script

Set fields to computed values, perhaps conditionally

Available functions:

  • round(x) returns the nearest integer to a floating-point number, e.g. round(tmillis/1000). Useful for converting bytes to kB, milliseconds since the epoch to seconds since the epoch, etc.
  • sec_s() returns seconds since the epoch; sec_ms() returns milliseconds since the epoch.
  • cidr(addr, spec) matches an IPv4 address against a CIDR specification such as '10.0.0.0/24'.
  • ip2asn uses the Team Cymru services to match IP addresses to domain names.
  • cond(condition, value1, value2) returns value1 if condition is true and value2 otherwise, e.g. status: cond(istat > 0,"ok","error").
  • hashes:
    • md5(txt)
    • sha1(txt)
    • sha256(txt)
    • sha512(txt)
  • uuid() returns a new unique identifier on each call
Field name   Description                                                 Type                                Default
condition    Applies the let and set operations only when the expression evaluates to true   expression                          -
let          Add calculated values to the event                          array of (field,expression) pairs   -
set          Add constants to the event                                  array of (field,value) pairs        -

condition

Applies the let and set operations only when the expression evaluates to true

Type: expression

Example

input:

{"num":1}

action:

script:
  condition: num == 1
  let:
  - is_one: "true"

output:

{"num":1,"is_one":true}

Example: Non-matching condition

input:

{"num":2}

action:

script:
  condition: num == 1
  let:
  - is_one: "true"

output:

{"num":2}

let

Add calculated values to the event

Type: array of (field,expression) pairs

Example

input:

{"one":1,"two":2}

action:

script:
  let:
  - one_plus_two: one + two

output:

{"one":1,"two":2,"one_plus_two":3}

Example: Array access (note 1-based index)

input:

{"one_two":[1,2]}

action:

script:
  let:
  - one: one_two[1]
  - two: one_two[2]

output:

{"one_two":[1,2],"one":1,"two":2}

Example: Subfield access

input:

{"data":{"one":1,"two":2}}

action:

script:
  let:
  - one: data.one
  - two: data.two

output:

{"data":{"one":1,"two":2},"one":1,"two":2}

set

Add constants to the event

Type: Array of (field,value) pairs

Example

input:

{"one":1,"two":2}

action:

script:
  set:
  - three: 3
  - four: four

output:

{"one":1,"two":2,"three":3,"four":"four"}
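To make the evaluation order and the expression rules above concrete (condition first, then let, then set; 1-based arrays; dotted subfields; the function list), here is a small simulator added for this page. It is not the product's own evaluator: the Python-like expression syntax, the rule that later let entries see earlier ones, and the function bodies are all assumptions.

```python
# Constructed simulator of this page's script action (condition, then let, then set).
# Assumes a Python-like expression syntax with the documented 1-based arrays and
# dotted subfield access; it is not the product's own evaluator.
import hashlib, ipaddress, time, uuid

class Arr(list):                     # 1-based indexing, as in one_two[1]
    def __getitem__(self, i):
        if i < 1:
            raise IndexError("script arrays are 1-based")
        return wrap(list.__getitem__(self, i - 1))

class Obj(dict):                     # dotted subfield access, as in data.one
    def __getattr__(self, name):
        return wrap(self[name])

def wrap(value):                     # wrap nested containers so the rules above apply
    return Obj(value) if isinstance(value, dict) else Arr(value) if isinstance(value, list) else value

# Functions from the list above; the bodies here are our approximations.
FUNCS = {
    "round": round,
    "cond": lambda c, v1, v2: v1 if c else v2,          # both values get evaluated
    "cidr": lambda addr, spec: ipaddress.ip_address(addr)
            in ipaddress.ip_network(spec, strict=False),
    "sec_s": lambda: int(time.time()),
    "sec_ms": lambda: int(time.time() * 1000),
    "uuid": lambda: str(uuid.uuid4()),
    "true": True, "false": False,                       # bare literals, as in is_one: "true"
}
for algo in ("md5", "sha1", "sha256", "sha512"):
    FUNCS[algo] = lambda txt, algo=algo: hashlib.new(algo, str(txt).encode()).hexdigest()

def evaluate(expr, event):
    # Expressions come from operator-written config, never from event data, so eval
    # is acceptable here; builtins are disabled so only FUNCS and event fields resolve.
    names = {**FUNCS, **{k: wrap(v) for k, v in event.items()}}
    return eval(compile(str(expr), "<expr>", "eval"), {"__builtins__": {}}, names)

def apply_script(event, script):
    """Return a copy of event with the action applied; later lets see earlier ones."""
    out = dict(event)
    if "condition" in script and not evaluate(script["condition"], out):
        return out
    for pair in script.get("let", []):       # list of {field: expression}, as in the YAML
        for field, expr in pair.items():
            out[field] = evaluate(expr, out)
    for pair in script.get("set", []):       # list of {field: value}
        for field, value in pair.items():
            out[field] = value
    return out
```

Feeding it the inputs from the examples above reproduces each documented output, and a let such as zone: cond(cidr(src, '10.0.0.0/24'), 'internal', 'external') shows how the functions compose.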