Cribl Expressions
Native Cribl Stream methods can be found under C.*, and can be invoked from any Function that allows for expression evaluations. For example, to create a field that is the SHA1 of a another field’s value, you can use the Eval Function with this Evaluate Fields pair:
| Name | Value Expression |
|---|---|
| myNewField | C.Mask.sha1(myOtherField) |
Where fields’ names contain special characters, you can reference them using the
__e['<field‑name‑here>']convention. For details, see Fields with Non-Alphanumeric Characters.
Cribl expressions offer methods and properties in the following classes:
- C.Crypto - data encryption and decryption
- C.Encode and C.Decode - encoding and decoding data
- C.Lookup - running lookups
- C.Mask - masking sensitive data
- C.Net - network methods
- C.Text - text manipulation
- C.Time - time and date manipulation
- C.Schema - schema validation
- C.Secret - secret management
- C.env - environment properties
- C.os - system methods
- C.vars - global variables
- C.version - Cribl Stream versions
- C.Misc - various other methods