These docs are for Cribl Stream 4.12 and are no longer actively maintained.
See the latest version (4.14).
Regex Filtering
To filter events in real time (data in motion), we use the out-of-the-box Regex Filter Function. This is similar to nullqueueing with TRANSFORMS in Splunk, but the matching condition is way more flexible.
Regex Filtering Example
Let’s see how we can filter out any sourcetype=='access_combined' events whose _raw field contains the pattern Opera:
First, make sure you have a Route and Pipeline configured to match desired events.
Next, let’s add a Regex Filter Function to it:

Next, verify that this search does not return any results: sourcetype="access_combined" Opera
You can add more conditions to the Filter input field. For example, to further limit the filtering to only events from hosts with domain dnto.ca, change the filter input to sourcetype=='access_combined' && host.endsWith('dnto.ca').
This is a very flexible method for filtering incoming events in real time, on virtually any arbitrary conditions.