Cribl - Docs


Suppress

Description


The Suppress function rate-limits events: it evaluates a key expression for each event, allows a set number of events per distinct key, and then suppresses (drops or tags) further events with that key for a period of time.

Usage


Filter: Filter expression (JS) that selects data to be fed through the function. Defaults to empty, so all events are evaluated.

Description: Optional description of this function. Defaults to empty.

Final: If true, stops data from being fed to the downstream functions. Defaults to No.

Key Expression: Suppression key expression used to uniquely identify events to suppress. For example, `${ip}:${port}` will use the fields ip and port from each event to generate the key. The expression is evaluated per event, so every event whose key evaluates to the same value counts against the same allowance.

Number to Allow: The number of events to allow per key in each time period. Defaults to 1.

Suppression Period (seconds): The number of seconds to suppress events after 'Number to Allow' events with the same key are received. Defaults to 300.

Drop Suppressed Events: Specifies whether suppressed events are dropped (Yes) or passed through with a field suppress=1 added (No). Defaults to Yes.

Advanced Settings


Maximum Cache Size: The maximum number of keys that can be cached before idle entries are removed. Leave at default unless you understand the implications of changing. Defaults to 50000.

Suppression Period Timeout: The number of Suppression Periods a key must be inactive before its cache entry is considered idle and eligible for removal. Leave at default unless you understand the implications of changing. Defaults to 2.

Num Events to Trigger Cache Clean-Up: Check the cache for idle entries every N events when the cache size is greater than 'Maximum Cache Size'. Leave at default unless you understand the implications of changing. Defaults to 10000.

Examples


In the examples below, Filter is the function-level Filter expression:

  1. Suppress by the value of the host field:
    Filter: true
    Key Expression: host
    Number to Allow: 1
    Suppression Period (sec): 300

Result: One event per unique host value will be allowed in every 300 s period. Events without a host field will not be suppressed, because their key evaluates to undefined.

  2. Suppress by the value of the host and port tuple:
    Filter: true
    Key Expression: `${host}:${port}`
    Number to Allow: 1
    Suppression Period (sec): 300

Result: One event per unique host:port tuple value will be allowed in every 300 s period.

READ THIS!

Suppression will ALSO apply to events without a host or a port field. The reason is that the template literal `${field}` yields the literal string undefined when field is not present, so an event with neither field is keyed as `undefined:undefined`, and every such event shares that one key. In a security pipeline this matters: after the first event without those fields, all others are dropped for the whole suppression period, whatever else they contain.

To guarantee that suppression only applies to events that have both host and port, check for their presence using Filter:

Filter: host!=undefined && port!=undefined
Key Expression: `${host}:${port}`
Number to Allow: 1
Suppression Period (sec): 300

  3. Decorate events that qualify for suppression:
    Filter: true
    Key Expression: `${host}:${port}`
    Number to Allow: 1
    Suppression Period (sec): 300
    Drop Suppressed Events: No

Result: No events are dropped; every event that would otherwise have been suppressed is passed through with a field suppress=1 added, which can be used downstream to further transform or route it.
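The following is an added example, not Cribl's own code: a small JavaScript model of the Suppress semantics described on this page, covering the Usage settings, the Advanced Settings clean-up, and the three examples (including the `undefined:undefined` collision and the Filter guard). The Suppress class, its option names, the injected clock (nowMs), the constructed sample events and one modelling choice (the suppression window starts at the first event seen for a key) are all assumptions made for illustration.

```javascript
// Added example, not Cribl's code. Models the Suppress function as described
// on the page; class, option names, nowMs clock and sample events are assumed.

// Compile a Cribl-style JS expression (Filter or Key Expression) with event
// fields in scope. The Proxy claims every name exists, so an absent field
// evaluates to undefined instead of throwing a ReferenceError; that is what
// turns `${port}` into the string "undefined" in a template literal.
function compileExpr(src) {
  const fn = new Function('__event', `with (__event) { return (${src}); }`);
  return (event) => fn(new Proxy(event, { has: () => true }));
}

class Suppress {
  constructor(opts) {
    const o = {
      filter: 'true', numToAllow: 1, periodSec: 300, dropSuppressed: true,
      maxCacheSize: 50000, periodTimeout: 2, cleanupEvery: 10000, ...opts,
    };
    this.filter = compileExpr(o.filter);
    this.keyOf = compileExpr(o.keyExpr);
    this.numToAllow = o.numToAllow;
    this.periodMs = o.periodSec * 1000;
    this.dropSuppressed = o.dropSuppressed;
    this.maxCacheSize = o.maxCacheSize;
    this.idleMs = o.periodTimeout * this.periodMs;
    this.cleanupEvery = o.cleanupEvery;
    this.cache = new Map(); // key -> { windowStart, allowed, lastSeen }
    this.seen = 0;
  }

  // Feed one event with its arrival time in ms. Returns the event to pass
  // downstream (possibly with suppress=1 added) or null when it was dropped.
  process(event, nowMs) {
    if (!this.filter(event)) return event; // not selected by Filter: untouched
    const key = this.keyOf(event);
    if (key === undefined) return event;   // e.g. Key Expression `host` on an event without host
    this.seen += 1;
    let entry = this.cache.get(key);
    if (!entry || nowMs - entry.windowStart >= this.periodMs) {
      // First event for this key, or its period has elapsed (assumption:
      // the period starts at the first event): reset the allowance.
      entry = { windowStart: nowMs, allowed: 0, lastSeen: nowMs };
      this.cache.set(key, entry);
    }
    entry.lastSeen = nowMs;
    this.cleanupIfDue(nowMs);
    if (entry.allowed < this.numToAllow) {
      entry.allowed += 1;
      return event;
    }
    // Allowance used up inside the period: suppress by dropping or tagging.
    return this.dropSuppressed ? null : { ...event, suppress: 1 };
  }

  // Advanced settings: when the cache holds more than maxCacheSize keys, every
  // cleanupEvery events remove entries idle for periodTimeout periods.
  cleanupIfDue(nowMs) {
    if (this.cache.size <= this.maxCacheSize || this.seen % this.cleanupEvery !== 0) return;
    for (const [key, entry] of this.cache) {
      if (nowMs - entry.lastSeen >= this.idleMs) this.cache.delete(key);
    }
  }
}

// Run a stream of [event, arrivalSeconds] pairs and record each outcome.
function runThrough(suppress, timedEvents) {
  return timedEvents.map(([event, tSec]) => {
    const out = suppress.process(event, tSec * 1000);
    if (out === null) return 'drop';
    return out.suppress === 1 ? 'tag' : 'pass';
  });
}

// Constructed sample stream exercising the three examples above.
const SAMPLE = [
  [{ host: 'web1', port: 443 }, 0],    // first web1:443
  [{ host: 'web1', port: 443 }, 10],   // same key inside the 300 s period
  [{ host: 'web1', port: 8080 }, 20],  // different port, same host
  [{ msg: 'no host, no port' }, 30],   // keyed as "undefined:undefined"
  [{ msg: 'also neither' }, 40],       // collides with the previous one
  [{ host: 'web1', port: 443 }, 301],  // period elapsed for web1:443
];

function exampleOutcomes() {
  const tuple = { keyExpr: '`${host}:${port}`', numToAllow: 1, periodSec: 300 };
  return {
    byHost: runThrough(new Suppress({ keyExpr: 'host' }), SAMPLE),
    byTuple: runThrough(new Suppress(tuple), SAMPLE),
    byTupleGuarded: runThrough(new Suppress({ ...tuple, filter: 'host!=undefined && port!=undefined' }), SAMPLE),
    tagOnly: runThrough(new Suppress({ ...tuple, dropSuppressed: false }), SAMPLE),
  };
}

// Cache clean-up with deliberately tiny limits so the eviction is visible.
function cacheEvictionDemo() {
  const s = new Suppress({ keyExpr: 'host', periodSec: 1, maxCacheSize: 2, periodTimeout: 2, cleanupEvery: 1 });
  for (const h of ['k1', 'k2', 'k3']) s.process({ host: h }, 0);
  const before = s.cache.size;            // 3: over the limit, but nothing idle yet
  s.process({ host: 'k4' }, 5000);        // k1..k3 idle for 5 s >= 2 periods of 1 s
  return { before, after: s.cache.size }; // only k4 survives
}

console.log(exampleOutcomes(), cacheEvictionDemo());
```

Running it shows the point of the READ THIS! callout: with the unguarded `${host}:${port}` key the two events lacking both fields land on one key, so the second is dropped, while the guarded configuration passes both untouched; the `host` key leaves them alone because the key itself is undefined.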
