Skip to main content

Filter Expressions

Filter expressions are used in multiple places in Cribl Stream:

  • The Capture modal – to filter the data you're capturing.
  • The Routing table – to filter data to the appropriate Routes.
  • Functions within a Pipeline – to ensure that each Function works only on the data it's intended to.
  • The Monitoring > Logs page – to search Stream's internal logs for patterns of interest.

A Filter Expression is simply an expression that evaluates to either "truthy" (meaning, resulting in any value other than false, 0, 0n, "", null, undefined or NaN), or "falsy" (if its results match any of the aforementioned values).

Comparison Expressions

Filter expressions can be simple, using just the JavaScript comparison operators:

  • == – equal value
  • === – equal value AND equal type
  • != – not equal
  • !== – not equal value or type
  • > – greater than
  • < – less than
  • >= – greater than or equal to
  • <= – less than or equal to

Comparison by Type versus Value

A note about the "type safe" comparators (=== & !==) – these are generally preferred in JavaScript, as they make an explicit type comparison. If you use them, be aware of the difference between them and the corresponding type-agnostic comparators. For example, 5 === "5" will return false because it's checking both type and value, while 5 == "5" will evaluate true since it's just checking value.

Compound Expressions with Logical Operators

You can also create much more complex filter expressions by combining statements, using JavaScript's logical operators:

  • ! – not
  • && – and
  • || – or

Order of Precedence

By default, JavaScript evaluates these operators from left to right, in the order of precedence shown above: "not" before "and" before "or." (You can override this order by using parentheses to group evaluation statements.)

In the next section, you're going to get a chance to try a number of expressions...