ON THIS PAGE

Home / Stream/ Functions/Numerify

Numerify

The Numerify Function converts event fields that are numbers to type number.

Usage

Filter: Filter expression (JavaScript) that selects data to feed through the Function. Defaults to true, meaning it evaluates all events.

Description: Simple description about this Function. Defaults to empty.

Final: Toggle on to stop feeding data to the downstream Functions. Default is toggled off.

Depth: Controls how deep the function searches nested events. Higher values may slow performance. Defaults to 5. Maximum is 10.

Ignore fields: Specify fields to not numerify. Type in field names, separated by hard returns. Supports wildcards (*) and nested addressing. When empty (the default), Numerify applies to all fields. When populated, takes precedence over the Include expression. Also supports negated terms. For example, !foo* before * means “Ignore all fields, except for those that start with foo.” See Wildcard Lists.

Include expression: Optional JavaScript expression to specify fields to numerify. If empty (the default), the Function will attempt to numerify all fields – except those listed in Ignore fields, which takes precedence. Use the name and value global variables to access fields’ names/values. (Example: value !‍‍‍‌= null.) You can access other fields’ values via __e.<fieldName>.

Format: Optionally, reformat or truncate the extracted numeric value. Select one of:

  • None: Applies no reformatting (the default).
  • Floor: Rounds the number down to the lower adjacent integer (truncates it).
  • Ceil: Rounds the number up to the higher adjacent integer, removing decimal digits.
  • Round: Rounds (truncates) the number to a specified number of digits. This option exposes an extra field:
    • Digits: Number of digits after the decimal point. Enter a value between 020; defaults to 2.

Examples

Scenario A:

Assume an event whose text contains a numeric value that must be extracted to perform some numeric analysis. The text looks like this:

version=11.5.0.0.1.1588476445

We can extract the numeric value by chaining together two Functions:

  1. A Regex Extract Function. Set its Regex field to /version=(?<ver>\d+)/, to capture the first set of digits found in the event string.
  2. Then use Numerify.

This captures the substring 11 and converts it to a numeric 11 value.

Scenario B:

Assume email transaction log events like the sample below. The final field is the message’s size, in bytes. We want to extract this as a numeric value, for analysis in Cribl Stream or downstream services:

03:19 03:22 SMTPD (00180250) [209.221.59.70] C:\IMail\spool\D28de0018025017cd.SMD 3827

Again, we can accomplish this with two Functions:

  1. A Regex Extract Function. To capture a substring of digits that follows six other substrings (all separated by white space), we set the Regex field to: \S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?<bytes>\d+)

  2. Then use Numerify.