Cribl LogStream - Docs

Download manual as PDF - v2.1


Cribl Expressions

Native Cribl LogStream function methods can be found under C.* and can be invoked from any function that allows for expression evaluations. For example, to create a field that is the SHA1 of another field's value, you can use the Eval function:

Name: myNewField
Value Expression: C.Mask.sha1(myOtherField)

C.Crypto - Data encryption and decryption functions


C.Crypto.decrypt
(method) Crypto.decrypt(value: string): string
Decrypt all occurrences of ciphers in the given value. Instances that cannot be decrypted (for any reason) are left intact.
@param - value - string where to look for ciphers
@returns - - value with ciphers decrypted

C.Crypto.encrypt
(method) Crypto.encrypt(value: any, keyclass: number, keyId?: string, defaultVal?: string): string
Encrypt the given value with the keyId or a keyId picked up automatically based on keyclass

@param {string | Buffer} value - what to encrypt
@param - keyclass - if keyId isn't specified, pick one at the given keyclass.
@param - keyId - encryption keyId, takes precedence over keyclass
@param - defaultVal - what to return if encryption fails for any reason; if unspecified, the original value is returned
@returns - - if encryption succeeds, the encrypted value; otherwise defaultVal if specified, otherwise value.

C.Decode - Data decoding functions


C.Decode.base64
(method) Decode.base64(val: string, resultEnc?: string): any
Performs base64 decoding of the given string and returns a string or Buffer depending on resultEnc value, which defaults to 'utf8'
@param - val value to base64 decode
@param - resultEnc encoding to use to convert the binary data to a string. Defaults to 'utf8'; use 'utf8-valid' to validate that the result is valid UTF8, or 'buffer' if you need the binary data in a Buffer.

C.Decode.gzip
(method) Decode.gzip(value: any, encoding?: string): string
Gunzip the supplied value.
@param - value The value to gunzip.
@param - encoding Encoding of value, for example: 'base64', 'hex', 'utf-8', 'binary'; default is 'base64'. If data is received as a Buffer (from gzip with encoding: 'none'), decoding is skipped.

C.Decode.hex
(method) Decode.hex(val: string): number
Performs hex to number conversion. Returns NaN if the value cannot be converted to a number.
@param - val hex string to parse to a number (e.g., 0xcafe)

C.Decode.uri
(method) Decode.uri(val: string): string
Performs uri decoding of the given string
@param - val value to uri decode

C.Encode - Data encoding functions


C.Encode.base64
(method) Encode.base64(val: any, trimTrailEq?: boolean): string
Returns a base64 representation of the given string or Buffer
@param - val value to base64 encode
@param - trimTrailEq whether to trim any trailing =

C.Encode.gzip
(method) Encode.gzip(value: string, encoding?: string): any
Gzip and optionally base64 encode the supplied value.
@param - value The value to gzip.
@param - encoding Encoding of value, for example: 'base64', 'hex', 'utf-8', 'binary', 'none'; default is 'base64'. If 'none' is specified, data will be returned as a Buffer.

C.Encode.hex
(method) Encode.hex(val: string | number): string
Rounds the number to an integer and returns its hex representation (lower case). If a string is provided, it will be parsed into a number or NaN.
@param - val value to convert to hex

C.Encode.uri
(method) Encode.uri(val: string): string
Returns the uri encoded representation of the given string
@param - val value to uri encode

C.env - Environment


C.env
(property) env: {[key: string]: string;}
An object containing the environment variables

C.Lookup - Inline Lookup Functions


C.Lookup - Exact Lookup
(property) Lookup: (file: string, primaryKey?: string, otherFields?: string[]) => InlineLookup
Returns an instance of a lookup to use inline

C.LookupCIDR - CIDR Lookup
(property) Lookup: (file: string, primaryKey?: string, otherFields?: string[]) => InlineLookup
Returns an instance of a CIDR lookup to use inline

C.LookupRegex - Regex Lookup
(property) Lookup: (file: string, primaryKey?: string, otherFields?: string[]) => InlineLookup
Returns an instance of a Regex lookup to use inline

(method) InlineLookup.match(value: string, fieldToReturn?: string): any
@param - value the value to lookup
@param - fieldToReturn name of the lookup file field to return

E.g., C.Lookup('lookup-exact.csv', 'foo').match('abc', 'bar')
Return the value of field bar if field foo matches abc.

Example 1: C.LookupCIDR('lookup-cidr.csv', 'foo').match('192.168.1.1', 'bar')
Return the value of field bar if the CIDR range in foo includes 192.168.1.1.

Example 2: C.LookupCIDR('lookup-cidr.csv', 'cidr').match(hostIP, 'location')

Example 3: C.LookupRegex('lookup-regex.csv', 'foo').match('manchester', 'bar')
Return the value of field bar if the Regex in foo matches the string manchester.

C.Mask - Data Masking Functions


C.Mask.CC
(method) Mask.CC(value: string, unmasked?: number, maskChar?: string): string
Check that value could be a valid credit card number and mask a subset of the value. By default all digits except the last 4 will be replaced with X.
@param - value - a string whose digits to mask iff it could be a valid credit card number
@param - unmasked - number of unmasked digits, positive for left, negative for right, 0 for none
@param - maskChar - a string/char to replace a digit with

C.Mask.IMEI
(method) Mask.IMEI(value: string, unmasked?: number, maskChar?: string): string
Check that value could be a valid IMEI number and mask a subset of the value. By default all digits except the last 4 will be replaced with X.
@param - value - a string whose digits to mask iff it could be a valid IMEI number
@param - unmasked - number of unmasked digits, positive for left, negative for right, 0 for none
@param - maskChar - a string/char to replace a digit with

C.Mask.isCC
(method) Mask.isCC(value: string): boolean
Checks that the given value could be a valid credit card number, by checking that the string's Luhn checksum modulo 10 == 0
@param - value - a string to check for being a valid credit card number

C.Mask.isIMEI
(method) Mask.isIMEI(value: string): boolean
Checks that the given value could be a valid IMEI number, by checking that the string's Luhn checksum modulo 10 == 0
@param - value - a string to check for being a valid IMEI number

C.Mask.luhn
(method) Mask.luhn(value: string, unmasked?: number, maskChar?: string): string
Check that the value's Luhn checksum mod 10 is 0 and mask a subset of the value. By default all digits except the last 4 will be replaced with X. If the value's Luhn checksum mod 10 is not 0, then the value is returned unmodified.
@param - value - a string whose digits to mask iff the value's Luhn checksum mod 10 is 0
@param - unmasked - number of unmasked digits, positive for left, negative for right, 0 for none
@param - maskChar - a string/char to replace a digit with

C.Mask.LUHN_SUB
(property) Mask.LUHN_SUB: any

C.Mask.luhnChecksum
(method) Mask.luhnChecksum(value: string, mod?: number): number
Generates the Luhn checksum (used to validate certain credit card numbers, IMEI, etc.). By default the mod 10 of the checksum is returned; pass mod = 0 to get the actual checksum.
@param - value a string whose digits you want to perform the Luhn checksum on
@param - mod return checksum modulo this number, if 0 skip modulo, default is 10
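
The Luhn-gated masking described for C.Mask.luhn and C.Mask.luhnChecksum can be reproduced outside LogStream to test masking rules against sample data. The following is an added example, not Cribl's implementation: the function names luhnChecksum, maskLuhn and maskLine, the candidate regex, and the preservation of separators are assumptions, and the log line is constructed.

```javascript
// Added illustration, not Cribl's implementation; all names are hypothetical.

// Luhn sum over the digits in `value` (non-digits are ignored).
// mod = 10 returns sum % 10; mod = 0 returns the raw sum.
function luhnChecksum(value, mod = 10) {
  const digits = String(value).replace(/\D/g, '');
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]); // walk right to left
    if (i % 2 === 1) {
      d *= 2;                // double every second digit from the right
      if (d > 9) d -= 9;     // same as adding the two digits of the product
    }
    sum += d;
  }
  return mod === 0 ? sum : sum % mod;
}

// Mask digits only when the value passes Luhn; otherwise return it unchanged.
// unmasked > 0 keeps leading digits, < 0 keeps trailing digits, 0 keeps none.
// Assumption: separators such as spaces and dashes are preserved.
function maskLuhn(value, unmasked = -4, maskChar = 'X') {
  const total = (value.match(/\d/g) || []).length;
  if (total === 0 || luhnChecksum(value) !== 0) return value;
  let seen = 0;
  return value.replace(/\d/g, (d) => {
    const n = seen++;
    const keep = (unmasked > 0 && n < unmasked) ||
                 (unmasked < 0 && n >= total + unmasked);
    return keep ? d : maskChar;
  });
}

// Apply the mask to every 13-19 digit candidate in a log line.
function maskLine(line) {
  return line.replace(/\b\d(?:[ -]?\d){12,18}\b/g, (m) => maskLuhn(m));
}

// Constructed sample: a well-known test PAN and a 16-digit reference that fails Luhn.
const sample = 'user=42 card=4111-1111-1111-1111 ref=1234567890123456';
console.log(maskLine(sample));
```

The Luhn gate is what keeps the 16-digit reference number intact while the card number is masked; without it, any long digit run in the event would be overwritten.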

C.Mask.md5
(method) Mask.md5(value: string, len?: string | number): string
Generate MD5 hash of given value
@param - value compute hash of this
@param - len length of hash to return: 0 for full hash, a +number for left or a -number for right substring. If a string is passed, its length will be used

C.Mask.random
(method) Mask.random(len?: string | number): string
Generates a random alphanumeric string
@param - len a number indicating the length of the result, or if a string, use its length

C.Mask.REDACTED
(property) Mask.REDACTED: string
The literal 'REDACTED'

C.Mask.repeat
(method) Mask.repeat(len?: string | number, char?: string): string
Generates a repeating char/string pattern, e.g XXXX
@param - len a number indicating the length of the result, or if a string, use its length
@param - char pattern which to repeat len times

C.Mask.sha1
(method) Mask.sha1(value: string, len?: string | number): string
Generate SHA1 hash of given value
@param - value - compute hash of this
@param - len - length of hash to return: 0 for full hash, a +number for left or a -number for right substring. If a string is passed, its length will be used

C.Net - Network Functions


C.Net.cidrMatch()
(method) Net.cidrMatch(cidrIpRange: string, ipAddress: string): boolean
Determines if the supplied IPv4 ipAddress is inside the range of addresses identified by cidrIpRange. For example: C.Net.cidrMatch('10.0.0.0/24', '10.0.0.100') returns true
@param - cidrIpRange - IPv4 address range in cidr format. E.g., 10.0.0.0/24
@param - ipAddress - The IPv4 IP address to test for inclusion in cidrIpRange

C.Net.ipv6Normalize()
(method) Net.ipv6Normalize(address: string): string
Normalize an IPv6 address based on RFC draft-ietf-6man-text-addr-representation-04
@param - address - the IPv6 address to normalize

C.Net.isPrivate()
(method) Net.isPrivate(address: string): string
Determine if the supplied IPv4 address is in the range of private addresses per RFC 1918.
@param - address - address to test

C.os - System Functions


C.confVersion
Returns Cribl LogStream config version.

C.os.hostname()
Returns hostname of system running this Cribl LogStream instance.

C.Schema - Schema Functions


C.Schema()
(property) Schema: (id: string) => SchemaValidator
(method) SchemaValidator.validate(data: any): boolean
Validates the given object against the schema
@param - data object to be validated
@returns - true when schema is valid, otherwise false

E.g., C.Schema('schema1').validate(myField) will validate whether the myField object conforms to schema1.

See Schema Library for more details.

C.Text - Text Functions


C.Text.entropy()
(method) Text.entropy(bytes: any): number
Computes the Shannon entropy of the given buffer or string.
@param - bytes - value to compute Shannon entropy of.
@returns - the entropy value or -1 in case of an error.

C.Text.hashCode()
(method) Text.hashCode(val: string | Buffer | number): number
Computes hashcode (djb2) of the given value.
@param - val - value to compute the hash of
@returns - hashcode value

C.Text.isASCII()
(method) Text.isASCII(bytes: any): boolean
Checks whether all bytes or chars are in the ASCII printable range.
@param - bytes - value to check for character range.
@returns - true if all chars/bytes are within ASCII printable range, false otherwise.

C.Text.isUTF8()
(method) Text.isUTF8(bytes: any): boolean
Checks whether the given Buffer contains valid UTF8
@param - bytes - bytes to check.
@returns - true if bytes are UTF8, false otherwise.

C.Text.relativeEntropy()
(method) Text.relativeEntropy(bytes: any, modelName?: string): number
Computes the relative entropy of the given buffer or string
@param - bytes - value to compute relative entropy of
@param - string modelName - The name of the model to test string with.
@returns - the relative entropy value or -1 in case of an error
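
A common use of C.Decode.base64 together with C.Text.entropy, C.Text.isASCII and C.Text.isUTF8 is to triage an encoded field before deciding how to route or flag the event. The following is an added example in plain Node.js, not Cribl's implementation: the function names are hypothetical, entropy is assumed to be measured in bits per byte, and the inputs are constructed.

```javascript
// Added illustration, not Cribl's implementation; all names are hypothetical.

// Shannon entropy in bits per byte (0..8). Returns -1 for unusable input,
// mirroring the error value the reference documents.
function shannonEntropy(input) {
  if (typeof input !== 'string' && !Buffer.isBuffer(input)) return -1;
  const bytes = Buffer.isBuffer(input) ? input : Buffer.from(input, 'utf8');
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c > 0) {
      const p = c / bytes.length;
      h -= p * Math.log2(p);
    }
  }
  return h;
}

// Strict UTF-8 validation: a fatal TextDecoder throws on malformed sequences.
function isValidUtf8(bytes) {
  try {
    new TextDecoder('utf-8', { fatal: true }).decode(bytes);
    return true;
  } catch (e) {
    return false;
  }
}

// True when every byte is in the printable ASCII range 0x20-0x7e.
const isPrintableAscii = (bytes) => bytes.every((b) => b >= 0x20 && b <= 0x7e);

// Decode a base64 field and summarise what came out of it.
function triageBase64(field) {
  const bytes = Buffer.from(field, 'base64');
  return {
    utf8: isValidUtf8(bytes),
    ascii: isPrintableAscii(bytes),
    entropy: Number(shannonEntropy(bytes).toFixed(2)),
  };
}

// Constructed samples: readable text versus raw binary.
const textField = Buffer.from('hello').toString('base64');
const binaryField = Buffer.from([0xff, 0xfe, 0x00, 0x80]).toString('base64');
console.log(triageBase64(textField), triageBase64(binaryField));
```

Entropy on very short values is not a reliable signal on its own; combine it with the UTF-8 and ASCII checks and a minimum length before acting on it.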

C.Time - Time Functions


C.Time.strftime()
(method) Time.strftime(date: number | Date, format: string, utc?: boolean): string
Format a Date (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date) or number as a time string using a strftime specifier (https://github.com/d3/d3-time-format#api-reference).
@param - date - Date object or number (seconds since epoch) to format
@param - format - specifier to use to format the date
@param - utc - whether to output the time in UTC rather than local timezone
@returns - representation of the given date

C.Time.strptime()
(method) Time.strptime(str: string, format: string, utc?: boolean, strict?: boolean): Date
Extract time from a string using a strptime specifier (https://github.com/d3/d3-time-format#locale_format). If successful, a Date (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date) object is returned, otherwise null.
@param - str - string to parse to a timestamp (see strict flag)
@param - format - strptime specifier
@param - utc - whether to interpret times as UTC rather than local time
@param - strict - whether to return null if there are any extra characters after timestamp
@returns - the parsed date or null if the specifier did not match

C.Time.timestampFinder()
(method) Time.timestampFinder(utc?: boolean): AutoTimeParser

C.vars - Global Variables

See Global Variables Library for more details.

C.version - Cribl LogStream Version

(property) version: string
Cribl LogStream Version
