Version: 3.3.1

script

Set fields to computed values, perhaps conditionally

Available functions:

  • round(x) returns the nearest integer to a floating point number, like round(tmillis/1000). Useful for converting bytes to kB, milliseconds since epoch to seconds since epoch, etc.
  • sec_s() will return seconds since epoch, sec_ms() milliseconds since epoch.
  • cidr(addr, spec) will match an IPv4 network address against a CIDR specification like '10.0.0.0/24'.
  • ip2asn uses the Team Cymru services to match IP addresses to domain names.
  • cond(condition, value1, value2) is a useful function that will return value1 if condition is true, otherwise returns value2. E.g. status: cond(istat > 0,"ok","error").
  • hashes:
    • md5(txt)
    • sha1(txt)
    • sha256(txt)
    • sha512(txt)
  • uuid() returns a new unique identifier on each call

See the full discussion

Field Name   Description                                                         Type                                Default
condition    Perform the operations only when the condition evaluates to true    expression                          -
overwrite    Overwrite a field if it already exists                              bool                                false
let          Add calculated values to the event                                  array of (field,expression) pairs   -
set          Add constants to the event                                          array of (field,value) pairs        -
load         Load a file containing Lua functions into the current context       path                                -
run          Run the specified function on each action                           string                              -

condition

Perform the operations only when the condition expression evaluates to true

Type: expression

Example

input:

{"num":1}

action:

script:
  condition: num == 1
  let:
    - is_one: "true"

output:

{"num":1,"is_one":true}

Example: Non-matching condition

input:

{"num":2}

action:

script:
  condition: num == 1
  let:
    - is_one: "true"

output:

{"num":2}

overwrite

Overwrite a field if it already exists

Type: bool
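The page gives no example of how overwrite interacts with let and set, and none of cond() or cidr() in use. The following is an added reference model of the action's condition/set/let/overwrite behaviour; it is not the tool's own code. It assumes Python expression syntax in place of the Lua expressions the real action evaluates, that set pairs are applied before let pairs, that each let expression can see fields added by earlier pairs, and that overwrite governs both set and let. The event, field names and CIDR are constructed sample data.

```python
"""Reference model (added illustration, not the tool's implementation) of the
script action: condition, set, let and overwrite, with cond(), cidr() and the
hash helpers available inside expressions."""
import hashlib
import ipaddress
import time
import uuid as _uuid


def cond(condition, value1, value2):
    """Return value1 if condition is true, otherwise value2."""
    return value1 if condition else value2


def cidr(addr, spec):
    """Match an IPv4 address against a CIDR specification such as '10.0.0.0/24'."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def md5(txt):
    return hashlib.md5(txt.encode()).hexdigest()


def sha1(txt):
    return hashlib.sha1(txt.encode()).hexdigest()


def sha256(txt):
    return hashlib.sha256(txt.encode()).hexdigest()


def sha512(txt):
    return hashlib.sha512(txt.encode()).hexdigest()


# Functions exposed to expressions; round() is the built-in, as in the docs.
FUNCS = {
    "cond": cond, "cidr": cidr, "round": round,
    "md5": md5, "sha1": sha1, "sha256": sha256, "sha512": sha512,
    "sec_s": lambda: int(time.time()),
    "sec_ms": lambda: int(time.time() * 1000),
    "uuid": lambda: str(_uuid.uuid4()),
}


def evaluate(expr, event):
    """Evaluate a configuration expression (Python syntax here; Lua in the real
    action) with event fields as variables. Expressions come from the pipeline
    configuration, never from event data, so builtins are disabled and nothing
    untrusted reaches eval()."""
    return eval(expr, {"__builtins__": {}, **FUNCS}, dict(event))


def apply_script(event, condition=None, set_pairs=None, let_pairs=None, overwrite=False):
    """Apply one script action to an event and return the resulting event."""
    event = dict(event)
    if condition is not None and not evaluate(condition, event):
        return event  # condition false: the event passes through unchanged
    for field, value in (set_pairs or []):
        if overwrite or field not in event:
            event[field] = value
    for field, expr in (let_pairs or []):
        if overwrite or field not in event:
            event[field] = evaluate(expr, event)
    return event


def demo():
    """Run one let-list over a constructed event three ways: overwrite off
    (existing 'status' is kept), overwrite on ('status' is recomputed), and a
    non-matching condition (nothing is added)."""
    event = {"istat": 0, "src": "10.0.0.7", "user": "alice", "status": "preset"}
    lets = [
        ("status", 'cond(istat > 0, "ok", "error")'),
        ("internal", "cidr(src, '10.0.0.0/24')"),
        ("user_hash", "sha256(user)"),
    ]
    kept = apply_script(event, condition="istat == 0", let_pairs=lets)
    replaced = apply_script(event, condition="istat == 0", let_pairs=lets, overwrite=True)
    skipped = apply_script(event, condition="istat > 0", let_pairs=lets)
    return kept, replaced, skipped


if __name__ == "__main__":
    for label, out in zip(("kept", "replaced", "skipped"), demo()):
        print(label, out)
```

With overwrite left at its default of false, a pre-existing status field survives even though the let list names it; only overwrite: true lets the computed value replace it. A false condition leaves the event untouched, including fields that set would otherwise have added.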

let

Add calculated values to the event

Type: array of (field,expression) pairs

Example

input:

{"one":1,"two":2}

action:

script:
  let:
    - one_plus_two: one + two

output:

{"one":1,"two":2,"one_plus_two":3}

Example: Array access (note 1-based index)

input:

{"one_two":[1,2]}

action:

script:
  let:
    - one: one_two[1]
    - two: one_two[2]

output:

{"one_two":[1,2],"one":1,"two":2}

Example: Subfield access

input:

{"data":{"one":1,"two":2}}

action:

script:
  let:
    - one: data.one
    - two: data.two

output:

{"data":{"one":1,"two":2},"one":1,"two":2}

set

Add constants to the event

Type: array of (field,value) pairs

Example

input:

{"one":1,"two":2}

action:

script:
  set:
    - three: 3
    - four: four

output:

{"one":1,"two":2,"three":3,"four":"four"}

load

Load a file containing Lua functions into the current context

Type: path

run

Run the specified function on each action

Type: string