Cribl LogStream – Docs

Download entire manual as PDF – v.3.1.1


What Are Functions

When events enter a Pipeline, they're processed by a series of Functions. At its core, a Function is code that executes on an event, and it encapsulates the smallest amount of processing that can happen to that event.

"Processing" here covers a variety of operations: string replacement, obfuscation, encryption, event-to-metrics conversions, etc. For example, a Pipeline can be composed of several Functions – one that replaces the term foo with bar, another one that hashes bar, and a final one that adds a field (say, dc=jfk-42) to any event that matches source=='us-nyc-application.log'.

How Do They Work

Functions are atomic pieces of JavaScript code that are invoked on each event that passes through them. To help improve performance, Functions can be configured with filters to further scope their invocation to matching events only.

You can add as many Functions in a Pipeline as necessary, though the more you have, the longer it will take each event to pass through. Also, you can turn Functions On/Off within a Pipeline as necessary. This enables you to preserve structure as you optimize or debug.

Functions stack in a Pipeline

You can reposition Functions up or down the Pipeline stack to adjust their execution order. Use a Function's left grab handle to drag and drop it into place.

The Final Toggle

Similar to the Final toggle in Routes, the Final toggle here controls the flow of events at the Function level. Its states are:

  • No (default): means that matching events processed by this Function will be passed down to the next Function.

  • Yes: means that this Function is the last one that will be applied to matching events. All Functions further down the Pipeline will be skipped. A Function with Final set to Yes will display an F indicator in the Pipeline stack.
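The sketch below models the three-Function Pipeline from the earlier example together with the filter, On/Off and Final behaviour described above. It is an added example, not Cribl's implementation: the object layout, the `_raw` field, the `default-dc` Function and the sample events are assumptions made for illustration.

```javascript
// Added model of the Pipeline behaviour described above; not Cribl's implementation.
const { createHash } = require('crypto');

const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Hypothetical layout: id, On/Off switch, Final toggle, filter predicate, processing code.
const pipeline = [
  { id: 'replace-foo', enabled: true, final: false,
    filter: () => true,
    process: (e) => ({ ...e, _raw: e._raw.replace(/foo/g, 'bar') }) },
  { id: 'hash-bar', enabled: true, final: false,
    filter: (e) => e._raw.includes('bar'),
    process: (e) => ({ ...e, _raw: e._raw.replace(/bar/g, sha256('bar')) }) },
  { id: 'tag-nyc', enabled: true, final: true,           // Final = Yes
    filter: (e) => e.source == 'us-nyc-application.log',
    process: (e) => ({ ...e, dc: 'jfk-42' }) },
  { id: 'default-dc', enabled: true, final: false,       // hypothetical extra Function
    filter: () => true,
    process: (e) => ({ ...e, dc: 'unknown' }) },
];

// Runs an event down the stack and reports which Functions actually executed.
function runPipeline(functions, event) {
  const applied = [];
  let current = event;
  for (const fn of functions) {
    if (!fn.enabled) continue;          // turned Off: stays in the stack, never invoked
    if (!fn.filter(current)) continue;  // filter scopes invocation to matching events
    current = fn.process(current);
    applied.push(fn.id);
    if (fn.final) break;                // Final only takes effect when the event matched
  }
  return { event: current, applied };
}

// Constructed sample events.
const nyc = { _raw: 'user=foo action=login', source: 'us-nyc-application.log' };
const other = { _raw: 'user=foo action=login', source: 'eu-fra-application.log' };

for (const ev of [nyc, other]) {
  const { event, applied } = runPipeline(pipeline, ev);
  console.log(applied.join(' -> '), JSON.stringify(event));
}
```

In this model, order matters for masking: a Function with Final set to Yes placed above hash-bar would let its matching events leave the Pipeline unhashed.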

Functions and Shared-Nothing Architecture

LogStream is built on a shared-nothing architecture, where each Node and its Worker Processes operate separately, and process events independently of each other. This means that all Functions operate strictly in a Worker Process context – state is not shared across processes.

This is particularly important to understand for certain Functions that might imply state-sharing, such as Aggregations, Sampling, Dynamic Sampling, Suppress, etc.

Out-of-the-Box Functions

Cribl LogStream ships with several Functions out-of-the-box, and you can chain them together to meet your requirements. For more details, see individual Functions, and the Use Cases section, within this documentation.

Custom Functions

For an overview of adding custom Functions to Cribl LogStream, see our blog post, Extending Cribl: Building Custom Functions.

What Functions to Use When

Function Groups

A Function group is a collection of consecutive Functions that can be moved up and down a Pipeline's Functions stack together. Groups help you manage long stacks of Functions by streamlining their display. They are a UI visualization only: While Functions are in a group, those Functions maintain their global position order in the Pipeline.


Function groups work much like Route groups.

To build a group from any Function, click the Function's ••• (Options) menu, then select Group Actions > Create Group.

Creating a group

You'll need to enter a Group Name before you can save or resave the Pipeline. Optionally, enter a Description.

Naming a group

Once you've saved at least one group to a Pipeline, other Functions' ••• (Options) > Group Actions submenus will add options to Move to Group or Ungroup/Ungroup All.

Expanded Group Actions submenu

You can also use a Function's left grab handle to drag and drop it into, or out of, a group. A saved group that's empty displays a dashed target into which you can drag and drop Functions.

Drag-and-drop target
