Numerify
The Numerify Function converts event fields that are numbers to type number.
Usage
Filter: Filter expression (JS) that selects data to feed through the Function. Defaults to true, meaning it evaluates all events.
Description: Simple description about this Function. Defaults to empty.
Final: If toggled to Yes, stops feeding data to the downstream Functions. Defaults to No.
Ignore fields: Specify fields to not numerify. Type in field names, separated by hard returns. Supports wildcards (*) and nested addressing. When empty (the default), Numerify applies to all fields. When populated, takes precedence over the Include expression.
Double Negatives
Ignore fields also supports negated terms. When you negate field names, the fields list is order-sensitive. E.g.,
!foobarbeforefoo*means “Ignore all fields that start withfoo, exceptfoobar.” However,!foo*before*means “Ignore all fields, except for those that start withfoo.”
Include expression: Optional JavaScript expression to specify fields to numerify. If empty (the default), the Function will attempt to numerify all fields – except those listed in Ignore fields, which takes precedence. Use the name and value global variables to access fields’ names/values. (Example: value != null.) You can access other fields’ values via __e.<fieldName>.
Format: Optionally, reformat or truncate the extracted numeric value. Select one of:
- None: Applies no reformatting (the default).
- Floor: Rounds the number down to the lower adjacent integer (truncates it).
- Ceil: Rounds the number up to the higher adjacent integer, removing decimal digits.
- Round: Rounds (truncates) the number to a specified number of digits. This option exposes an extra field:
- Digits: Number of digits after the decimal point. Enter a value between
0–20; defaults to2.
- Digits: Number of digits after the decimal point. Enter a value between
Examples
Scenario A:
Assume an event whose text contains a numeric value that must be extracted to perform some numeric analysis. The text looks like this:
version=11.5.0.0.1.1588476445
We can extract the numeric value by chaining together two Functions:
- A Regex Extract Function. Set its Regex field to
/version=(?<ver>\d+)/, to capture the first set of digits found in the event string. - Then use Numerify.
This captures the substring 11 and converts it to a numeric 11 value.
Scenario B:
Assume email transaction log events like the sample below. The final field is the message’s size, in bytes. We want to extract this as a numeric value, for analysis in Cribl Stream or downstream services:
03:19 03:22 SMTPD (00180250) [209.221.59.70] C:\IMail\spool\D28de0018025017cd.SMD 3827
Again, we can accomplish this with two Functions:
A Regex Extract Function. To capture a substring of digits that follows six other substrings (all separated by white space), we set the Regex field to:
\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?<bytes>\d+)Then use Numerify.