Skip to main content

Functions

You've now gone through basic expressions using comparison operators and logical operators. Often, though, it's not enough to just compare two values. Sometimes you want to be able to include more complex logic. For example, you might want to check if an IP address is an "external" address or a "private" address or check if a field starts with, ends with, or includes a certain string fragment. Luckily, since Stream supports full JavaScript expressions, you have all the power of JavaScript at your disposal.

For example, field values are by default JavaScript string objects, so you can use any of the methods of the String object type. Want to filter for only events which contain the field name, and in which the name field's value starts with the string fragment Web01? Simply use the String method startsWith(), like this: name.startsWith("WebO1")

Do you want to filter events based on an IP address field called src_ip, filtering out any "internal" events? The Cribl Expression library provides the C.Net.isPrivate() method to facilitate that – let's try it.

important
  1. If you've moved away from the Capture Sample Data modal, restore it:
    1. If you're not alreadly there, select Manage from Stream's top nav, then select Processing > Pipelines from the submenu.
    2. Click the Capture Data button in the right pane.
  2. Paste the expression C.Net.isPrivate(src_ip) into into the modal's Filter Expression field, then (as with the previous examples) click the Capture button, then click Start.

The results will show up in the panel in the Capture Sample Data modal's right pane.

The results you'll see should all have src_ip values that match the RFC1918 specification CIDR blocks:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Of course, in filter expressions, you can use any method or function – as long as your filter expression evaluates as a boolean expression. So if the method you want to use returns a non-boolean answer, you'll need to handle it with a comparison operator.

For example, let's say you have a host naming scheme that has positional relevance (e.g., the first two characters are the country code where the host resides, and the third character denotes either "P" for production or other characters for other types of systems). You want to filter out any host that is not a production host.

You could use the String.charAt() method, and have an expression like this: host.charAt(2) === 'P'. This would match if the host field's 3rd character is a "P" (remember, 0 is the first character's index).

In this sandbox, we're only going to scratch the surface of the Functions available in Cribl Stream, so we recommend that you take a close look at the Cribl Expressions section of the Stream documentation.

Let's try some examples out...