As we describe features and concepts it helps to have a mental model of Cribl as a system that receives events from various sources, processes them, and then sends them to one ore more destinations.
At its core a function is a piece of code that executes on an event and it encapsulates the smallest amount of processing that can happen to that event. For instance, a simple function can be one that replaces the term
bar on each event. Another one can hash or encrypt
bar and yet another can add a field, say,
dc=jfk-42 to any event with
source=*us-nyc-application.log. Functions are invoked on each event that passes thru them. To help improve performance, functions can be optionally configured with additional filters to further scope their invocation on matching events only. More details on functions.
A series of functions is called a pipeline and the order in which they are executed matters. Events are delivered at the beginning of a pipeline (by a Route, see below) and as they're processed by a function they are passed to next one down the line. Events only move forward, towards the end of the pipeline and eventually out of the system. More details on pipelines.
Routes are the Cribl mechanisms that apply filter expressions on incoming events and find the appropriate pipeline to send them to. When multiple Routes exist in a system they are evaluated in order. A Route can be associated only with one pipeline. By default, a Route-Pipeline pair will consume matching events. However, if the
Final flag is disabled, one or more clones are sent down the pipeline while the original event continues down the routes. This is very useful in cases where the same set of events needs to be processed differently and delivered to different destinations. More details on routes.