Cribl Expressions

Native Cribl function methods can be found under C.* and can be invoked from any function that allows for expression evaluations. For example, to create a field that is the SHA1 of another field's value, you can use the Eval function:

Name          Value Expression
myNewField    C.Mask.sha1(myOtherField)

C.Crypto - Data encryption and decryption functions


C.Crypto.decrypt
(method) Crypto.decrypt(value: string): string
Decrypt all occurrences of ciphers in the given value. Instances that cannot be decrypted (for any reason) are left intact.
@param - value - string where to look for ciphers
@returns - - value with ciphers decrypted

C.Crypto.encrypt
(method) Crypto.encrypt(value: any, keyclass: number, keyId?: string, defaultVal?: string): string
Encrypt the given value with the keyId or a keyId picked up automatically based on keyclass

@param {string | Buffer} value - what to encrypt
@param - keyclass - if keyId isn't specified, pick one at the given keyclass.
@param - keyId - encryption keyId, takes precedence over keyclass
@param - defaultVal - what to return if encryption fails for any reason; if unspecified, the original value is returned
@returns - - the encrypted value if encryption succeeds, otherwise defaultVal if specified, otherwise value.

C.Decode - Data decoding functions


C.Decode.base64
(method) Decode.base64(val: string, resultEnc?: string): any
Performs base64 decoding of the given string and returns a string or Buffer depending on resultEnc value, which defaults to 'utf8'
@param - val value to base64 decode
@param - resultEnc encoding to use to convert the binary data to a string. defaults to 'utf8', use 'utf8-valid' to validate result is valid UTF8, use 'buffer' if you need the binary data in a Buffer.

C.Decode.hex
(method) Decode.hex(val: string): number
Performs hex to number conversion. Returns NaN if value cannot be converted to a number
@param - val hex string to parse to a number (eg. 0xcafe)

C.Decode.uri
(method) Decode.uri(val: string): string
Performs uri decoding of the given string
@param - val value to uri decode

C.Encode - Data encoding functions


C.Encode.base64
(method) Encode.base64(val: any, trimTrailEq?: boolean): string
Returns a base64 representation of the given string or Buffer
@param - val value to base64 encode
@param - trimTrailEq whether to trim any trailing =

C.Encode.hex
(method) Encode.hex(val: string | number): string
Rounds the number to an integer and returns its hex representation (lower case). If a string is provided, it will be parsed into a number or NaN.
@param - val value to convert to hex

C.Encode.uri
(method) Encode.uri(val: string): string
Returns the uri encoded representation of the given string
@param - val value to uri encode

C.Mask - Data Masking Functions


C.Mask.CC
(method) Mask.CC(value: string, unmasked?: number, maskChar?: string): string
Check that value could be a valid credit card number and mask a subset of the value. By default all digits except the last 4 will be replaced with X.
@param - value - a string whose digits to mask iff it could be a valid credit card number
@param - unmasked - number of unmasked digits, positive for left, negative for right, 0 for none
@param - maskChar - a string/char to replace a digit with

C.Mask.IMEI
(method) Mask.IMEI(value: string, unmasked?: number, maskChar?: string): string
Check that value could be a valid IMEI number and mask a subset of the value. By default all digits except the last 4 will be replaced with X.
@param - value - a string whose digits to mask iff it could be a valid IMEI number
@param - unmasked - number of unmasked digits, positive for left, negative for right, 0 for none
@param - maskChar - a string/char to replace a digit with

C.Mask.isCC
(method) Mask.isCC(value: string): boolean
Checks that the given value could be a valid credit card number, by verifying that the string's Luhn checksum modulo 10 == 0
@param - value - a string to check for being a valid credit card number

C.Mask.isIMEI
(method) Mask.isIMEI(value: string): boolean
Checks that the given value could be a valid IMEI number, by verifying that the string's Luhn checksum modulo 10 == 0
@param - value - a string to check for being a valid IMEI number

C.Mask.luhn
(method) Mask.luhn(value: string, unmasked?: number, maskChar?: string): string
Check that the value's Luhn checksum mod 10 is 0 and mask a subset of the value. By default all digits except the last 4 will be replaced with X. If the value's Luhn checksum mod 10 is not 0, then the value is returned unmodified.
@param - value - a string whose digits to mask iff the value's Luhn checksum mod 10 is 0
@param - unmasked - number of unmasked digits, positive for left, negative for right, 0 for none
@param - maskChar - a string/char to replace a digit with

C.Mask.LUHN_SUB
(property) Mask.LUHN_SUB: any

C.Mask.luhnChecksum
(method) Mask.luhnChecksum(value: string, mod?: number): number
Generates the Luhn checksum (used to validate certain credit card numbers, IMEI, etc.). By default the mod 10 of the checksum is returned; pass mod = 0 to get the actual checksum.
@param - value a string whose digits you want to perform the Luhn checksum on
@param - mod return checksum modulo this number, if 0 skip modulo, default is 10
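
The masking rule described for C.Mask.luhn and C.Mask.luhnChecksum, written out as an added example in plain JavaScript (a model of the documented behaviour, not Cribl's own code). It assumes non-digit characters are ignored by the checksum and preserved by the mask; the sample card number is a constructed test value.

```javascript
// Added example: stand-alone model of the documented behaviour, not Cribl's implementation.

// Luhn checksum over the digits of `value`. Non-digits are ignored (assumption).
// mod = 0 returns the raw sum; otherwise sum % mod (default 10, as documented).
function luhnChecksum(value, mod = 10) {
  const digits = String(value).replace(/\D/g, '');
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {          // double every second digit, counting from the right
      d *= 2;
      if (d > 9) d -= 9;        // same as adding the two digits of the product
    }
    sum += d;
  }
  return mod === 0 ? sum : sum % mod;
}

// Mask digits only when the Luhn check passes; otherwise return the input unmodified.
// unmasked > 0 keeps that many digits on the left, < 0 on the right, 0 keeps none.
function luhnMask(value, unmasked = -4, maskChar = 'X') {
  const s = String(value);
  const total = s.replace(/\D/g, '').length;
  if (total === 0 || luhnChecksum(s) !== 0) return s;
  const keepLeft = unmasked > 0 ? unmasked : 0;
  const keepRight = unmasked < 0 ? -unmasked : 0;
  let seen = 0;
  return s.replace(/\d/g, (d) => {
    const idx = seen++;
    return idx < keepLeft || idx >= total - keepRight ? d : maskChar;
  });
}

// Constructed sample values: the first passes the Luhn check, the second does not.
console.log(luhnMask('4111 1111 1111 1111'));      // masked, last 4 kept
console.log(luhnMask('4111 1111 1111 1112'));      // returned unmodified
```

Roughly one in ten arbitrary digit strings passes a mod-10 Luhn check, so a Luhn-gated mask will occasionally rewrite order numbers or other identifiers that merely look like card numbers.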

C.Mask.md5
(method) Mask.md5(value: string, len?: string | number): string
Generate MD5 hash of given value
@param - value compute hash of this
@param - len length of hash to return: 0 for full hash, a +number for left or a -number for right substring. If a string is passed, its length will be used

C.Mask.random
(method) Mask.random(len?: string | number): string
Generates a random alphanumeric string
@param - len a number indicating the length of the result, or if a string, use its length

C.Mask.REDACTED
(property) Mask.REDACTED: string
The literal 'REDACTED'

C.Mask.repeat
(method) Mask.repeat(len?: string | number, char?: string): string
Generates a repeating char/string pattern, e.g XXXX
@param - len a number indicating the length of the result, or if a string, use its length
@param - char pattern which to repeat len times

C.Mask.sha1
(method) Mask.sha1(value: string, len?: string | number): string
Generate SHA1 hash of given value
@param - value - compute hash of this
@param - len - length of hash to return: 0 for full hash, a +number for left or a -number for right substring. If a string is passed, its length will be used

C.Net - Network Functions


C.Net.cidrMatch()
(method) Net.cidrMatch(cidrIpRange: string, ipAddress: string): boolean
Determines if the supplied IPv4 ipAddress is inside the range of addresses identified by cidrIpRange. For example: C.Net.cidrMatch('10.0.0.0/24', '10.0.0.100') returns true
@param - cidrIpRange - IPv4 address range in cidr format. E.g., 10.0.0.0/24
@param - ipAddress - The IPv4 IP address to test for inclusion in cidrIpRange

C.Net.ipv6Normalize()
(method) Net.ipv6Normalize(address: string): string
Normalize an IPv6 address based on RFC draft-ietf-6man-text-addr-representation-04
@param - address - the IPv6 address to normalize

C.Net.isPrivate()
(method) Net.isPrivate(address: string): string
Determine if the supplied IPv4 address is in the range of private addresses per RFC 1918.
@param - address - address to test
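
How an IPv4 CIDR test like C.Net.cidrMatch and a private-range test like C.Net.isPrivate can be implemented, as an added example in plain JavaScript (not Cribl's own code). It assumes malformed input yields false and that "private" means exactly the three RFC 1918 blocks.

```javascript
// Added example: stand-alone model of the documented behaviour, not Cribl's implementation.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;        // arithmetic instead of <<, so the value stays unsigned
  }
  return n;
}

function cidrMatch(cidrIpRange, ipAddress) {
  const parts = String(cidrIpRange).split('/');
  if (parts.length !== 2 || !/^\d{1,2}$/.test(parts[1])) return false;
  const bits = Number(parts[1]);
  const net = ipv4ToInt(parts[0]);
  const addr = ipv4ToInt(ipAddress);
  if (net === null || addr === null || bits > 32) return false;
  // JS shift counts are taken modulo 32, so a /0 mask has to be special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  // & yields a signed 32-bit result; >>> 0 makes both sides unsigned before comparing.
  return ((net & mask) >>> 0) === ((addr & mask) >>> 0);
}

// Assumption: only the RFC 1918 blocks count as private.
const RFC1918_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];

function isPrivate(address) {
  return RFC1918_RANGES.some((range) => cidrMatch(range, address));
}

// Constructed sample events: tag each source address as internal or external.
const sampleEvents = [{ src: '10.0.0.100' }, { src: '172.32.0.1' }, { src: '192.168.255.255' }];
for (const e of sampleEvents) e.src_zone = isPrivate(e.src) ? 'internal' : 'external';
console.log(sampleEvents);
```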

C.os - System Functions


C.os.hostname()
Returns hostname of system running this Cribl instance.

C.Text - Text Functions


C.Text.entropy()
(method) Text.entropy(bytes: any): number
Computes the Shannon entropy of the given buffer or string.
@param - bytes - value to compute Shannon entropy of.
@returns - the entropy value or -1 in case of an error.
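
A Shannon entropy calculation of the kind C.Text.entropy describes, used to triage hostnames, as an added example in plain JavaScript (not Cribl's own code). It assumes entropy is measured in bits per byte and that empty input scores 0; the helper name, threshold, minimum length and hostnames are hypothetical, constructed values.

```javascript
// Added example: stand-alone model, not Cribl's implementation.
// Assumption: entropy is reported in bits per byte (log base 2).
function shannonEntropy(bytes) {
  let buf;
  if (typeof bytes === 'string') buf = Buffer.from(bytes, 'utf8');
  else if (Buffer.isBuffer(bytes)) buf = bytes;
  else return -1;                         // documented error value
  if (buf.length === 0) return 0;         // assumption: empty input has zero entropy
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / buf.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Hypothetical triage helper: return hostnames whose leftmost label is both long
// and high-entropy, a common first-pass signal for machine-generated names.
function flagHighEntropyHosts(hosts, threshold = 3.5, minLen = 12) {
  return hosts.filter((host) => {
    const label = String(host).split('.')[0];
    return label.length >= minLen && shannonEntropy(label) > threshold;
  });
}

// Constructed sample data. 'autodiscover' scores about 3.42 and stays under the
// threshold; the 20-character random label scores about 4.32 and is flagged.
const sampleHosts = [
  'www.example.com',
  'autodiscover.example.com',
  'a9f3k2q8z7x1m4b6v0c5.example.net',
];
console.log(flagHighEntropyHosts(sampleHosts));
```

Short strings cap out at low entropy regardless of content (a label of n distinct characters scores at most log2(n)), which is why the helper also enforces a minimum length.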

C.Text.hashCode()
(method) Text.hashCode(val: string | Buffer | number): number
Computes hashcode (djb2) of the given value.
@param - val - value to compute the hash of
@returns - hashcode value

C.Text.isASCII()
(method) Text.isASCII(bytes: any): boolean
Checks whether all bytes or chars are in the ASCII printable range.
@param - bytes - value to check for character range.
@returns - true if all chars/bytes are within ASCII printable range, false otherwise.

C.Text.isUTF8()
(method) Text.isUTF8(bytes: any): boolean
Checks whether the given Buffer contains valid UTF8
@param - bytes - bytes to check.
@returns - true if bytes are UTF8, false otherwise.

C.Text.relativeEntropy()
(method) Text.relativeEntropy(bytes: any, modelName?: string): number
Computes the relative entropy of the given buffer or string
@param - bytes - value to compute relative entropy of
@param - string modelName - The name of the model to test string with.
@returns - the relative entropy value or -1 in case of an error

C.Time - Time Functions


C.Time.strftime()
(method) Time.strftime(date: number | Date, format: string, utc?: boolean): string
Format a Date (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date) or number as a time string using a strftime specifier (https://github.com/d3/d3-time-format#api-reference)
@param - date - Date object or number (seconds since epoch) to format
@param - format - specifier to use to format the date
@param - utc - whether to output the time in UTC rather than local timezone
@returns - representation of the given date

C.Time.strptime()
(method) Time.strptime(str: string, format: string, utc?: boolean, strict?: boolean): Date
Extract time from a string using a strptime specifier (https://github.com/d3/d3-time-format#locale_format). If successful, a Date (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date) object is returned, otherwise null.
@param - str - string to parse to a timestamp (see strict flag)
@param - format - strptime specifier
@param - utc - whether to interpret times as UTC rather than local time
@param - strict - whether to return null if there are any extra characters after timestamp
@returns - the parsed date or null if the specifier did not match

C.Time.timestampFinder()
(method) Time.timestampFinder(utc?: boolean): AutoTimeParser
