Course Overview

This course is about using JavaScript expressions (mostly) in Cribl Stream, and assumes that you've already gone through the Cribl Stream Overview course. This sandbox has a Cribl Stream instance (which you see at the right) that's already set up with two types of generated data – events from a Linux /var/log/syslog file, and traffic from a Palo Alto Networks Firewall. Each is set up both as a datagen (which we'll use with Stream's Capture capability) and as a sample file (which we'll use with Pipeline Functions).

In this course, we're going to work in the Capture and Pipeline pages exclusively, to help you learn how powerful expressions in Cribl Stream are, and how you can apply them in your environment.

There are fundamentally two types of expressions in Stream:

  1. Filter Expressions – These are used to decide what events to act upon in a Route or Function.
  2. Value Expressions – These are used to create or modify data. They're generally used in Functions within a Pipeline – most notably, the Eval Function.

By the end of the course, you should have a solid understanding of how to create both filter and value expressions, and also understand where each is used. Additionally, we'll cover a little bit about Grok and Regex field extraction expressions.

Let's get started!