These docs are for Cribl Stream 4.6 and are no longer actively maintained.
See the latest version (4.11).
Unroll
The Unroll Function accepts an array field – or an expression to evaluate an array field – and breaks/unrolls the array into individual events.
Usage
Filter: Filter expression (JS) that selects data to feed through the Function. Defaults to true, meaning it evaluates all events.
Description: Simple description of this Function. Defaults to empty.
Final: If toggled to Yes, stops feeding data to the downstream Functions. Defaults to No.
Source field expression: Field in which to find/calculate the array to unroll. E.g.: _raw, _raw.split(/\n/). Defaults to _raw.
Destination field: Field (within the destination event) in which to place the unrolled value. Defaults to _raw.
Example
Assume we want to break/unroll each line of this event:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.5 38000 5356 ? Ss 2018 2:02 /lib/systemd/systemd --system --deserialize 28
root 2 0.0 0.0 0 0 ? S 2018 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 2018 1:51 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 2018 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S 2018 3:55 [rcu_sched]
root 8 0.0 0.0 0 0 ? S 2018 0:00 [rcu_bh]Settings
Source field expression: _raw.split(/\n/)
The
split()JavaScript method breaks_rawinto an ordered set of substrings/values, puts these values into an array, and returns the array.
Destination field: _raw
Event 1:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
Event 2:
root 1 0.0 0.5 38000 5356 ? Ss 2018 2:02 /lib/systemd/systemd --system --deserialize 28
Event 3:
root 2 0.0 0.0 0 0 ? S 2018 0:00 [kthreadd]
Event 4:
root 3 0.0 0.0 0 0 ? S 2018 1:51 [ksoftirqd/0]
Event 5:
root 5 0.0 0.0 0 0 ? S< 2018 0:00 [kworker/0:0H]
Event 6:
root 7 0.0 0.0 0 0 ? S 2018 3:55 [rcu_sched]
Event 7:
root 8 0.0 0.0 0 0 ? S 2018 0:00 [rcu_bh]