Cribl LogStream


The Mask function masks, or replaces, patterns in events.


Filter: Filter expression (JS) that selects data to be fed through the Function. Defaults to true, meaning that all events will be evaluated.

Description: Simple description about this Function. Defaults to empty.

Final: If true, stops data from being fed to the downstream Functions. Defaults to No.

Masking rules: Match Regex and Replace Expression pairs. Defaults to empty.

  • Match regex: Pattern to replace. Use /g to replace all matches, e.g.: /(bar)/g
  • Replace expression: A JS expression or literal to replace the matching content.

Apply to fields: Fields on which to apply the masking rules. Defaults to _raw. Wildcards (*) and nested addressing are supported.


Negated terms are also supported. When you negate field names, the fields list is order-sensitive. E.g., !foobar before foo* means "Apply to all fields that start with foo, except foobar." However, !foo* before * means "Apply to all fields, except for those that start with foo."


Example 1: Transform a String

Here, we'll simply search for the string dfhgdfgj, and replace that value (if found) with Trans AM. This will help close America's muscle-car gap:

Event before masking

Configure the Mask Function > Masking Rules as follows:

Match Regex: dfhgdfgj
Replace Expression: Trans AM

Mask Function configuration

Result: Vroom vroom!

Event after masking

Example 2: Mask Sensitive Data

Assume that you're ingesting data whose _raw fields contain unredacted Social Security numbers in the Key=Value pattern social=#########.

Event with unredacted SSNs

You can use a Mask Function to run an md5 hash of the social keys' numeric values, replacing the original values with the hashed values. Configure the Masking Rules as follows:

Match Regex: (social=)(\d+)
Replace Expression: `${g1}${C.Mask.md5(g2)}`

Mask Function configuration

Result: The sensitive values are replaced by their md5 hashes.

Event with hashed SSNs
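The order-sensitive field list from "Apply to fields" and the rule from Example 2, emulated locally in Node.js as an added example (not Cribl's code). `globToRegExp`, `fieldSelected`, `maskEvent`, the local `md5` stand-in for `C.Mask.md5`, the first-matching-term-wins reading of the fields list, and the sample event are assumptions made for illustration; nested addressing is not modelled.

```javascript
// Added illustration: local emulation of a Mask rule, not Cribl's implementation.
const crypto = require('crypto');

// Hypothetical local stand-in for C.Mask.md5.
const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');

// Convert a field pattern such as "foo*" into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Assumed semantics: the first term in the ordered list that matches the
// field name decides; a leading "!" excludes the field.
function fieldSelected(name, terms) {
  for (const term of terms) {
    const negated = term.startsWith('!');
    if (globToRegExp(negated ? term.slice(1) : term).test(name)) return !negated;
  }
  return false; // no term matched: field is left untouched
}

// Apply each { regex, replace } rule to every selected top-level string field.
function maskEvent(event, rules, terms = ['_raw']) {
  const out = { ...event };
  for (const [name, value] of Object.entries(event)) {
    if (typeof value !== 'string' || !fieldSelected(name, terms)) continue;
    out[name] = rules.reduce(
      (text, { regex, replace }) => text.replace(regex, (m, ...groups) => replace(...groups)),
      value);
  }
  return out;
}

// Rule from Example 2, with /g so every match in a field is replaced.
// Group 1 (the key) is kept; group 2 (the digits) is hashed.
const ssnRule = { regex: /(social=)(\d+)/g, replace: (g1, g2) => g1 + md5(g2) };

// Constructed sample event (values are made up).
const sample = {
  _raw: 'user=alice social=123456789 peer=bob social=987654321',
  foo_note: 'social=123456789',
  foobar: 'social=123456789',
};

// "!foobar" before "foo*": mask foo* fields except foobar, plus _raw.
console.log(maskEvent(sample, [ssnRule], ['!foobar', 'foo*', '_raw']));
```

Identical inputs produce identical hashes, so masked events can still be correlated on the `social` field. Nine-digit values span only 10^9 possibilities, so an unsalted MD5 of an SSN is pseudonymization rather than anonymization, and the hashed field should still be handled as sensitive.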


In scenarios where you need to send unmodified values to certain Destinations (such as archival stores), you can narrow the Mask Function's scope by setting the associated Route's Output field.

For further masking examples, see Masking and Obfuscation.

