decoding of the string which returns lower-case letters. |
| base16_encode | Standard case- insensitive hex encoding using a 16-character subset. |
| base32_decode | Decodes a string using a 32-character subset. |
| base32_encode | Encodes a string using a 32-character subset. |
| base32human_decode | Decodes a string in human-readable format using a 32-character subset. |
| base32human_encode | Encodes a string in human-readable format using a 32-character subset. |
| base64_decode | Decodes a string using a 64-character subset. |
| base64_encode | Decodes a string using a 64-character subset. |
| base64url_decode | URL-safe decoding of a string using a 64-character subset. |
| base64url_encode | URL-safe encoding of the string using a 64-character subset. |
| capitalize | Capitalizes a string changing the first letter to title case. |
| cidr_match | Checks whether the given IP matches a CIDR pattern. |
| clone_message | Clones a message. |
| concat | Concatenates two strings. |
| contains | Checks if a string contains another string. |
| crc32 | Returns the hex encoded CRC32 digest of the given string. |
| crc32c | Returns the hex encoded CRC32C (RFC 3720, Section 12.1) digest of the given string. |
| create_message | Creates a new message which will be evaluated by the entire processing pipeline. |
| days | Creates a period with a specified number of days. |
| debug | Prints the passed value as a string in the Graylog log. |
| drop_message | This currently processed message will be removed from the processing pipeline after the rule finishes. |
| ends_with | Checks if a string ends with a given suffix. |
| expand_syslog_priority | Converts a syslog priority number to its level and facility. |
| expand_syslog_priority_as_string | Converts a syslog priority number to its level and facility string representations. |
| first_non_null | Returns first non null element found in value. |
| flatten_json | Parses a string as a JSON tree while flattening all containers to a single level. |
| flex_parse_date | Attempts to parse a date and time using the Natty date parser. |
| format_date | Formats a date and time according to a given formatter pattern. |
|
Checks whether the current message was received by the given forwarder input. |
|
| from_input | Checks whether the current message was received by the given (non-forwarder) input. |
| grok | Applies a Grok pattern to a string. |
| grok_exists | Checks if the given Grok pattern exists. |
| has_field | Checks whether the currently processed message contains the named field. |
| hours | Creates a period with a specified number of hours. |
| is_boolean | Checks whether a value is a boolean value (true or false). |
| is_collection | Checks whether a value is an iterable collection. |
| is_date | Checks whether a value is a date (of type DateTime). |
| is_double | Checks whether a value is a floating point value (of type double). |
| is_ip | Checks whether a value is an IP address (IPv4 or IPv6). |
| is_json | Checks whether a value is a parsed JSON tree. |
| is_list | Checks whether a value is an iterable list. |
| is_long | Checks whether a value is an integer value (of type long). |
| is_map | Checks whether a value is a map. |
| is_not_null | Checks whether a value is not null. |
| is_null | Checks whether a value is null. |
| is_number | Checks whether a value is a numeric value (of type long or double). |
| is_period | Checks whether a value is a time period (of type Period). |
| is_string | Checks whether a value is a string. |
| is_url | Checks whether a value is a parsed URL. |
| join | Joins the elements of the provided array into a single String. |
| key_value | Extracts key/value pairs from a string. |
| length | Counts the characters or bytes in a string. |
|
Gets number of elements in list. |
|
|
Gets a value from a list. |
|
| lookup | Looks up a multi value in the named lookup table. |
| lookup_add_string_list | Lookup table manipulation. |
|
Looks up all provided values in the named lookup table, and returns all results as an array. |
|
| lookup_clear_key | Lookup table manipulation. |
|
Lookup table manipulation. |
|
| lookup_remove_string_list | Lookup table manipulation. |
| lookup_set_string_list | Lookup table manipulation. |
| lookup_set_value | Lookup table manipulation. |
| lookup_string_list | Lookup table manipulation. |
| lookup_string_list_contains | Looks up a value in the string list referenced by the key in the named lookup table. |
| lookup_value | Looks up a single value in the named lookup table. |
| lowercase | Converts a string to lower case. |
| md5 | Returns the hex encoded MD5 digest of the given string. |
| metric_counter_inc | The counter metric name, will always be prefixed with 'org.graylog.rulemetrics.' |
| millis | Creates a period with a specified number of milliseconds. |
| minutes | Creates a period with a specified number of minutes. |
| months | Creates a period with a specified number of months. |
| murmur3_128 | Returns the hex encoded MurmurHash3 (128-bit) digest of the given string. |
| murmur3_32 | Returns the hex encoded MurmurHash3 (32-bit) digest of the given string. |
| now | Returns the current date and time. |
|
Look up AlienVault OTX threat intelligence data for a domain name. Pipeline function otx_lookup_domain requires a configured lookup table named |
|
|
Look up AlienVault OTX threat intelligence data for an IPv4 or IPv6 address. Requires a configured lookup table named otx-api-ip. |
|
| parse_date | Parses a date and time from the given string according to a strict pattern. |
| parse_json | Parses a string into a JSON tree. |
| parse_unix_milliseconds | Attempts to parse a UNIX millisecond timestamp (milliseconds since 1970-01-01T00:00:00.000Z). |
| period | Parses an ISO 8601 period from the specified string. |
| regex | Matches a regular expression against a string with matcher groups. |
| regex_replace | Matches a regular expression against a string and replace with string. |
| remove_field (legacy) | Removes the named field from the currently processed message. |
| remove_from_stream | Removes the current message from the specified stream. |
|
Removes fields matching a regex pattern and/or list of names, unless the field name is reserved. |
|
|
Removes a single field from message, unless the field name is reserved. |
|
| rename_field | Renames a message field. |
| replace | Replaces the first “max” or all occurrences of a string within another string |
| route_to_stream | Assigns the current message to the specified stream. |
| seconds | Creates a period with a specified number of seconds. |
| select_jsonpath | Selects one or more named JSON Path expressions from a JSON tree. |
| set_field | Sets the name field to the given value in the currently processed message. |
| set_fields | Sets multiple fields to the given values in the currently processed message. |
| sha1 | Returns the hex encoded SHA1 digest of the given string. |
| sha256 | Returns the hex encoded SHA256 digest of the given string. |
| sha512 | Returns the hex encoded SHA512 digest of the given string. |
| split | Splits a string around matches of this pattern (Java syntax). |
| starts_with | Checks if a string starts with a given prefix. |
|
Adds the specified string (or string array) value to the supplied string array. Casts the input array and value/value array to strings. |
|
|
Computes Shannon's entropy of the character distribution in the given string. |
|
| substring | Returns a substring of value with the given start and end offsets. |
| swapcase | Swaps the case of a string. |
| syslog_facility | Converts a syslog facility number to its string representation. |
| syslog_level | Converts a syslog level number to its string representation. |
| to_bool | Converts the single parameter to a boolean value using its string value. |
| to_date | Converts a type to a date. |
| to_double | Converts the first parameter to a double floating point value. |
| to_ip | Converts the given string to an IP object. |
| to_long | Converts the first parameter to a long integer value. |
| to_map | Converts a value to a map. |
| to_string | Converts the first parameter to its string representation. |
| to_url | Converts a value to a valid URL using its string representation. |
| traffic_accounting_size | Calculates the current size of the message as used by the traffic accounting system. |
| uncapitalize | Uncapitalizes a string changing the first letter to lower case. |
| uppercase | Converts a string to upper case. |
| urldecode | Decodes an application/x-www-form-urlencoded string using a specific encoding scheme. |
| urlencode | Translates a string into application/x-www-form-urlencoded format using a specific encoding scheme. |
| weeks | Creates a period with a specified number of weeks. |
| years | Creates a period with a specified number of years. |
