Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up)
Download entire manual as PDF - v2.3.3

Cribl Expressions

Native Cribl LogStream function methods can be found under C.*, and can be invoked from any Function that allows for expression evaluations. For example, to create a field that is the SHA1 of a another field's value, you can use the Eval Function with this Evaluate Fields pair:

Name

Value Expression

myNewField

C.Mask.sha1(myOtherField)

C.Crypto – Data Encryption and Decryption Functions

C.Crypto.decrypt
(method) Crypto.decrypt(value: string): string
Decrypt all occurrences of ciphers in the given value. Instances that cannot be decrypted (for any reason) are left intact.
@param – value – string in which to look for ciphers
@returns – value with ciphers decrypted

C.Crypto.encrypt
(method) Crypto.encrypt(value: any, keyclass: number, keyId?: string, defaultVal?: string): string
Encrypt the given value with the keyId, or with a keyId picked up automatically based on keyclass.

@param {string | Buffer} value - what to encrypt.
@param – keyclass – if keyId isn't specified, pick one at the given keyclass.
@param – keyId - encryption keyId, takes precedence over keyclass.
@param – defaultVal – what to return if encryption fails for any reason; if unspecified, the original value is returned.
@returns – if encryption succeeds, the encrypted value; otherwise, defaultVal if specified; otherwise, value.

C.Decode – Data Decoding Functions

C.Decode.base64
(method) Decode.base64(val: string, resultEnc?: string): any
Performs base64 decoding of the given string. Returns a string or Buffer, depending on the resultEnc value, which defaults to 'utf8'.
@param – val – value to base64-decode
@param – resultEnc – encoding to use to convert the binary data to a string. Defaults to 'utf8'. Use 'utf8‑valid' to validate that result is valid UTF8; use 'buffer' if you need the binary data in a Buffer.

C.Decode.gzip
(method) Decode.gzip(value: any, encoding?: string): string
Gunzip the supplied value.
@param – value – the value to gunzip.
@param – encoding – encoding of value, for example: 'base64', 'hex', 'utf-8', 'binary'. Default is 'base64'. If data is received as Buffer (from gzip with encoding:'none'), decoding is skipped.

C.Decode.hex
(method) Decode.hex(val: string): number
Performs hex to number conversion. (Returns NaN if value cannot be converted to a number.)
@param – val – hex string to parse to a number (e.g., "0xcafe").

C.Decode.uri
(method) Decode.uri(val: string): string
Performs URI-decoding of the given string.
@param – val – value to URI-decode.

C.Encode – Data Encoding Functions

C.Encode.base64
(method) Encode.base64(val: any, trimTrailEq?: boolean): string
Returns a base64 representation of the given string or Buffer.
@param – val – value to base64-encode.
@param – trimTrailEq – whether to trim any trailing =.

C.Encode.gzip
(method) Encode.gzip(value: string, encoding?: string): any
Gzip, and optionally base64-encode, the supplied value.
@param – value – the value to gzip.
@param – encoding – encoding of value, for example: 'base64', 'hex', 'utf-8', 'binary', 'none'. Default is 'base64'. If 'none' is specified, data will be returned as a Buffer.

C.Encode.hex
(method) Encode.hex(val: string | number): string
Rounds the number to an integer and returns its hex representation (lowercase). If a string is provided, it will be parsed into a number or NaN.
@param – val – value to convert to hex.

C.Encode.uri
(method) Encode.uri(val: string): string
Returns the URI-encoded representation of the given string.
@param – val – value to uri encode.

C.env – Environment

C.env
(property) env: {[key: string]: string;}
An object containing the environment variables.

C.Lookup – Inline Lookup Functions

C.Lookup – Exact Lookup
(property) Lookup: (file: string, primaryKey?: string, otherFields?: string[], ignoreCase?: boolean) => InlineLookup
Returns an instance of a lookup to use inline.

C.LookupCIDR – CIDR Lookup
(property) LookupCIDR: (file: string, primaryKey?: string, otherFields?: string[]) => InlineLookup
Returns an instance of a CIDR lookup to use inline.

C.LookupIgnoreCase – Case-insensitive Lookup
(property) LookupIgnoreCase: (file: string, primaryKey?: string, otherFields?: string[]) => InlineLookup
Returns an instance of a lookup (ignoring case) to use inline. Works identically to C.Lookup, except ignores the case of lookup values. (Equivalent to calling C.Lookup with its fourth ignoreCase? parameter set to true).

C.[LookupRegex](http://google.com) - Regex Lookup
(property) LookupRegex: (file: string, primaryKey?: string, otherFields?: string[]) => InlineLookup
Returns an instance of a Regex lookup to use inline.

(method) InlineLookup.match(value: string, fieldToReturn?: string): any
@param – value – the value to look up.
@param – fieldToReturn – name of the lookup file > field to return.

E.g., C.Lookup('lookup-exact.csv', 'foo').match('abc', 'bar')
Return the value of field bar in the lookup table if field foo matches abc.

Example 1: C.LookupCIDR('lookup-cidr.csv', 'foo').match('192.168.1.1', 'bar')
Return the value of field bar in the lookup table if the CIDR range in foo includes 192.168.1.1.

Example 2: C.LookupCIDR('lookup-cidr.csv', 'cidr').match(hostIP, 'location')

Example 3: C.LookupRegex('lookup-regex.csv', 'foo').match('manchester', 'bar')
Return the value of field bar in the lookup table if the regex in foo matches the string manchester.

C.Mask – Data Masking Functions

C.Mask.CC
(method) Mask.CC(value: string, unmasked?: number, maskChar?: string): string
Check whether a value could be a valid credit card number, and mask a subset of the value. By default, all digits except the last 4 will be replaced with X.
@param – value – a string whose digits to mask IFF it could be a valid credit card number.
@param – unmasked – number of digits to leave unmasked: positive for left, negative for right, 0 for none.
@param – maskChar – a string/char to replace a digit with.

C.Mask.IMEI
(method) Mask.IMEI(value: string, unmasked?: number, maskChar?: string): string
Check whether a value could be a vlaid IMEI number, and mask a subset of the value. By default, all digits except the last 4 will be replaced with X.
@param – value – a string whose digits to mask IFF it could be a valid IMEI number.
@param – unmasked – number of digits to leave unmasked: positive for left, negative for right, 0 for none.
@param – maskChar – a string/char to replace a digit with.

C.Mask.isCC
(method) Mask.isCC(value: string): boolean
Checks whether the given value could be a valid credit card number, by computing the string's Lunh's checksum modulo 10 == 0.
@param – value – a string to check for being a valid credit card number.

C.Mask.isIMEI
(method) Mask.isIMEI(value: string): boolean
Checks whether the given value could be a valid IMEI number, by computing the string's Lunh's checksum modulo 10 == 0.
@param – value – a string to check for being a valid IMEI number

C.Mask.luhn
(method) Mask.luhn(value: string, unmasked?: number, maskChar?: string): string
Check that value Lunh's checksum mod 10 is 0, and mask a subset of the value. By default, all digits except the last 4 will be replaced with X. If the value's Lunh's checksum mod 10 is not 0, then the value is returned unmodified.
@param – value – a string whose digits to mask IFF the value's Lunh's checksum mod 10 is 0.
@param – unmasked – number of digits to leave unmasked: positive for left, negative for right, 0 for none.
@param – maskChar – a string/char to replace a digit with.

C.Mask.LUHN_SUB
(property) Mask.LUHN_SUB: any

C.Mask.luhnChecksum
(method) Mask.luhnChecksum(value: string, mod?: number): number
Generates the Luhn checksum (used to validate certain credit card numbers, IMEIs, etc.). By default, the modΒ 10 of the checksum is returned. Pass mod = 0 to get the actual checksum.
@param – value – a string whose digits you want to perform the Lunh checksum on.
@param – mod – return checksum modulo this number. If 0, skip modulo. Default is 10.

C.Mask.md5
(method) Mask.md5(value: string, len?: string | number): string
Generate MD5 hash of a given value.
@param – value – compute the hash of this.
@param – len – length of hash to return: 0 for full hash, a +number for left or a -number for right substring. If a string is passed it's length will be used.

C.Mask.random
(method) Mask.random(len?: string | number): string
Generates a random alphanumeric string.
@param – len – a number indicating the length of the result; or, if a string, use its length.

C.Mask.REDACTED
(property) Mask.REDACTED: string
The literal 'REDACTED'.

C.Mask.repeat
(method) Mask.repeat(len?: string | number, char?: string): string
Generates a repeating char/string pattern, e.g., XXXX.
@param – len – a number indicating the length of the result; or, if a string, use its length.
@param – char – pattern to repeat len times.

C.Mask.sha1
(method) Mask.sha1(value: string, len?: string | number): string
Generate SHA1 hash of given value.
@param – value - compute the hash of this.
@param – len - length of hash to return: 0 for full hash, a +number for left, or a -number for right.
substring. If a string is passed, its length will be used

C.Misc – Miscellaneous Utility Functions

C.Misc.zip()
(method) Misc.zip(keys: string[], values: any[], dest?: any): any
Set the given keys to the corresponding values on the given dest object. If dest is not provided, a new object will be constructed.
@param – keys – field names corresponding to values.
@param – values – values corresponding to keys.
@param – dest – object on which to set field values.
@returns – object on which the fields were set.

E.g., people = C.Misc.zip(titles, names)
Sample data: titles=['ceo', 'svp', 'vp'], names=['foo', 'bar', 'baz']
Create an object called people, with key names from elements in titles, and with corresponding values from elements in names.
Result: "people": {"ceo": "foo", "svp": "bar", "vp": "baz"}

C.Net – Network Functions

C.Net.cidrMatch()
(method) Net.cidrMatch(cidrIpRange: string, ipAddress: string): boolean
Determines whether the supplied IPv4 ipAddress is inside the range of addresses identified by cidrIpRange. For example: C.Net.cidrMatch ('10.0.0.0/24', '10.0.0.100') returns true.
@param – cidrIpRange – IPv4 address range in CIDR format. E.g., 10.0.0.0/24.
@param – ipAddress – The IPv4 IP address to test for inclusion in cidrIpRange.

C.Net.ipv6Normalize()
(method) Net.ipv6Normalize(address: string): string
Normalize an IPV6 address based on RFC draft-ietf-6man-text-addr-representation-04.
@param – address – the IPV6 address to normalize.

C.Net.isPrivate()
(method) Net.isPrivate(address: string): string
Determine whether the supplied IPv4 address is in the range of private addresses per RFC1819.
@param – address – address to test.

C.os – System Functions

C.confVersion
Returns Cribl LogStream config version.

C.os.hostname()
Returns hostname of the system running this Cribl LogStream instance.

C.Schema – Schema Functions

C.Schema()
(property) Schema: (id: string) => SchemaValidator
(method) SchemaValidator.validate(data: any): boolean
Validates the given object against the schema.
@param – data – object to be validated.
@returns – true when schema is valid; otherwise, false.

Example: C.Schema('schema1').validate(myField) will validate if myField object conforms to schema1.

See Schema Library for more details.

C.Text – Text Functions

C.Text.entropy()
(method) Text.entropy(bytes: any): number
Computes the Shannon entropy of the given buffer or string.
@param – bytes – value to undergo Shannon entropy computation.
@returns – the entropy value; or -1 in case of an error.

C.Text.hashCode()
(method) Text.hashCode(val: string | Buffer | number): number
Computes hashcode (djb2) of the given value.
@param – val - value to be hashed.
@returns – hashcode value.

C.Text.isASCII()
(method) Text.isASCII(bytes: any): boolean
Checks whether all bytes or chars are in the ASCII printable range.
@param – bytes – value to check for character range.
@returns – true if all chars/bytes are within ASCII printable range; otherwise, false.

C.Text.isUTF8()
(method) Text.isUTF8(bytes: any): boolean
Checks whether the given Buffer contains valid UTF8.
@param – bytes – bytes to check.
@returns – true if bytes are UTF8; otherwise, false.

C.Text.relativeEntropy()
(method) Text.relativeEntropy(bytes: any, modelName?: string): number
Computes the relative entropy of the given buffer or string.
@param – bytes – value whose relative entropy to compute.
@param – modelName – Name of the model to test the string with.
@returns – the relative entropy value, or -1 in case of an error.

C.Time – Time Functions

C.Time.adjustTZ()
(method) Time.adjustTZ(epochTime: number, tzTo: string, tzFrom?: string): number
Adjust a timestamp from one timezone to another.
@param – epochTime – UNIX epoch time.
@param – tzTo – timezone to adjust to.
@param – tzFrom – optional timezone of the timestamp.

C.Time.strftime()
(method) Time.strftime(date: number | Date, format: string, utc?: boolean): string
Format a Date object or number as a time string, using strftime specifier.
@param – date – Date object or number (seconds since epoch) to format.
@param – format – specifier to use to format the date.
@param – utc – whether to output the time in UTC, rather than in local timezone.
@returns – representation of the given date.

C.Time.strptime()
(method) Time.strptime(str: string, format: string, utc?: boolean, strict?: boolean): Date
Extract time from a string using strptime specifier.
@param – str – string to parse to a timestamp (see strict flag).
@param - format – strptime specifier.
@param – utc – whether to interpret times as UTC, rather than as local time.
@param – strict – whether to return null if there are any extra characters after timestamp.
@returns – a parsed Date object, if successful; otherwise, null if the specifier did not match.

C.Time.timestampFinder()
(method) Time.timestampFinder(utc?: boolean).find(<source‑field>): AutoTimeParser
Extract time from the specified <source‑field>, using the same algorithm as the AutoΒ Timestamp Function and the Event Breaker Function.
@param – utc – whether to output the time in UTC, rather than in local timezone.
@param – <source‑field> – the field in which to search for the time.
@returns – representation of the extracted time.

C.vars – Global Variables

See Global Variables Library for more details.

C.version – Cribl LogStream Version

(property) version: string
Cribl LogStream Version.

Updated 11 days ago

Cribl Expressions


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.