script
Set fields to computed values, perhaps conditionally
Available functions:
round(x)returns the nearest integer to a floating point number, likeround(tmillis/1000). Useful for converting bytes to kB, milliseconds since epoch to seconds since epoch, etc.sec_s()will return seconds since epoch,sec_ms()milliseconds since epoch.cidr(addr, spec)will match an IPv4 network address against a CIDR specification like '10.0.0.0/24'.ip2asnuses the Team Cymru services to match IP addresses to domain names.cond(condition, value1, value2)is a useful function that will returnvalue1if condition is true, otherwise returnsvalue2. E.g. status:cond(istat > 0,"ok","error").- hashes:
md5(txt)sha1(txt)sha256(txt)sha512(txt)
uuid()returns a Unique Identifier each time
See the full discussion
| Field Name | Description | Type | Default |
|---|---|---|---|
| condition | Does operations only when the calculation is true | expression | - |
| overwrite | Overwrite a field if it already exists | bool | false |
| let | Add calculated values to the event | array of (field,expression) pairs | - |
| set | Add constants to the event | array of (field,value) pairs | - |
| load | Load a file containing Lua functions into the current context | path | - |
| run | Run the specified function on each action | string | - |
condition
Does operations only when the calculation is true
Type: expression
Example
input:
{"num":1}
action:
script:
condition: num == 1
let:
- is_one: "true"
output:
{"num":1,"is_one":true}
Example: Non-matching condition
input:
{"num":2}
action:
script:
condition: num == 1
let:
- is_one: "true"
output:
{"num":2}
overwrite
Overwrite a field if it already exists
Type: bool
let
Add calculated values to the event
Type: array of (field,expression) pairs
Example
input:
{"one":1,"two":2}
action:
script:
let:
- one_plus_two: one + two
output:
{"one":1,"two":2,"one_plus_two":3}
Example: Array access (note 1-based index)
input:
{"one_two":[1,2]}
action:
script:
let:
- one: one_two[1]
- two: one_two[2]
output:
{"one_two":[1,2],"one":1,"two":2}
Example: Subfield access
input:
{"data":{"one":1,"two":2}}
action:
script:
let:
- one: data.one
- two: data.two
output:
{"data":{"one":1,"two":2},"one":1,"two":2}
set
Add constants to the event
Type: array of (field,value) pairs
Example
input:
{"one":1,"two":2}
action:
script:
set:
- three: 3
- four: four
output:
{"one":1,"two":2,"three":3,"four":"four"}
load
Load a file containing Lua functions into the current context
Type: path
run
Run the specified function on each action
Type: string