
The Serialize Function

Description

The Serialize Function is designed to transform an event's content into a predefined format.

Steps - Adding a Serialize Function

important
  1. Select the Add Function button at the top right.
  2. In the search bar, type serialize, and select the Serialize Function. It will be added at the bottom of the Pipeline.
  3. Change the new Function's Type to Key=Value Pairs.
  4. Click into Fields to serialize and delete/backspace to clear the fields.
  5. To serialize fields back into a clean _raw field, copy/paste the fields below into Fields to serialize:
    !_*,!cribl_breaker,!cribl_pipe,!index,!source,!sourcetype,*
  6. Select Save.

Your Serialize Function should now look something like this:
(screenshot: Serialize1)

In Fields to serialize, notice that the fields prefixed with an exclamation point (!) are excluded from serialization. The final * will write the remaining fields to the chosen _raw Destination field. You should always exclude before you include, to ensure you get the desired result in the specified Destination field.

Wildcard Lists

Wildcard Lists are used throughout Stream, especially in various Functions, such as Eval, Mask, Publish Metrics, Parser, etc.

Wildcard Lists, as their name implies, accept strings with asterisks (*) to represent one or more terms. They also accept strings that start with an exclamation mark (!) to negate one or more terms.

Wildcard Lists are order-sensitive only when you include negated terms. This allows for implementing any combination of allowlists and blocklists.

For example:

Wildcard List | Value         | Meaning
List 1        | !foobar, foo* | All terms that start with foo, except foobar.
List 2        | !foo*, *      | All terms, except for those that start with foo.
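To make the "exclude before you include" rule from the Fields to serialize step and the order-sensitivity of Wildcard Lists concrete, here is an added example in JavaScript; it is not Cribl's implementation and is not code from this page. It assumes a first-match-wins reading of the list (an asterisk matches any run of characters, a leading exclamation point negates, and the first term that matches a field name decides), then serializes the selected fields as key=value pairs. The sample event and the helper names (compileTerm, matchesList, selectFields, serializeKV) are constructed for the example; the list itself is the one from step 5 above.

```javascript
// Added example: a first-match-wins evaluator for Cribl-style wildcard
// lists, plus a small key=value serializer built on it. Assumptions
// (not taken from the page): '*' matches any run of characters, a term
// prefixed with '!' negates, and the first term that matches a name
// decides. The event below is constructed sample data.

// Turn one wildcard term into a {negate, regex} matcher.
function compileTerm(term) {
  const t = term.trim();
  const negate = t.startsWith('!');
  const pattern = (negate ? t.slice(1) : t)
    .split('*')
    .map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')) // escape regex metacharacters
    .join('.*');
  return { negate, regex: new RegExp(`^${pattern}$`) };
}

// Compile a comma-separated wildcard list into an ordered array of matchers.
function compileList(list) {
  return list.split(',').map(compileTerm);
}

// True if `name` is selected by the list. The first matching term decides:
// a negated term rejects, a plain term accepts. No match means not selected.
function matchesList(name, compiled) {
  for (const { negate, regex } of compiled) {
    if (regex.test(name)) return !negate;
  }
  return false;
}

// Apply the list to an event's field names, preserving the event's key order.
function selectFields(event, list) {
  const compiled = compileList(list);
  return Object.keys(event).filter(k => matchesList(k, compiled));
}

// Serialize the selected fields as space-separated key=value pairs.
// Values containing whitespace, '=' or '"' are double-quoted with embedded
// quotes and backslashes escaped, so the result can be parsed back.
function serializeKV(event, list) {
  return selectFields(event, list)
    .map(k => {
      let v = event[k];
      v = v === null || v === undefined ? '' : String(v);
      if (/[\s="]/.test(v)) v = `"${v.replace(/["\\]/g, '\\$&')}"`;
      return `${k}=${v}`;
    })
    .join(' ');
}

// Constructed sample event: internal fields (underscore-prefixed, cribl_*,
// index, source, sourcetype) alongside the parsed data we want to keep.
const sampleEvent = {
  _raw: 'original text',
  _time: 1700000000,
  cribl_breaker: 'ndjson',
  cribl_pipe: 'demo',
  index: 'main',
  source: '/var/log/app.log',
  sourcetype: 'app',
  user: 'alice',
  action: 'login',
  status: 'ok',
  msg: 'session started',
};

// The Fields to serialize list from step 5 of this page.
const TUTORIAL_LIST = '!_*,!cribl_breaker,!cribl_pipe,!index,!source,!sourcetype,*';

// Order matters once negated terms are present: these two lists contain the
// same terms but select different fields.
console.log(selectFields({ foobar: 1, foobaz: 2, bar: 3 }, '!foobar, foo*')); // [ 'foobaz' ]
console.log(selectFields({ foobar: 1, foobaz: 2, bar: 3 }, 'foo*, !foobar')); // [ 'foobar', 'foobaz' ]
console.log(serializeKV(sampleEvent, TUTORIAL_LIST));
// user=alice action=login status=ok msg="session started"
```

Swapping the two terms of List 1 shows why the page tells you to exclude first: once `foo*` comes before `!foobar`, `foobar` is accepted by the first matching term and the negation never gets a chance to run. The same reasoning is why the tutorial's list puts every `!` term ahead of the trailing `*`.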

Results

The results on the right show that _raw is now rewritten as Key=Value Pairs.

(screenshot: Flatten2)

note

Try changing the Type to JSON Object and clicking Save to see the transformation from Key=Value Pairs to JSON!

Change the Type back to Key=Value Pairs and click Save again before you proceed.

Finally, let's add one more Eval Function to the Pipeline for some final cleanup.