These docs are for Cribl Stream 4.8 and are no longer actively maintained.
See the latest version (4.14).
Unroll
The Unroll Function accepts an array field – or an expression to evaluate an array field – and breaks/unrolls the array into individual events.
Usage
Filter: Filter expression (JS) that selects data to feed through the Function. Defaults to true, meaning it evaluates all events.
Description: Simple description of this Function. Defaults to empty.
Final: If toggled to Yes, stops feeding data to the downstream Functions. Defaults to No.
Source field expression: Field in which to find/calculate the array to unroll. E.g.: _raw, _raw.split(/\n/). Defaults to _raw.
Destination field: Field (within the destination event) in which to place the unrolled value. Defaults to _raw.
Example
Assume we want to break/unroll each line of this event:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.5  38000  5356 ?        Ss    2018   2:02 /lib/systemd/systemd --system --deserialize 28
root         2  0.0  0.0      0     0 ?        S     2018   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S     2018   1:51 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<    2018   0:00 [kworker/0:0H]
root         7  0.0  0.0      0     0 ?        S     2018   3:55 [rcu_sched]
root         8  0.0  0.0      0     0 ?        S     2018   0:00 [rcu_bh]
Settings
Source field expression: _raw.split(/\n/)
The split() JavaScript method breaks _raw into an ordered set of substrings/values, puts these values into an array, and returns the array.
Destination field: _raw
Event 1:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
Event 2:
root         1  0.0  0.5  38000  5356 ?        Ss    2018   2:02 /lib/systemd/systemd --system --deserialize 28
Event 3:
root         2  0.0  0.0      0     0 ?        S     2018   0:00 [kthreadd]
Event 4:
root         3  0.0  0.0      0     0 ?        S     2018   1:51 [ksoftirqd/0]
Event 5:
root         5  0.0  0.0      0     0 ?        S<    2018   0:00 [kworker/0:0H]
Event 6:
root         7  0.0  0.0      0     0 ?        S     2018   3:55 [rcu_sched]
Event 7:
root         8  0.0  0.0      0     0 ?        S     2018   0:00 [rcu_bh]
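The behavior shown in this example, modeled in plain JavaScript as an added illustration (it is not Cribl's code and not part of the original docs). The `unroll` helper, the `host` field, and the trailing newline in the sample are assumptions; the model also shows that `split(/\n/)` on input ending in a newline returns a final empty string, which would become a blank event.

```javascript
// Added illustration: a plain-JavaScript model of the Unroll behavior described above.
// Not Cribl's implementation; unroll() and its parameters are hypothetical names.

// Constructed sample event mirroring the ps output on this page (shortened),
// ending in a newline as command output usually does.
const sampleEvent = {
  host: 'web01', // constructed field, shows that other fields are carried over
  _raw: [
    'USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND',
    'root         1  0.0  0.5  38000  5356 ?        Ss    2018   2:02 /lib/systemd/systemd --system --deserialize 28',
    'root         2  0.0  0.0      0     0 ?        S     2018   0:00 [kthreadd]',
  ].join('\n') + '\n',
};

// srcExpr stands in for "Source field expression", dstField for "Destination field".
function unroll(event, srcExpr, dstField = '_raw') {
  const values = srcExpr(event);
  // Assumption: an expression that does not yield an array leaves the event unchanged.
  if (!Array.isArray(values)) return [event];
  // Assumption: each output event is a copy of the input with dstField replaced.
  return values.map((value) => ({ ...event, [dstField]: value }));
}

// The page's expression: _raw.split(/\n/)
const naive = unroll(sampleEvent, (e) => e._raw.split(/\n/));

// Same split, with empty strings dropped so a trailing newline adds no blank event.
const trimmed = unroll(sampleEvent, (e) =>
  e._raw.split(/\n/).filter((line) => line.length > 0)
);

// One line per resulting event, for a quick visual comparison.
function summarize(events) {
  return events.map((e, i) => `Event ${i + 1}: [${e.host}] ${e._raw}`);
}

console.log(summarize(naive).join('\n'));
console.log(summarize(trimmed).join('\n'));
```

Note that the header row (`USER PID ...`) still becomes its own event in both cases, as in Event 1 above.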