Functions Reference
The following list describes the built-in functions that ship with Graylog.
Function | Category | Description | Syntax |
---|---|---|---|
abbreviate | String | Abbreviates a string using ellipses. The width defines the maximum length of the resulting string. | abbreviate(value: string, width: long)
|
abusech_ransom_lookup_domain | String | Matches a domain name against the abuse.ch Ransomware Domain Blocklist RW_DOMBL . |
abusech_ransom_lookup_domain(domain_name) : GenericLookupResult
|
abusech_ransom_lookup_ip | String | Matches an IPv4 or IPv6 address against the abuse.ch Ransomware Domain Blocklist RW_DOMBL . |
abusech_ransom_lookup_ip(ip_address) : GenericLookupResult
|
add_asset_categories | Asset Enrichment | Adds a list of categories to an asset. | add_asset_categories(asset_name: string, categories: list)
|
Anonymization |
Anonymizes an IP address by setting the last octet to 0 . |
anonymize_ip(ip) : IpAddress
|
|
array_contains | Message Handling |
Checks if the specified element is contained in the array. |
array_contains (elements, value, [case-sensitive]): boolean
|
array_remove | Message Handling |
Removes the specified element from the array. |
array_remove (elements, value, [remove_all]) : list
|
base16_decode | String | Provides base16 decoding of the string that returns lower-case letters. It requires regular hexadecimals, 0-9 A-F. | base16_decode (value, [omit_padding: boolean])
|
base16_encode | String | Provides standard case-insensitive hexadecimal encoding using a 16-character subset. It requires regular hexadecimals, 0-9 A-F. | base16_encode (value, [omit_padding: boolean])
|
base32_decode | String | Decodes a string using a 32-character subset. Uses the "numerical" base 32 and is extended from the traditional hexadecimal alphabet, 0-9 A-V. | base32_decode (value, [omit_padding: boolean])
|
base32_encode | String | Encodes a string using a 32-character subset. Uses the "numerical" base 32 and is extended from the traditional hexadecimal alphabet, 0-9 A-V. | base32_encode (value, [omit_padding: boolean])
|
base32human_decode | String | Decodes a string in human-readable format using a 32-character subset. It is a "readable" base 32, so there is no possibility of confusing 0/O or 1/I, A-Z 2-7. | base32human_decode (value, [omit_padding: boolean])
|
base32human_encode | String | Encodes a string in human-readable format using a 32-character subset. It is a "readable" base 32, so there is no possibility of confusing 0/O or 1/I, A-Z 2-7. | base32human_encode (value, [omit_padding: boolean])
|
base64_decode | String | Decodes a string using a 64-character subset. Regular base64 allows both upper and lowercase letters. It does not need to be human readable. | base64_decode (value, [omit_padding: boolean])
|
base64_encode | String | Encodes a string using a 64-character subset. Regular base64 allows both upper and lowercase letters. It does not need to be human readable. | base64_encode (value, [omit_padding: boolean])
|
base64url_decode | String | Provides URL-safe decoding of a string using a 64-character subset. It is safe to use as file names or to pass in URLs without escaping. | base64url_decode (value, [omit_padding: boolean])
|
base64url_encode | String | Provides URL-safe encoding of the string using a 64-character subset. It is safe to use as file names or to pass in URLs without escaping. | base64url_encode (value, [omit_padding: boolean])
|
capitalize | String | Capitalizes a string, changing the first letter to title case. | capitalize(value: string)
|
cidr_match | Boolean/Message Function |
Checks whether the given IP address object matches the cidr pattern. See also: to_ip |
cidr_match(cidr: string, ip: IpAddress)
|
clone_message | Message Handling | Clones a message. If message is omitted, this function uses the currently processed message. |
clone_message([message: Message])
|
concat | String |
Returns a new string combining the text of first and second. |
concat(first: string, second: string)
|
contains | String |
Checks if a string contains another string. The comparison ignores the case when ignore_case is true. |
contains(value: string, search: string, [ignore_case: boolean])
|
crc32 | String Function/Encoding | Returns the hex-encoded CRC32 digest of the given string. | crc32(value: string)
|
crc32c | String Function/Encoding | Returns the hex-encoded CRC32C (RFC 3720, Section 12.1) digest of the given string. | crc32c(value: string)
|
create_message | Message Handling | Creates a new message from the given parameters. If any of these parameters is omitted, their value is taken from the corresponding fields of the currently processed message. If timestamp is omitted, the timestamp of the created message will be the timestamp at that moment in time. |
create_message([message: string], [source: string], [timestamp: DateTime])
|
csv_to_map | Conversion |
Converts a single line of a CSV string into a map usable by set_fields. See also: set_fields |
csv_to_map(value, fieldNames, [separator], [quoteChar], [escapeChar], [strictQuotes], [trimLeadingWhitespace], [ignoreExtraFieldNames])
|
days | Date/Time |
Creates a time period with value number of days. |
days(value: long)
|
debug | Debug |
Prints the passed value as a string in the Graylog log. Note that the debug message will only appear in the log of the Graylog node processing the message you are trying to debug. |
debug(value: any)
|
drop_message | Message Handling |
Removes the given message. |
drop_message(message: Message)
|
ends_with | String |
Checks if value ends with suffix, optionally ignoring the case. |
ends_with(value: string, suffix: string, [ignore_case: boolean])
|
expand_syslog_priority | Conversion | Converts a syslog priority number to its level and facility. | expand_syslog_priority(value: any)
|
expand_syslog_priority_as_string | Conversion | Converts the syslog priority number in value to its severity and facility string representations. | expand_syslog_priority_as_string(value: any)
|
first_non_null | List | Returns the first element in the specified list that is not null. Returns null for an empty list. |
first_non_null (value: list)
|
flatten_json | String |
Parses the value string as JSON and returns a flattened JsonNode. |
flatten_json(value, array_handler) : JsonNode
|
flex_parse_date | Date/Time |
Uses the Natty date parser to parse a date and time. See also: is_date |
flex_parse_date(value: string, [default: DateTime], [timezone: string])
|
format_date | Date/Time | Returns the given date and time value formatted according to the format string. If no timezone is given, it defaults to UTC . |
format_date(value: DateTime, format: string, [timezone: string])
|
from_forwarder_input | Message Handling | Checks whether the currently processed message was received on the given forwarder input. The input can be looked up by either specifying its name (the comparison ignores the case) or the id . |
from_forwarder_input(id: string | name: string)
|
from_input | Message Handling | Checks whether the currently processed message was received on the given (non-forwarder) input. The input can be looked up by either specifying its name (the comparison ignores the case) or the id . |
from_input(id: string | name: string)
|
Message Handling |
Retrieves the |
|
|
grok | Pattern Matching |
Applies the grok pattern to the value. See also: set_fields |
grok(pattern: string, value: string, [only_named_captures: boolean])
|
grok_exists | Boolean | Checks if the given Grok pattern exists. log_missing determines whether a log message is generated when no matching pattern is found. |
grok_exists (pattern:string, [log_missing:boolean])
|
has_field | Boolean/Message Function | Checks whether the given message contains a field with the name field . If message is omitted, this function uses the currently processed message. |
has_field(field: string, [message: Message])
|
hours | Date/Time | Creates a time period with value number of hours. |
hours(value: long)
|
Message Handling |
Checks if an IP address is in a private network as defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or RFC 4193 (fc00::/7). |
|
|
is_bool | Boolean | Checks whether the given value is a Boolean value (true or false ). |
is_bool(value: any)
|
is_collection | Boolean | Checks whether the given value is an iterable collection. |
is_collection(value: any)
|
is_date | Boolean |
Checks whether the given value is a date. See also: now, parse_date, flex_parse_date, parse_unix_milliseconds |
is_date(value: any)
|
is_double | Boolean |
Checks whether the given value is a double. See also: to_double |
is_double(value: any)
|
is_ip | Boolean |
Checks whether the given value is an IP address. See also: to_ip |
is_ip(value: any)
|
is_json | Boolean |
Checks whether the given value is JSON. See also: parse_json |
is_json(value: any)
|
is_list | Boolean | Checks whether a value is an iterable list. |
is_list(value: any)
|
is_long | Boolean |
Checks whether a value is a long. See also: to_long |
is_long(value: any)
|
is_map | Boolean |
Checks whether the given value is a map. See also: to_map |
is_map(value: any)
|
is_not_null | Boolean |
Checks whether a value is not null. |
is_not_null(value: any)
|
is_null | Boolean |
Checks whether a value is null. |
is_null(value: any)
|
is_number | Boolean |
Checks whether the given value is a number. |
is_number(value: any)
|
is_period | Boolean |
Checks whether the given value is a time period. See also: years, months, weeks, days, hours, minutes, seconds, millis, period |
is_period(value: any)
|
is_string | Boolean |
Checks whether a value is a string. See also: to_string |
is_string(value: any)
|
is_url | Boolean |
Checks whether the given value is a URL. See also: to_url |
is_url(value: any)
|
join | String | Joins the specified range of elements of the provided array into a single string. Start index defaults to 0 , and end index defaults to the last element index of the list. If specified, the elements are separated by the delimiter in the resulting string. |
join (elements: list, [delimiter:string], [start:long], [end:long])
|
key_value | Boolean |
Extracts key-value pairs from the given value and returns them as a map.
Also note that the result of executing the key_value function is a map intended to be passed to set_fields. See also: set_fields |
key_value (
value : string ,
[ delimiters : string ],
[ kv_delimiters : string ],
[ ignore_empty_values : boolean ],
[ allow_dup_keys : boolean ],
[ handle_dup_keys : string ],
[ trim_key_chars : string ],
[ trim_value_chars : string ] )
|
length | String | Counts the characters in a string. If bytes=true, it counts the number of bytes instead (assumes UTF-8 encoding). | length (value:string, [bytes: boolean])
|
list_count | List | Gets the number of elements in a list. | list_count(list:list) : Long
|
list_get | List | Gets a value from a list. | list_get(list:list, index:long) : Object
|
lookup | Lookup |
Looks up a multi value in the named lookup table. |
lookup(lookup_table: string, key: any, [default: any])
|
lookup_add_string_list | Lookup | Adds a string list in the named lookup table and returns the updated list on success or returns null on failure. This function only supports the MongoDB Lookup Table at the time of writing. |
lookup_add_string_list(lookup_table, key, value,[keep_duplicates])
|
lookup_all | Lookup |
Looks up all provided values in the named lookup table and returns all results as an array. |
lookup_all(lookup_table, keys) : list
|
Lookup |
Adds a time to live to the key in the named lookup table. Returns the updated entry on success and null on failure. |
|
|
lookup_clear_key | Lookup | Clears (removes) a key in the named lookup table. This function only supports the MongoDB Lookup Table at the time of writing. | lookup_clear_key(lookup_table, key)
|
lookup_has_value | Lookup | Determines whether a given key is present in a lookup table. Will return true if the key is present and false if the key is not present. |
lookup_has_value (lookup_table, key)
|
lookup_remove_string_list | Lookup | Removes the entries of the given string list from the named lookup table. Returns the updated list on success and returns null on failure. This function only supports the MongoDB Lookup Table at the time of writing. |
lookup_remove_string_list(lookup_table, key, value)
|
lookup_set_string_list | Lookup | Sets a string list in the named lookup table. Returns the new value on success and returns null on failure. This function only supports the MongoDB Lookup Table at the time of writing. |
lookup_set_string_list(lookup_table:string, key:string, value:list)
|
lookup_set_value | Lookup | Sets a single value in the named lookup table. Returns the new value on success and returns null on failure. This function only supports the MongoDB Lookup Table at the time of writing. |
lookup_set_value(lookup_table, key, value)
|
lookup_string_list | Lookup | Looks up a string list value in the named lookup table. This function only supports the MongoDB Lookup Table at the time of writing. | lookup_string_list(lookup_table, key, [default])
|
lookup_string_list_contains | Boolean | Looks up value in the string list referenced by the key in the named lookup table. Returns true only if the key/value mapping is present, otherwise it returns false . |
lookup_string_list_contains (lookup_table, key, value)
|
lookup_value | Lookup |
Looks up a single value in the named lookup table. |
lookup_value(lookup_table: string, key: any, [default: any])
|
lowercase | String | Converts a String to lower case. The locale (IETF BCP 47 language tag) defaults to en . |
lowercase(value: string, [locale: string])
|
Asset Enrichment |
Looks up a single machine asset. If multiple assets match the input parameters, only one will be returned. |
|
|
Asset Enrichment |
Updates the IP or MAC addresses for a machine asset. If multiple assets match the input parameters, only one will be selected. |
|
|
Map |
Retrieves a value from a map. |
|
|
Map |
Copies a map to a new map. |
|
|
Map |
Removes a key from the map. |
|
|
Map |
Sets a key in the map. |
|
|
md5 | String | Creates the hex-encoded MD5 digest of the value . |
md5(value: string)
|
metric_counter_inc | Debug | Counts specific metric criteria. The counter metric name will always be prefixed with org.graylog.rulemetrics . The default value is 1 if no increment value is specified. |
metric_counter_inc (name, [value]): Void
|
millis | Date/Time |
Creates a time period with value number of milliseconds. |
millis(value: long)
|
minutes | Date/Time |
Creates a time period with value number of minutes. |
minutes(value: long)
|
months | Date/Time |
Creates a time period with value number of months. |
months(value: long)
|
multi_grok |
Applies a list of Grok patterns to a string and returns the first match. |
multi_grok(patterns, value, [only_named_captures]) : GrokMatch$GrokResult
|
|
murmur3_128 | Encoding | Creates the hex-encoded MurmurHash3 (128-bit) digest of the value . |
murmur3_128(value: string)
|
murmur3_32 | Encoding | Creates the hex-encoded MurmurHash3 (32-bit) digest of the value . |
murmur3_32(value: string)
|
Message Handling |
Normalizes all field names by setting them to lowercase. |
|
|
now | Date/Time |
Returns the current date and time. See also: is_date |
now([timezone: string])
|
otx_lookup_domain | String |
Looks up AlienVault OTX threat intelligence data for a domain name. Requires a configured lookup table named |
otx_lookup_domain (domain_name: string) : OTXLookupResult
|
otx_lookup_ip | String |
Looks up AlienVault OTX threat intelligence data for an IPv4 or IPv6 address. Requires a configured lookup table named |
otx_lookup_ip (ip_address: string) : OTXLookupResult
|
String |
Parses any CEF-formatted string into its fields. This is the CEF string (starting with CEF: ). |
|
|
parse_date | Date/Time | Parses a date string using the given date format. | parse_date(value: string, pattern: string, [locale: string], [timezone: string])
|
parse_json | String |
Parses the value string as JSON. See also: to_map |
parse_json(value: string)
|
parse_unix_milliseconds | Date/Time |
Attempts to parse a UNIX millisecond timestamp (milliseconds since 1970-01-01T00:00:00.000Z) into a proper date and time value. See also: is_date |
parse_unix_milliseconds(value: long)
|
period | Date/Time |
Parses an ISO 8601 time period from value. See also: is_period, years, months, weeks, days, hours, minutes, seconds, millis |
period(value: string)
|
regex | Pattern Matching | Matches a string with a regular expression. Uses Java syntax. | regex(pattern: string, value: string, [group_names: array[string]])
|
regex_replace | Pattern Matching |
Matches the regular expression in pattern against value and replaces it, if matched, with replacement. |
regex_replace(pattern: string, value: string, replacement: string,[replace_all: boolean])
|
Asset Enrichment |
Remove a list of categories from an asset. |
|
|
remove_field (legacy) | Message Handling |
Removes the given field with the name field. See instead: remove_single_field, remove_multiple_fields |
remove_field(field: string, [message: Message])
|
remove_from_stream | Message Handling |
Removes the message from the given stream. If you want to discard the message entirely, use the drop_message function. |
remove_from_stream(id: string | name: string, [message: Message])
|
remove_multiple_fields | Message Handling | Removes fields matching a regular expression (regex) pattern and/or list of names, unless the field name is reserved. | remove_multiple_fields ([pattern: string],[names: list],[message: Message])
|
remove_single_field | Message Handling | Removes a single field from a message, unless the field name is reserved. | remove_single_field (field: string, [message: Message])
|
rename_field | Message Handling | Modifies the field name old_field to new_field in the given message, keeping the field value unchanged. |
rename_field(old_field: string, new_field: string, [message: Message])
|
replace | String |
Replaces the first max occurrences of search in value with replacement. |
replace(value: string, search: string, [replacement: string], [max: long])
|
route_to_stream | Message Handling |
Sets a stream assignment of the message to the given stream. Functions as 'copy' and does not remove the message from the current stream.
If remove_from_default is set, the message is also removed from the default stream. |
route_to_stream(id: string | name: string, [message: Message], [remove_from_default: boolean])
|
seconds | Date/Time |
Creates a time period with value number of seconds. |
seconds(value: long)
|
select_jsonpath | Map |
Evaluates the given paths against the json tree and returns a map of the resulting values. See also: is_json, parse_json |
select_jsonpath(json: JsonNode, paths: Map<string, string>)
|
Asset Enrichment |
Adds associated asset information. |
|
|
set_field | Message Handling |
Sets the given field to the given value in the message. See also: set_fields |
set_field(field: string, value: any, [prefix: string], [suffix: string], [message: Message], [default: any], [clean_field: boolean])
|
set_fields | Message Handling |
Sets all of the given name-value pairs in fields in the message. |
set_fields(fields: Map<string, any>, [prefix: string], [suffix: string], [message: Message], [clean_fields: boolean])
|
sha1 | Encoding | Creates the hex-encoded SHA1 digest of the value . |
sha1(value: string)
|
sha256 | Encoding | Creates the hex-encoded SHA256 digest of the value . |
sha256(value: string)
|
sha512 | Encoding | Creates the hex-encoded SHA512 digest of the value . |
sha512(value: string)
|
Lookup |
Matches an IP address against the Spamhaus DROP and EDROP lists. |
|
|
split | String | Splits a string around matches of this pattern. Uses Java syntax. | split(pattern: string, value: string, [limit: int])
|
starts_with | String |
Checks if value starts with prefix, optionally ignoring the case. |
starts_with(value: string, prefix: string, [ignore_case: boolean])
|
string_array_add | String |
Adds the specified string (or string array) value to the elements array. |
string_array_add(elements, value, [only_unique]) : list
|
string_entropy | String | Computes Shannon's entropy of the character distribution in the given string. | string_entropy (value: string, [default: double])
|
substring | String |
Returns a substring of value starting at the start offset, optionally ending at the end offset. |
substring(value: string, start: long, [end: long])
|
swapcase | String | Swaps the case of a String changing upper and title case to lower case and lower case to upper case. |
swapcase(value: string)
|
syslog_facility | Conversion | Converts the syslog facility number in value to its string representation. |
syslog_facility(value: any)
|
syslog_level | Conversion | Converts the syslog severity number in value to its string representation. |
syslog_level(value: any)
|
Lookup |
Matches a domain name against all enabled threat intel sources, except OTX. |
|
|
Lookup |
Matches an IP address against all enabled threat intel sources, except OTX. |
|
|
to_bool | Conversion | Converts the single parameter to a Boolean value using its string value. | to_bool(value: any)
|
to_date | Conversion |
Converts value to a date. See also: is_date |
to_date(value: any, [timezone: string])
|
to_double | Conversion | Converts the first parameter to a double floating point value. | to_double(value: any, [default: double])
|
to_ip | Conversion |
Converts the given ip string to an IP address object. See also: cidr_match |
to_ip(ip: string)
|
to_long | Conversion | Converts the first parameter to a long integer value. | to_long(value: any, [default: long])
|
to_map | Conversion |
Converts the given map-like value to a valid map. See also: set_fields, parse_json |
to_map(value: any)
|
to_string | Conversion | Converts the first parameter to its string representation. | to_string(value: any, [default: string])
|
to_url | Conversion | Converts the given url to a valid URL. |
to_url(url: any, [default: string])
|
Lookup |
Matches an IP address against known Tor exit nodes to identify connections from the Tor network. |
|
|
traffic_accounting_size | Message Handling |
Calculates the size of the entire message, including all extra fields. This is also the value used to determine how much the message counts toward license usage. |
traffic_accounting_size([message]): long
|
uncapitalize | String | Uncapitalizes a string, changing the first letter to lower case. | uncapitalize(value: string)
|
uppercase | String | Converts a string to upper case. The locale (IETF BCP 47 language tag) defaults to en . |
uppercase(value: string, [locale: string])
|
urldecode | String | Decodes an application/x-www-form-urlencoded string using a specific encoding scheme. | urldecode(value: string, [charset: string])
|
urlencode | String | Translates a string into application/x-www-form-urlencoded format using a specific encoding scheme. Valid charsets include, for example, UTF-8 and US-ASCII. Default is UTF-8. |
urlencode(value, [charset])
|
Asset Enrichment |
Looks up a single user asset. If multiple assets match the input parameters, only one will be returned. |
|
|
Watchlist |
Adds a value to a watchlist referenced by type. Returns true on success and false on failure and throws an exception if the watchlist is not configured correctly. |
|
|
Watchlist |
Looks up a value in the watchlist referenced by the type. Returns true on success and false on failure and throws an exception if the watchlist is not configured correctly. |
|
|
Watchlist |
Removes a value from a watchlist referenced by type. Returns true on success and false on failure and throws an exception if the watchlist is not configured correctly. |
|
|
weeks | Date/Time |
Creates a time period with value number of weeks. |
weeks(value: long)
|
Lookup |
Retrieves WHOIS information for an IP address |
|
|
years | Date/Time |
Creates a time period with value number of years. |
years(value: long)
|
Examples
Review the following examples for select functions referenced above.
array_contains
// Example: array_contains on numeric and string arrays.
// The optional third argument is the case-sensitive flag; the labels the
// author chose below show that without it the string comparison is
// case-insensitive.
rule "array_contains"
when
true
then
// expected true: 1 is an element of the array
set_field("contains_number", array_contains([1, 2, 3, 4, 5], 1));
// expected false: 7 is not an element
set_field("does_not_contain_number", array_contains([1, 2, 3, 4, 5], 7));
set_field("contains_string", array_contains(["test", "test2"], "test"));
// no third argument: "TEST" still matches "test"
set_field("contains_string_case_insensitive", array_contains(["test", "test2"], "TEST"));
// third argument true: the comparison is case-sensitive, so "TEST" does not match "test"
set_field("contains_string_case_sensitive", array_contains(["test", "test2"], "TEST", true));
end
array_remove
// Example: array_remove with and without the optional remove_all flag.
rule "array_remove"
when
true
then
// removes the matching element -> [1, 3]
set_field("remove_number", array_remove([1, 2, 3], 2));
set_field("remove_string", array_remove(["one", "two", "three"], "two"));
// a value that is not present leaves the array unchanged
set_field("remove_missing", array_remove([1, 2, 3], 4));
// without remove_all only the first occurrence is removed (per the field label)
set_field("remove_only_one", array_remove([1, 2, 2], 2));
// remove_all = true removes every occurrence
set_field("remove_all", array_remove([1, 2, 2], 2, true));
end
concat
// Builds "<protocol> connect from <src_ip> to <dst_ip> Port <dst_port>".
// concat takes exactly two strings (see the Functions table), hence the chain of
// intermediate variables; each message field is passed through to_string first.
let build_message_0 = concat(to_string($message.protocol), " connect from ");
let build_message_1 = concat(build_message_0, to_string($message.src_ip));
let build_message_2 = concat(build_message_1, " to ");
let build_message_3 = concat(build_message_2, to_string($message.dst_ip));
let build_message_4 = concat(build_message_3, " Port ");
let build_message_5 = concat(build_message_4, to_string($message.dst_port));
// overwrites the message field of the currently processed message
set_field("message", build_message_5);
contains
// true when the hostname field contains "example.org"; the third argument (ignore_case)
// makes the comparison case-insensitive
contains(to_string($message.hostname), "example.org", true)
debug
Logs Dropped message from <source>:
let debug_message = concat("Dropped message from ", to_string($message.source));
debug(debug_message);
drop_message
// Drops any message whose "message" field is 16383 characters or longer and
// records the source of the dropped message in the server log.
rule "drop messages over 16383 characters"
when
has_field("message") AND
// regex uses Java syntax (see the Functions table); "." does not match line
// terminators by default, so a multi-line message over the limit may not match
// this pattern — confirm whether that is intended
regex(pattern: "^.{16383,}$", value: to_string($message.message)).matches == true
then
drop_message();
// added debug message to be notified about the dropped message
// debug() writes to the log of the processing node (see the Functions table);
// only the source field is logged here, not the oversized content
debug( concat("dropped oversized message from ", to_string($message.source)));
end
ends_with
Returns true:
ends_with("Foobar Baz Quux", "quux", true);
Returns false:
ends_with("Foobar Baz Quux", "Baz");
is_not_null
// true when src_addr holds a value; src_addr here is a rule variable (declared with
// let), whereas message fields are referenced as $message.src_addr in the other examples
is_not_null(src_addr)
is_null
// true when src_addr is null; src_addr here is a rule variable (declared with
// let), whereas message fields are referenced as $message.src_addr in the other examples
is_null(src_addr)
lookup
// Enriches a message with GeoIP data for its dst_ip field by querying the
// "geoip-lookup" lookup table and copying selected parts of the result into
// separate fields.
rule "dst_ip geoip lookup"
when
has_field("dst_ip")
then
// lookup returns a multi-value result (see the Functions table); nested
// members are accessed with ["key"] and .member below
let geo = lookup("geoip-lookup", to_string($message.dst_ip));
// NOTE(review): if the table has no entry for the address, geo may be null and
// the member accesses below may fail — consider guarding with is_not_null(geo)
set_field("dst_ip_geolocation", geo["coordinates"]);
set_field("dst_ip_geo_country_code", geo["country"].iso_code);
set_field("dst_ip_geo_country_name", geo["country"].names.en);
set_field("dst_ip_geo_city_name", geo["city"].names.en);
end
lookup_all
// Looks up several keys at once in the lookup table "lut_name" (an illustrative
// table name) and stores the results, returned as an array, in one field.
rule "function lookup all"
when
true
then
// one result per key, in an array (see lookup_all in the Functions table)
let values = lookup_all("lut_name", ["key1", "key2", "key3"]);
set_field("values", values);
end
lookup_value
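// Single-value lookup of the src_addr field in the "ip_lookup" table.
// The function name was missing from the original line and is restored from
// the example heading.
lookup_value("ip_lookup", to_string($message.src_addr));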
multi_grok
// NOTE(review): the leading rule "..." header line is not shown in this excerpt.
when
true
then
// multi_grok tries the patterns in order and returns the first match (see the
// Functions table); the resulting captures are written as message fields
set_fields(
fields: multi_grok(
patterns: [
"^ABC %{IPORHOST:msg_ip}: %{GREEDYDATA:abc_message}",
"^123 %{IPORHOST:msg_ip}: %{GREEDYDATA:123_message}",
"^ABC2 %{IPORHOST:abc_ip}: %{GREEDYDATA:abc_message}"
],
value: to_string($message.message),
// presumably restricts the result to the named captures (msg_ip, abc_message, ...) — verify
only_named_captures: true
)
);
end
otx_lookup_domain
// NOTE(review): despite the heading, this example calls lookup_value on the
// "dns_lookups" table rather than otx_lookup_domain; the rule name also
// describes an IP-to-DNS lookup.
rule "PARSE IP to DNS"
when
has_field("source_ip")
// only checks the dotted-quad shape; 1-3 digit groups such as 999.999.999.999
// also pass — is_ip (see the Functions table) may be the stricter check, verify
&& regex(
pattern: "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$",
value: to_string($message.source_ip)
).matches == true
then
let rs = lookup_value("dns_lookups", to_string($message.source_ip));
set_field("source_ip_dns", to_string(rs));
end
otx_lookup_ip
// Enriches a message with AlienVault OTX data for its source_ip field.
rule "PARSE source_ip - otx-api-ip"
when
// validate message has a source_ip field
has_field("source_ip")
// validate that source IP is IPv4 format
// (shape check only: 1-3 digit groups such as 999.999.999.999 also pass;
// is_ip from the Functions table may be the stricter check — verify)
&& regex(
pattern: "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$",
value: to_string($message.source_ip)
).matches == true
then
// rs is an OTXLookupResult (see the Functions table)
let rs = otx_lookup_ip(to_string($message.source_ip));
// writes every entry of the lookup result onto the message as a field;
// set_fields accepts an optional prefix if the names should be namespaced
set_fields(rs);
end
parse_unix_milliseconds
// NOTE(review): the line assigning the parse_unix_milliseconds result to the
// timestamp variable is not shown in this excerpt; only the set_field call is
set_field ( "timestamp" , timestamp );
regex_replace
// captures the text after "user: " (capture group 1, referenced as $1 in the
// replacement) into username; the leading greedy ".*" means the match anchors on
// the last "user: " in the message
let username = regex_replace(".*user: (.*)", to_string($message.message), "$1");
replace
// Two alternative forms (both declare new_field; use one or the other).
// Without max every occurrence of "oo" is replaced; with max = 1 only the first.
let new_field = replace(to_string($message.message), "oo", "u"); // "fu ruft uta"
let new_field = replace(to_string($message.message), "oo", "u", 1); // "fu rooft oota"
route_to_stream
// routes the current message to the stream with this id (a stream can also be
// addressed by name, see the Functions table); the message stays in its current
// stream as well
route_to_stream(id: "512bad1a535b43bd6f3f5e86");
starts_with
Returns true:
starts_with("Foobar Baz Quux", "foo", true);
Returns false:
starts_with("Foobar Baz Quux", "Quux");
string_array_add
// Example: string_array_add with single values, arrays and the only_unique flag.
rule "string_array_add"
when
true
then
// numeric values are converted to strings before being added (per the field labels)
set_field("add_number_to_string_array_converted", string_array_add(["1", "2"], 3));
set_field("add_number_array_to_string_array_converted", string_array_add(["1", "2"], [3, 4]));
set_field("add_string", string_array_add(["one", "two"], "three"));
// without only_unique a value already present is added again
set_field("add_string_again", string_array_add(["one", "two"], "two"));
// only_unique = true: an existing value is not duplicated
set_field("add_string_again_unique", string_array_add(["one", "two"], "two", true));
set_field("add_array_to_array", string_array_add(["one", "two"], ["three", "four"]));
end
substring
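// First 20 characters of the message field (start offset 0, end offset 20).
// The variable name is illustrative: the assignment target was missing from the
// original line.
let message_prefix = substring(to_string($message.message), 0, 20);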
to_map
// Parses the json_payload field and promotes its top-level keys to message fields.
let json = parse_json(to_string($message.json_payload));
let map = to_map(json);
// every key of the (possibly untrusted) payload becomes a field name; set_fields
// accepts optional prefix and clean_fields arguments (see the Functions table) to
// namespace or sanitize those names
set_fields(map);
traffic_accounting_size
// Stores the size of the current message — the value counted toward license
// usage (see the Functions table) — in the license_usage field.
set_field(
field: "license_usage",
value: traffic_accounting_size() // size in bytes
//value: traffic_accounting_size() / 1024 // size in kb
);