Cribl - Docs

Getting started with Cribl LogStream



What are Functions

When events enter a pipeline, they are processed by the series of functions in it. At its core, a function is code that executes on an event, and it encapsulates the smallest amount of processing that can happen to that event. We use the term "processing" here to cover a variety of operations: string replacement, obfuscation, encryption, event-to-metrics conversion, etc. For example, a pipeline can be composed of several functions: one that replaces the term foo with bar, another that hashes bar, and a last one that adds a field, say dc=jfk-42, to any event that matches source=='*us-nyc-application.log'.

How do they work

Functions are atomic pieces of JS code that are invoked on each event that passes through them. To help improve performance, functions can be configured with additional filters that scope their invocation to matching events only. You can add as many functions to a pipeline as necessary, though the more you have, the longer it will take each event to pass through. In addition, you can turn functions On/Off inline as necessary.

The Final Toggle

Similar to the Final toggle in routes, the Final toggle here controls the flow of events at the function level.
Off (default): matching events processed by this function are passed down to the next function in the pipeline.
On: this function is the last one applied to matching events. All functions after it in the pipeline are skipped for those events, and the event is delivered out.
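
The filter and Final behavior described above, modeled on the foo/bar/dc example pipeline. This is an added illustration, not Cribl's code or API: runPipeline, buildPipeline, the function ids, the raw field, and reading the '*us-nyc-application.log' wildcard as a suffix match are all assumptions, and the sample events are constructed.

```javascript
// Added illustration: a minimal model of a pipeline, not Cribl's implementation.
const { createHash } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Run one event through an ordered list of function definitions.
// Definition shape (hypothetical): { id, enabled, filter, final, run }
function runPipeline(functions, event) {
  let current = { ...event };
  const applied = [];
  for (const fn of functions) {
    if (fn.enabled === false) continue;              // function turned Off inline
    if (fn.filter && !fn.filter(current)) continue;  // filter scopes invocation
    current = fn.run(current);
    applied.push(fn.id);
    if (fn.final) break;  // Final On: later functions are skipped for this event
  }
  return { event: current, applied };
}

// The three-function pipeline from the text; hashIsFinal flips Final on step 2.
function buildPipeline({ hashIsFinal = false } = {}) {
  return [
    { id: 'replace_foo',
      run: (e) => ({ ...e, raw: e.raw.replace(/\bfoo\b/g, 'bar') }) },
    { id: 'hash_bar', final: hashIsFinal,
      filter: (e) => /\bbar\b/.test(e.raw),
      run: (e) => ({ ...e, raw: e.raw.replace(/\bbar\b/g, (m) => sha256(m)) }) },
    { id: 'add_dc',
      // Assumption: the wildcard in the text is treated as a suffix match.
      filter: (e) => e.source.endsWith('us-nyc-application.log'),
      run: (e) => ({ ...e, dc: 'jfk-42' }) },
  ];
}

// Constructed sample events.
const nycWithFoo = { source: '/var/log/us-nyc-application.log', raw: 'user=foo action=login' };
const nycNoFoo = { source: '/var/log/us-nyc-application.log', raw: 'user=alice action=login' };

// Final Off: all three functions run on nycWithFoo.
// Final On for hash_bar: nycWithFoo stops after hashing and never gets dc,
// while nycNoFoo does not match the hash filter and still reaches add_dc.
for (const hashIsFinal of [false, true]) {
  for (const ev of [nycWithFoo, nycNoFoo]) {
    const { applied } = runPipeline(buildPipeline({ hashIsFinal }), ev);
    console.log(`final=${hashIsFinal} raw="${ev.raw}" ->`, applied.join(', '));
  }
}
```

Because Final only affects events that match the function's filter, the order of functions matters: any masking or hashing function placed after a Final function will not run on the events that function matched.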

Out of the Box Functions

Cribl ships with several functions out of the box and you can chain them together to meet your requirements. Expand the list of Functions on the left and the Use Cases section for more details.

Custom Functions

At the time of this writing, custom functions are not yet supported.