VRL function reference
Here you’ll find a comprehensive list of all built-in VRL functions. Functions are categorized by their purpose and sorted alphabetically for easy discovery. To use these functions in Vector, see the documentation on function call expressions and Vector’s remap transform.
Array functions
append
infallible pureAppends each item in the
items array to the end of the value array.chunks
fallible pureChunks
value into slices of length chunk_size bytes.Function spec
chunks(value:
<array | string>
, chunk_size:
<integer>
)
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array string | The array of bytes to split. | yes | |
| chunk_size | integer | The desired length of each chunk in bytes. This may be constrained by the host platform architecture. | yes |
Errors
Thechunks function is fallible, which means that
error handling is required for these errors:chunk_size must be at least 1 byte.chunk_size is too large.push
infallible pureAdds the
item to the end of the value array.Codec functions
decode_base16
fallible pureDecodes the
value (a Base16 string) into its original string.Function spec
decode_base16(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The Base16 data to decode. | yes |
Errors
Thedecode_base16 function is fallible, which means that
error handling is required for these errors:value isn’t a valid encoded Base16 string.decode_base64
fallible pureDecodes the
value (a Base64 string) into its original string.Function spec
decode_base64(value:
<string>
,
[charset:
<string>
])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The Base64 data to decode. | yes | |
| charset | string | The character set to use when decoding the data. | standard | no |
Errors
Thedecode_base64 function is fallible, which means that
error handling is required for these errors:value isn’t a valid encoded Base64 string.decode_gzip
fallible pureDecodes the
value (a Gzip string) into its original string.Function spec
decode_gzip(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The Gzip data to decode. | yes |
Errors
Thedecode_gzip function is fallible, which means that
error handling is required for these errors:value isn’t a valid encoded Gzip string.decode_mime_q
fallible pureReplaces q-encoded or base64-encoded encoded-word substrings in the
value with their original string.Function spec
decode_mime_q(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string with encoded-words to decode. | yes |
Errors
Thedecode_mime_q function is fallible, which means that
error handling is required for these errors:value has invalid encoded encoded-word string.decode_percent
infallible pureDecodes a percent-encoded
value like a URL.decode_punycode
fallible pureFunction spec
decode_punycode(value:
<string>
,
[validate:
<boolean>
])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to decode. | yes | |
| validate | boolean | If enabled, checks if the input string is a valid domain name. | true | no |
Errors
Thedecode_punycode function is fallible, which means that
error handling is required for these errors:value is not valid punycodedecode_snappy
fallible pureDecodes the
value (a Snappy string) into its original string.Function spec
decode_snappy(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The Snappy data to decode. | yes |
Errors
Thedecode_snappy function is fallible, which means that
error handling is required for these errors:value isn’t a valid encoded Snappy string.decode_zlib
fallible pureDecodes the
value (a Zlib string) into its original string.Function spec
decode_zlib(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The Zlib data to decode. | yes |
Errors
Thedecode_zlib function is fallible, which means that
error handling is required for these errors:value isn’t a valid encoded Zlib string.decode_zstd
fallible pureDecodes the
value (a Zstandard string) into its original string.Function spec
decode_zstd(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The Zstandard data to decode. | yes |
Errors
Thedecode_zstd function is fallible, which means that
error handling is required for these errors:value isn’t a valid encoded Zstd string.encode_base16
infallible pureEncodes the
value to Base16.encode_base64
infallible pureEncodes the
value to Base64.Function spec
encode_base64(value:
<string>
,
[padding:
<boolean>
, charset:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to encode. | yes | |
| padding | boolean | Whether the Base64 output is padded. | true | no |
| charset | string | The character set to use when encoding the data. | standard | no |
encode_gzip
infallible pureEncodes the
value to Gzip.encode_json
infallible pureEncodes the
value to JSON.encode_key_value
fallible pureEncodes the
value into key-value format with customizable delimiters. Default delimiters match
the logfmt format.Function spec
encode_key_value(value:
<object>
,
[fields_ordering:
<array>
, key_value_delimiter:
<string>
, field_delimiter:
<string>
, flatten_boolean:
<boolean>
])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object | The value to convert to a string. | yes | |
| fields_ordering | array | The ordering of fields to preserve. Any fields not in this list are listed unordered, after all ordered fields. | no | |
| key_value_delimiter | string | The string that separates the key from the value. | = | no |
| field_delimiter | string | The string that separates each key-value pair. | | no |
| flatten_boolean | boolean | Whether to encode key-value with a boolean value as a standalone key if true and nothing if false. | no |
Notices
This function has special behavior that you should be aware of.If
fields_ordering is specified then the function is fallible else it is infallible.Errors
Theencode_key_value function is fallible, which means that
error handling is required for these errors:fields_ordering contains a non-string element.Examples
Encode with default delimiters (no ordering)
Source
encode_key_value({"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info"})Return
lvl=info msg="This is a message" ts=2021-06-05T17:20:00ZEncode with default delimiters (fields ordering)
Source
encode_key_value!({"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info", "log_id": 12345}, ["ts", "lvl", "msg"])Return
ts=2021-06-05T17:20:00Z lvl=info msg="This is a message" log_id=12345Encode with default delimiters (nested fields)
Source
encode_key_value({"agent": {"name": "foo"}, "log": {"file": {"path": "my.log"}}, "event": "log"})Return
agent.name=foo event=log log.file.path=my.logEncode with default delimiters (nested fields ordering)
Source
encode_key_value!({"agent": {"name": "foo"}, "log": {"file": {"path": "my.log"}}, "event": "log"}, ["event", "log.file.path", "agent.name"])Return
event=log log.file.path=my.log agent.name=fooEncode with custom delimiters (no ordering)
Source
encode_key_value(
{"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info"},
field_delimiter: ",",
key_value_delimiter: ":"
)Return
lvl:info,msg:"This is a message",ts:2021-06-05T17:20:00ZEncode with custom delimiters and flatten boolean
Source
encode_key_value(
{"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info", "beta": true, "dropped": false},
field_delimiter: ",",
key_value_delimiter: ":",
flatten_boolean: true
)Return
beta,lvl:info,msg:"This is a message",ts:2021-06-05T17:20:00Zencode_logfmt
fallible pureEncodes the
value to logfmt.Function spec
encode_logfmt(value:
<object>
,
[fields_ordering:
<array>
])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object | The value to convert to a logfmt string. | yes | |
| fields_ordering | array | The ordering of fields to preserve. Any fields not in this list are listed unordered, after all ordered fields. | no |
Notices
This function has special behavior that you should be aware of.If
fields_ordering is specified then the function is fallible else it is infallible.Errors
Theencode_logfmt function is fallible, which means that
error handling is required for these errors:fields_ordering contains a non-string element.Examples
Encode to logfmt (no ordering)
Source
encode_logfmt({"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info"})Return
lvl=info msg="This is a message" ts=2021-06-05T17:20:00ZEncode to logfmt (fields ordering)
Source
encode_logfmt!({"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info", "log_id": 12345}, ["ts", "lvl", "msg"])Return
ts=2021-06-05T17:20:00Z lvl=info msg="This is a message" log_id=12345encode_percent
infallible pureEncodes a
value with percent encoding to safely be used in URLs.encode_proto
fallible pureEncodes the
value into a protocol buffer payload.Function spec
encode_proto(value:
<object>
, desc_file:
<string>
, message_type:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object | The object to convert to a protocol buffer payload. | yes | |
| desc_file | string | The path to the protobuf descriptor set file. Must be a literal string. This file is the output of protoc -o | yes | |
| message_type | string | The name of the message type to use for serializing. Must be a literal string. | yes |
Errors
Theencode_proto function is fallible, which means that
error handling is required for these errors:desc_file file does not exist.message_type message type does not exist in the descriptor file.encode_punycode
fallible pureFunction spec
encode_punycode(value:
<string>
,
[validate:
<boolean>
])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to encode. | yes | |
| validate | boolean | Whether to validate the input string to check if it is a valid domain name. | true | no |
Errors
Theencode_punycode function is fallible, which means that
error handling is required for these errors:value can not be encoded to punycodeencode_snappy
fallible pureEncodes the
value to Snappy.Function spec
encode_snappy(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to encode. | yes |
Errors
Theencode_snappy function is fallible, which means that
error handling is required for these errors:value cannot be encoded into a Snappy string.encode_zlib
infallible pureEncodes the
value to Zlib.encode_zstd
infallible pureEncodes the
value to Zstandard.Coerce functions
to_bool
fallible pureCoerces the
value into a boolean.Function spec
to_bool(value:
<boolean | integer | float | null | string>
)
:: <boolean>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | boolean integer float null string | The value to convert to a Boolean. | yes |
Errors
Theto_bool function is fallible, which means that
error handling is required for these errors:value is not a supported boolean representation.to_float
fallible pureCoerces the
value into a float.Function spec
to_float(value:
<integer | float | boolean | string | timestamp>
)
:: <float>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer float boolean string timestamp | The value to convert to a float. Must be convertible to a float, otherwise an error is raised. | yes |
Errors
Theto_float function is fallible, which means that
error handling is required for these errors:value is not a supported float representation.to_int
fallible pureCoerces the
value into an integer.Function spec
to_int(value:
<integer | float | boolean | string | timestamp | null>
)
:: <integer>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer float boolean string timestamp null | The value to convert to an integer. | yes |
Errors
Theto_int function is fallible, which means that
error handling is required for these errors:value is a string but the text is not an integer.value is not a string, int, or timestamp.to_regex
fallible pureCoerces the
value into a regex.Function spec
to_regex(value:
<string>
)
:: <regex>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The value to convert to a regex. | yes |
Notices
This function has special behavior that you should be aware of.Compiling a regular expression is an expensive operation and can limit Vector throughput. Don’t use this function unless you are absolutely sure there is no other way!
Errors
Theto_regex function is fallible, which means that
error handling is required for these errors:value is not a string.to_string
fallible pureCoerces the
value into a string.Function spec
to_string(value:
<integer | float | boolean | string | timestamp | null>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer float boolean string timestamp null | The value to convert to a string. | yes |
Errors
Theto_string function is fallible, which means that
error handling is required for these errors:value is not an integer, float, boolean, string, timestamp, or null.Convert functions
from_unix_timestamp
infallible pureConverts the value integer from a Unix timestamp to a VRL timestamp.
Converts from the number of seconds since the Unix epoch by default. To convert from milliseconds or nanoseconds, set the unit argument to milliseconds or nanoseconds.
Function spec
from_unix_timestamp(value:
<integer>
,
[unit:
<string>
])
:: <timestamp>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer | The Unix timestamp to convert. | yes | |
| unit | string | The time unit. | seconds | no |
to_syslog_facility
fallible pureConverts the
value, a Syslog facility code, into its corresponding
Syslog keyword. For example, 0 into "kern", 1 into "user", etc.Function spec
to_syslog_facility(value:
<integer>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer | The facility code. | yes |
Errors
Theto_syslog_facility function is fallible, which means that
error handling is required for these errors:value is not a valid Syslog facility code.to_syslog_level
fallible pureConverts the
value, a Syslog severity level, into its corresponding keyword,
i.e. 0 into "emerg", 1 into "alert", etc.Function spec
to_syslog_level(value:
<integer>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer | The severity level. | yes |
Errors
Theto_syslog_level function is fallible, which means that
error handling is required for these errors:value isn’t a valid Syslog severity level.to_syslog_severity
fallible pureFunction spec
to_syslog_severity(value:
<string>
)
:: <integer>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The Syslog level keyword to convert. | yes |
Errors
Theto_syslog_severity function is fallible, which means that
error handling is required for these errors:value is not a valid Syslog level keyword.to_unix_timestamp
infallible pureConverts the value timestamp into a Unix timestamp.
Returns the number of seconds since the Unix epoch by default. To return the number in milliseconds or nanoseconds, set the unit argument to milliseconds or nanoseconds.
Function spec
to_unix_timestamp(value:
<timestamp>
,
[unit:
<string>
])
:: <integer>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | timestamp | The timestamp to convert into a Unix timestamp. | yes | |
| unit | string | The time unit. | seconds | no |
Debug functions
assert
fallible impureAsserts the
condition, which must be a Boolean expression. The program is aborted with
message if the condition evaluates to false.Function spec
assert(condition:
<boolean>
,
[message:
<string>
])
:: <null>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| condition | boolean | The condition to check. | yes | |
| message | string | An optional custom error message. If the equality assertion fails, message is
appended to the default message prefix. See the examples below
for a fully formed log message sample. | no |
Notices
This function has special behavior that you should be aware of.The
assert function should be used in a standalone fashion and only when you want to abort the program. You
should avoid it in logical expressions and other situations in which you want the program to continue if the
condition evaluates to false.Errors
Theassert function is fallible, which means that
error handling is required for these errors:condition evaluates to false.assert_eq
infallible impureAsserts that two expressions,
left and right, have the same value. The program is
aborted with message if they do not have the same value.Function spec
assert_eq(left:
<any>
, right:
<any>
,
[message:
<string>
])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| left | any | The value to check for equality against right. | yes | |
| right | any | The value to check for equality against left. | yes | |
| message | string | An optional custom error message. If the equality assertion fails, message is
appended to the default message prefix. See the examples
below for a fully formed log message sample. | no |
Notices
This function has special behavior that you should be aware of.The
assert_eq function should be used in a standalone fashion and only when you want to
abort the program. You should avoid it in logical expressions and other situations in which
you want the program to continue if the condition evaluates to false.log
infallible impureFunction spec
log(value:
<any>
,
[level:
<string>
, rate_limit_secs:
<integer>
])
:: <null>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to log. | yes | |
| level | string | The log level. | info | no |
| rate_limit_secs | integer | Specifies that the log message is output no more than once per the given number of seconds.
Use a value of 0 to turn rate limiting off. | 1 | no |
Enrichment functions
find_enrichment_table_records
infallible pureSearches an enrichment table for rows that match the provided condition.
For file enrichment tables, this condition needs to be a VRL object in which
the key-value pairs indicate a field to search mapped to a value to search in that field.
This function returns the rows that match the provided condition(s). All fields need to
match for rows to be returned; if any fields do not match, then no rows are returned.
There are currently two forms of search criteria:
Exact match search. The given field must match the value exactly. Case sensitivity can be specified using the
case_sensitiveargument. An exact match search can use an index directly into the dataset, which should make this search fairly “cheap” from a performance perspective.Date range search. The given field must be greater than or equal to the
fromdate and less than or equal to thetodate. A date range search involves sequentially scanning through the rows that have been located using any exact match criteria. This can be an expensive operation if there are many rows returned by any exact match criteria. Therefore, use date ranges as the only criteria when the enrichment data set is very small.
For geoip and mmdb enrichment tables, this condition needs to be a VRL object with a single key-value pair
whose value needs to be a valid IP address. Example: {"ip": .ip }. If a return field is expected
and without a value, null is used. This table can return the following fields:
ISP databases:
autonomous_system_numberautonomous_system_organizationisporganization
City databases:
city_namecontinent_codecountry_codecountry_nameregion_coderegion_namemetro_codelatitudelongitudepostal_codetimezone
Connection-Type databases:
connection_type
To use this function, you need to update your configuration to
include an
enrichment_tables
parameter.
Function spec
find_enrichment_table_records(table:
<string>
, condition:
<object>
,
[select:
<array>
, case_sensitive:
<boolean>
])
:: <array>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| table | string | The enrichment table to search. | yes | |
| condition | object | The condition to search on. Since the condition is used at boot time to create indices into the data, these conditions must be statically defined. | yes | |
| select | array | A subset of fields from the enrichment table to return. If not specified, all fields are returned. | no | |
| case_sensitive | boolean | Whether text fields need to match cases exactly. | true | no |
get_enrichment_table_record
fallible pureSearches an enrichment table for a row that matches the provided condition. A single row must be matched. If no rows are found or more than one row is found, an error is returned.
For file enrichment tables, this condition needs to be a VRL object in which
the key-value pairs indicate a field to search mapped to a value to search in that field.
This function returns the rows that match the provided condition(s). All fields need to
match for rows to be returned; if any fields do not match, then no rows are returned.
There are currently two forms of search criteria:
Exact match search. The given field must match the value exactly. Case sensitivity can be specified using the
case_sensitiveargument. An exact match search can use an index directly into the dataset, which should make this search fairly “cheap” from a performance perspective.Date range search. The given field must be greater than or equal to the
fromdate and less than or equal to thetodate. A date range search involves sequentially scanning through the rows that have been located using any exact match criteria. This can be an expensive operation if there are many rows returned by any exact match criteria. Therefore, use date ranges as the only criteria when the enrichment data set is very small.
For geoip and mmdb enrichment tables, this condition needs to be a VRL object with a single key-value pair
whose value needs to be a valid IP address. Example: {"ip": .ip }. If a return field is expected
and without a value, null is used. This table can return the following fields:
ISP databases:
autonomous_system_numberautonomous_system_organizationisporganization
City databases:
city_namecontinent_codecountry_codecountry_nameregion_coderegion_namemetro_codelatitudelongitudepostal_codetimezone
Connection-Type databases:
connection_type
To use this function, you need to update your configuration to
include an
enrichment_tables
parameter.
Function spec
get_enrichment_table_record(table:
<string>
, condition:
<object>
,
[select:
<array>
, case_sensitive:
<boolean>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| table | string | The enrichment table to search. | yes | |
| condition | object | The condition to search on. Since the condition is used at boot time to create indices into the data, these conditions must be statically defined. | yes | |
| select | array | A subset of fields from the enrichment table to return. If not specified, all fields are returned. | no | |
| case_sensitive | boolean | Whether the text fields match the case exactly. | true | no |
Errors
Theget_enrichment_table_record function is fallible, which means that
error handling is required for these errors:The row is not found.
Multiple rows are found that match the condition.
Enumerate functions
compact
infallible pureCompacts the
value by removing empty values, where empty values are defined using the
available parameters.Function spec
compact(value:
<array | object>
,
[recursive:
<boolean>
, null:
<boolean>
, string:
<boolean>
, object:
<boolean>
, array:
<boolean>
, nullish:
<boolean>
])
:: <array | object>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array object | The object or array to compact. | yes | |
| recursive | boolean | Whether the compaction be recursive. | true | no |
| null | boolean | Whether null should be treated as an empty value. | true | no |
| string | boolean | Whether an empty string should be treated as an empty value. | true | no |
| object | boolean | Whether an empty object should be treated as an empty value. | true | no |
| array | boolean | Whether an empty array should be treated as an empty value. | true | no |
| nullish | boolean | Tests whether the value is “nullish” as defined by the is_nullish function. | no |
filter
infallible pureFilter elements from a collection.
This function currently does not support recursive iteration.
The function uses the function closure syntax to allow reading the key-value or index-value combination for each item in the collection.
The same scoping rules apply to closure blocks as they do for regular blocks. This means that any variable defined in parent scopes is accessible, and mutations to those variables are preserved, but any new variables instantiated in the closure block are unavailable outside of the block.
See the examples below to learn about the closure syntax.
flatten
infallible pureFlattens the
value into a single-level representation.for_each
infallible pureIterate over a collection.
This function currently does not support recursive iteration.
The function uses the “function closure syntax” to allow reading the key/value or index/value combination for each item in the collection.
The same scoping rules apply to closure blocks as they do for regular blocks. This means that any variable defined in parent scopes is accessible, and mutations to those variables are preserved, but any new variables instantiated in the closure block are unavailable outside of the block.
See the examples below to learn about the closure syntax.
Function spec
for_each(value:
<array | object>
)
:: <null>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array object | The array or object to iterate. | yes |
Examples
Tally elements
Source
tally = {}
for_each(array!(.tags)) -> |_index, value| {
# Get the current tally for the `value`, or
# set to `0`.
count = int(get!(tally, [value])) ?? 0
# Increment the tally for the value by `1`.
tally = set!(tally, [value], count + 1)
}
tallyReturn
{
"bar": 1,
"baz": 1,
"foo": 2
}includes
infallible pureDetermines whether the
value array includes the specified item.keys
infallible pureReturns the keys from the object passed into the function.
length
infallible pureReturns the length of the value.
- If
valueis an array, returns the number of elements. - If
valueis an object, returns the number of top-level keys. - If
valueis a string, returns the number of bytes in the string. If you want the number of characters, seestrlen.
Function spec
length(value:
<array | object | string>
)
:: <integer>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array object string | The array or object. | yes |
map_keys
infallible pureMap the keys within an object.
If recursive is enabled, the function iterates into nested
objects, using the following rules:
- Iteration starts at the root.
- For every nested object type:
- First return the key of the object type itself.
- Then recurse into the object, and loop back to item (1) in this list.
- Any mutation done on a nested object before recursing into it, are preserved.
- For every nested array type:
- First return the key of the array type itself.
- Then find all objects within the array, and apply item (2) to each individual object.
The above rules mean that map_keys with
recursive enabled finds all keys in the target,
regardless of whether nested objects are nested inside arrays.
The function uses the function closure syntax to allow reading the key for each item in the object.
The same scoping rules apply to closure blocks as they do for regular blocks. This means that any variable defined in parent scopes is accessible, and mutations to those variables are preserved, but any new variables instantiated in the closure block are unavailable outside of the block.
See the examples below to learn about the closure syntax.
map_values
infallible pureMap the values within a collection.
If recursive is enabled, the function iterates into nested
collections, using the following rules:
- Iteration starts at the root.
- For every nested collection type:
- First return the collection type itself.
- Then recurse into the collection, and loop back to item (1) in the list
- Any mutation done on a collection before recursing into it, are preserved.
The function uses the function closure syntax to allow mutating the value for each item in the collection.
The same scoping rules apply to closure blocks as they do for regular blocks, meaning, any variable defined in parent scopes are accessible, and mutations to those variables are preserved, but any new variables instantiated in the closure block are unavailable outside of the block.
Check out the examples below to learn about the closure syntax.
match_array
infallible pureDetermines whether the elements in the
value array matches the pattern. By default, it checks that at least one element matches, but can be set to determine if all the elements match.Function spec
match_array(value:
<array>
, pattern:
<regex>
,
[all:
<boolean>
])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array | The array. | yes | |
| pattern | regex | The regular expression pattern to match against. | yes | |
| all | boolean | Whether to match on all elements of value. | no |
strlen
infallible pureReturns the number of UTF-8 characters in value. This differs from
length which counts the number of bytes of a string.
Note: This is the count of Unicode scalar values which can sometimes differ from Unicode code points.
unflatten
infallible pureUnflattens the
value into a nested representation.Function spec
unflatten(value:
<object>
,
[separator:
<string>
, recursive:
<boolean>
])
:: <object>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object | The array or object to unflatten. | yes | |
| separator | string | The separator to split flattened keys. | . | no |
| recursive | boolean | Whether to recursively unflatten the object values. | true | no |
Examples
Unflatten
Source
unflatten({
"foo.bar.baz": true,
"foo.bar.qux": false,
"foo.quux": 42
})Return
{
"foo": {
"bar": {
"baz": true,
"qux": false
},
"quux": 42
}
}Unflatten recursively
Source
unflatten({
"flattened.parent": {
"foo.bar": true,
"foo.baz": false
}
})Return
{
"flattened": {
"parent": {
"foo": {
"bar": true,
"baz": false
}
}
}
}unique
infallible pureReturns the unique values for an array.
The first occurrence of each element is kept.
values
infallible pureReturns the values from the object passed into the function.
Event functions
get_secret
infallible pureReturns the value of the given secret from an event.
remove_secret
infallible pureRemoves a secret from an event.
set_secret
infallible pureSets the given secret in the event.
set_semantic_meaning
infallible pureSets a semantic meaning for an event. Note: This function assigns
meaning at startup, and has no runtime behavior. It is suggested
to put all calls to this function at the beginning of a VRL function. The function
cannot be conditionally called. For example, using an if statement cannot stop the meaning
from being assigned.
Path functions
del
infallible impureRemoves the field specified by the static path from the target.
For dynamic path deletion, see the remove function.
Function spec
del(path:
<path>
,
[compact:
<boolean>
])
:: <any>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| path | path | The path of the field to delete. | yes | |
| compact | boolean | After deletion, if compact is true and there is an empty object or array left,
the empty object or array is also removed, cascading up to the root. This only
applies to the path being deleted, and any parent paths. | no |
exists
infallible pureChecks whether the path exists for the target.
This function distinguishes between a missing path
and a path with a null value. A regular path lookup,
such as .foo, cannot distinguish between the two cases
since it always returns null if the path doesn’t exist.
get
fallible pureDynamically get the value of a given path.
If you know the path you want to look up, use
static paths such as .foo.bar[1] to get the value of that
path. However, if you do not know the path names,
use the dynamic get function to get the requested
value.
Function spec
get(value:
<object | array>
, path:
<array>
)
:: <any>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object array | The object or array to query. | yes | |
| path | array | An array of path segments to look for the value. | yes |
Errors
Theget function is fallible, which means that
error handling is required for these errors:The
path segment must be a string or an integer.remove
fallible pureDynamically remove the value for a given path.
If you know the path you want to remove, use
the del function and static paths such as del(.foo.bar[1])
to remove the value at that path. The del function returns the
deleted value, and is more performant than remove.
However, if you do not know the path names, use the dynamic
remove function to remove the value at the provided path.
Function spec
remove(value:
<object | array>
, path:
<array>
,
[compact:
<boolean>
])
:: <object | array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object array | The object or array to remove data from. | yes | |
| path | array | An array of path segments to remove the value from. | yes | |
| compact | boolean | After deletion, if compact is true, any empty objects or
arrays left are also removed. | no |
Errors
Theremove function is fallible, which means that
error handling is required for these errors:The
path segment must be a string or an integer.set
fallible pureDynamically insert data into the path of a given object or array.
If you know the path you want to assign a value to,
use static path assignments such as .foo.bar[1] = true for
improved performance and readability. However, if you do not
know the path names, use the dynamic set function to
insert the data into the object or array.
Function spec
set(value:
<object | array>
, path:
<array>
, data:
<any>
)
:: <object | array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object array | The object or array to insert data into. | yes | |
| path | array | An array of path segments to insert the value into. | yes | |
| data | any | The data to be inserted. | yes |
Errors
Theset function is fallible, which means that
error handling is required for these errors:The
path segment must be a string or an integer.Cryptography functions
decrypt
fallible pureDecrypts a string with a symmetric encryption algorithm.
Supported Algorithms:
- AES-256-CFB (key = 32 bytes, iv = 16 bytes)
- AES-192-CFB (key = 24 bytes, iv = 16 bytes)
- AES-128-CFB (key = 16 bytes, iv = 16 bytes)
- AES-256-OFB (key = 32 bytes, iv = 16 bytes)
- AES-192-OFB (key = 24 bytes, iv = 16 bytes)
- AES-128-OFB (key = 16 bytes, iv = 16 bytes)
- Deprecated - AES-256-CTR (key = 32 bytes, iv = 16 bytes)
- Deprecated - AES-192-CTR (key = 24 bytes, iv = 16 bytes)
- Deprecated - AES-128-CTR (key = 16 bytes, iv = 16 bytes)
- AES-256-CTR-LE (key = 32 bytes, iv = 16 bytes)
- AES-192-CTR-LE (key = 24 bytes, iv = 16 bytes)
- AES-128-CTR-LE (key = 16 bytes, iv = 16 bytes)
- AES-256-CTR-BE (key = 32 bytes, iv = 16 bytes)
- AES-192-CTR-BE (key = 24 bytes, iv = 16 bytes)
- AES-128-CTR-BE (key = 16 bytes, iv = 16 bytes)
- AES-256-CBC-PKCS7 (key = 32 bytes, iv = 16 bytes)
- AES-192-CBC-PKCS7 (key = 24 bytes, iv = 16 bytes)
- AES-128-CBC-PKCS7 (key = 16 bytes, iv = 16 bytes)
- AES-256-CBC-ANSIX923 (key = 32 bytes, iv = 16 bytes)
- AES-192-CBC-ANSIX923 (key = 24 bytes, iv = 16 bytes)
- AES-128-CBC-ANSIX923 (key = 16 bytes, iv = 16 bytes)
- AES-256-CBC-ISO7816 (key = 32 bytes, iv = 16 bytes)
- AES-192-CBC-ISO7816 (key = 24 bytes, iv = 16 bytes)
- AES-128-CBC-ISO7816 (key = 16 bytes, iv = 16 bytes)
- AES-256-CBC-ISO10126 (key = 32 bytes, iv = 16 bytes)
- AES-192-CBC-ISO10126 (key = 24 bytes, iv = 16 bytes)
- AES-128-CBC-ISO10126 (key = 16 bytes, iv = 16 bytes)
- CHACHA20-POLY1305 (key = 32 bytes, iv = 12 bytes)
- XCHACHA20-POLY1305 (key = 32 bytes, iv = 24 bytes)
- XSALSA20-POLY1305 (key = 32 bytes, iv = 24 bytes)
Function spec
decrypt(ciphertext:
<string>
, algorithm:
<string>
, key:
<string>
, iv:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| ciphertext | string | The string in raw bytes (not encoded) to decrypt. | yes | |
| algorithm | string | The algorithm to use. | yes | |
| key | string | The key in raw bytes (not encoded) for decryption. The length must match the algorithm requested. | yes | |
| iv | string | The IV in raw bytes (not encoded) for decryption. The length must match the algorithm requested.
A new IV should be generated for every message. You can use random_bytes to generate a cryptographically secure random value.
The value should match the one used during encryption. | yes |
Errors
Thedecrypt function is fallible, which means that
error handling is required for these errors:algorithm is not a supported algorithm.key length does not match the key size required for the algorithm specified.iv length does not match the iv size required for the algorithm specified.encrypt
fallible pureEncrypts a string with a symmetric encryption algorithm.
Supported Algorithms:
- AES-256-CFB (key = 32 bytes, iv = 16 bytes)
- AES-192-CFB (key = 24 bytes, iv = 16 bytes)
- AES-128-CFB (key = 16 bytes, iv = 16 bytes)
- AES-256-OFB (key = 32 bytes, iv = 16 bytes)
- AES-192-OFB (key = 24 bytes, iv = 16 bytes)
- AES-128-OFB (key = 16 bytes, iv = 16 bytes)
- Deprecated - AES-256-CTR (key = 32 bytes, iv = 16 bytes)
- Deprecated - AES-192-CTR (key = 24 bytes, iv = 16 bytes)
- Deprecated - AES-128-CTR (key = 16 bytes, iv = 16 bytes)
- AES-256-CTR-LE (key = 32 bytes, iv = 16 bytes)
- AES-192-CTR-LE (key = 24 bytes, iv = 16 bytes)
- AES-128-CTR-LE (key = 16 bytes, iv = 16 bytes)
- AES-256-CTR-BE (key = 32 bytes, iv = 16 bytes)
- AES-192-CTR-BE (key = 24 bytes, iv = 16 bytes)
- AES-128-CTR-BE (key = 16 bytes, iv = 16 bytes)
- AES-256-CBC-PKCS7 (key = 32 bytes, iv = 16 bytes)
- AES-192-CBC-PKCS7 (key = 24 bytes, iv = 16 bytes)
- AES-128-CBC-PKCS7 (key = 16 bytes, iv = 16 bytes)
- AES-256-CBC-ANSIX923 (key = 32 bytes, iv = 16 bytes)
- AES-192-CBC-ANSIX923 (key = 24 bytes, iv = 16 bytes)
- AES-128-CBC-ANSIX923 (key = 16 bytes, iv = 16 bytes)
- AES-256-CBC-ISO7816 (key = 32 bytes, iv = 16 bytes)
- AES-192-CBC-ISO7816 (key = 24 bytes, iv = 16 bytes)
- AES-128-CBC-ISO7816 (key = 16 bytes, iv = 16 bytes)
- AES-256-CBC-ISO10126 (key = 32 bytes, iv = 16 bytes)
- AES-192-CBC-ISO10126 (key = 24 bytes, iv = 16 bytes)
- AES-128-CBC-ISO10126 (key = 16 bytes, iv = 16 bytes)
- CHACHA20-POLY1305 (key = 32 bytes, iv = 12 bytes)
- XCHACHA20-POLY1305 (key = 32 bytes, iv = 24 bytes)
- XSALSA20-POLY1305 (key = 32 bytes, iv = 24 bytes)
Function spec
encrypt(plaintext:
<string>
, algorithm:
<string>
, key:
<string>
, iv:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| plaintext | string | The string to encrypt. | yes | |
| algorithm | string | The algorithm to use. | yes | |
| key | string | The key in raw bytes (not encoded) for encryption. The length must match the algorithm requested. | yes | |
| iv | string | The IV in raw bytes (not encoded) for encryption. The length must match the algorithm requested.
A new IV should be generated for every message. You can use random_bytes to generate a cryptographically secure random value. | yes |
Errors
Theencrypt function is fallible, which means that
error handling is required for these errors:algorithm is not a supported algorithm.key length does not match the key size required for the algorithm specified.iv length does not match the iv size required for the algorithm specified.Examples
Encrypt value
Source
plaintext = "super secret message"
iv = "1234567890123456" # typically you would call random_bytes(16)
key = "16_byte_keyxxxxx"
encrypted_message = encrypt!(plaintext, "AES-128-CBC-PKCS7", key, iv: iv)
encode_base64(encrypted_message)Return
GBw8Mu00v0Kc38+/PvsVtGgWuUJ+ZNLgF8Opy8ohIYE=hmac
infallible pureCalculates a HMAC of the value using the given key.
The hashing algorithm used can be optionally specified.
For most use cases, the resulting bytestream should be encoded into a hex or base64 string using either encode_base16 or encode_base64.
This function is infallible if either the default algorithm value or a recognized-valid compile-time
algorithm string literal is used. Otherwise, it is fallible.
Function spec
hmac(value:
<string>
, key:
<string>
,
[algorithm:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to calculate the HMAC for. | yes | |
| key | string | The string to use as the cryptographic key. | yes | |
| algorithm | string | The hashing algorithm to use. | SHA-256 | no |
Examples
Calculate message HMAC (defaults: SHA-256), encoding to a base64 string
Source
encode_base64(hmac("Hello there", "super-secret-key"))Return
eLGE8YMviv85NPXgISRUZxstBNSU47JQdcXkUWcClmI=md5
infallible pureCalculates an md5 hash of the
value.seahash
infallible pureCalculates a Seahash hash of the
value.
Note: Due to limitations in the underlying VRL data types, this function converts the unsigned 64-bit integer SeaHash result to a signed 64-bit integer. Results higher than the signed 64-bit integer maximum value wrap around to negative values.sha1
infallible pureCalculates a SHA-1 hash of the
value.sha2
infallible pureCalculates a SHA-2 hash of the
value.sha3
infallible pureCalculates a SHA-3 hash of the
value.IP functions
ip_aton
fallible pureConverts IPv4 address in numbers-and-dots notation into network-order bytes represented as an integer.
This behavior mimics inet_aton.
Function spec
ip_aton(value:
<string>
)
:: <integer>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The IP address to convert to binary. | yes |
Errors
Theip_aton function is fallible, which means that
error handling is required for these errors:value is not a valid IPv4 address.ip_cidr_contains
fallible pureDetermines whether the
ip is contained in the block referenced by the cidr.Function spec
ip_cidr_contains(cidr:
<string>
, ip:
<string>
)
:: <boolean>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| cidr | string | The CIDR mask (v4 or v6). | yes | |
| ip | string | The IP address (v4 or v6). | yes |
Errors
Theip_cidr_contains function is fallible, which means that
error handling is required for these errors:cidr is not a valid CIDR.ip is not a valid IP address.ip_ntoa
fallible pureConverts numeric representation of IPv4 address in network-order bytes to numbers-and-dots notation.
This behavior mimics inet_ntoa.
Function spec
ip_ntoa(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The integer representation of an IPv4 address. | yes |
Errors
Theip_ntoa function is fallible, which means that
error handling is required for these errors:value cannot fit in an unsigned 32-bit integer.ip_ntop
fallible pureConverts IPv4 and IPv6 addresses from binary to text form.
This behavior mimics inet_ntop.
Function spec
ip_ntop(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The binary data to convert from. For IPv4 addresses, it must be 4 bytes (32 bits) long. For IPv6 addresses, it must be 16 bytes (128 bits) long. | yes |
Notices
This function has special behavior that you should be aware of.The binary data for this function is not easily printable.
However, the results from functions such as
decode_base64 or
decode_percent can still be used correctly.Errors
Theip_ntop function is fallible, which means that
error handling is required for these errors:value must be of length 4 or 16 bytes.ip_pton
fallible pureConverts IPv4 and IPv6 addresses from text to binary form.
- The binary form of IPv4 addresses is 4 bytes (32 bits) long.
- The binary form of IPv6 addresses is 16 bytes (128 bits) long.
This behavior mimics inet_pton.
Function spec
ip_pton(value:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The IP address (v4 or v6) to convert to binary form. | yes |
Notices
This function has special behavior that you should be aware of.The binary data from this function is not easily printable.
However, functions such as
encode_base64 or encode_percent can
still process it correctly.Errors
Theip_pton function is fallible, which means that
error handling is required for these errors:value is not a valid IP (v4 or v6) address in text form.ip_subnet
fallible pureExtracts the subnet address from the
ip using the supplied subnet.Function spec
ip_subnet(ip:
<string>
, subnet:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| ip | string | The IP address (v4 or v6). | yes | |
| subnet | string | The subnet to extract from the IP address. This can be either a prefix length like /8 or a net mask
like 255.255.0.0. The net mask can be either an IPv4 or IPv6 address. | yes |
Notices
This function has special behavior that you should be aware of.Works with both IPv4 and IPv6 addresses. The IP version for the mask must be the same as the supplied
address.
Errors
Theip_subnet function is fallible, which means that
error handling is required for these errors:ip is not a valid IP address.subnet is not a valid subnet.ip_to_ipv6
fallible pureConverts the
ip to an IPv6 address.Function spec
ip_to_ipv6(ip:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| ip | string | The IP address to convert to IPv6. | yes |
Errors
Theip_to_ipv6 function is fallible, which means that
error handling is required for these errors:ip is not a valid IP address.ipv6_to_ipv4
fallible pureConverts the
ip to an IPv4 address. ip is returned unchanged if it’s already an IPv4 address. If ip is
currently an IPv6 address then it needs to be IPv4 compatible, otherwise an error is thrown.Function spec
ipv6_to_ipv4(ip:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| ip | string | The IPv4-mapped IPv6 address to convert. | yes |
Errors
Theipv6_to_ipv4 function is fallible, which means that
error handling is required for these errors:ip is not a valid IP address.ip is an IPv6 address that is not compatible with IPv4.is_ipv4
infallible pureCheck if the string is a valid IPv4 address or not.
An [IPv4-mapped][https://datatracker.ietf.org/doc/html/rfc6890] or [IPv4-compatible][https://datatracker.ietf.org/doc/html/rfc6890] IPv6 address is not considered valid for the purpose of this function.
is_ipv6
infallible pureCheck if the string is a valid IPv6 address or not.
Number functions
abs
infallible pureComputes the absolute value of
value.ceil
infallible pureRounds the
value up to the specified precision.floor
infallible pureRounds the
value down to the specified precision.format_int
fallible pureFormats the integer
value into a string representation using the given base/radix.Function spec
format_int(value:
<integer>
,
[base:
<integer>
])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer | The number to format. | yes | |
| base | integer | The base to format the number in. Must be between 2 and 36 (inclusive). | 10 | no |
Errors
Theformat_int function is fallible, which means that
error handling is required for these errors:The base is not between 2 and 36.
format_number
infallible pureFormats the
value into a string representation of the number.Function spec
format_number(value:
<integer | float>
,
[scale:
<integer>
, decimal_separator:
<string>
, grouping_separator:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer float | The number to format as a string. | yes | |
| scale | integer | The number of decimal places to display. | no | |
| decimal_separator | string | The character to use between the whole and decimal parts of the number. | . | no |
| grouping_separator | string | The character to use between each thousands part of the number. | , | no |
mod
fallible pureCalculates the remainder of
value divided by modulus.Function spec
mod(value:
<integer | float>
, modulus:
<integer | float>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer float | The value the modulus is applied to. | yes | |
| modulus | integer float | The modulus value. | yes |
Errors
Themod function is fallible, which means that
error handling is required for these errors:value is not an integer or float.modulus is not an integer or float.modulus is equal to 0.round
infallible pureRounds the
value to the specified precision.Object functions
match_datadog_query
infallible pureMatches an object against a Datadog Search Syntax query.
merge
infallible pureMerges the
from object into the to object.Function spec
merge(to:
<object>
, from:
<object>
,
[deep:
<boolean>
])
:: <object>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| to | object | The object to merge into. | yes | |
| from | object | The object to merge from. | yes | |
| deep | boolean | A deep merge is performed if true, otherwise only top-level fields are merged. | no |
unnest
fallible pureUnnest an array field from an object to create an array of objects using that field; keeping all other fields.
Assigning the array result of this to . results in multiple events being emitted from remap. See the
remap transform docs for more details.
This is also referred to as explode in some languages.
Function spec
unnest(path:
<path>
)
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| path | path | The path of the field to unnest. | yes |
Errors
Theunnest function is fallible, which means that
error handling is required for these errors:The field path referred to is not an array.
Parse functions
parse_apache_log
fallible pureParses Apache access and error log lines. Lines can be in
common,
combined, or the default error format.Function spec
parse_apache_log(value:
<string>
, format:
<string>
,
[timestamp_format:
<string>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| format | string | The format to use for parsing the log. | yes | |
| timestamp_format | string | The date/time format to use for encoding the timestamp. The time is parsed in local time if the timestamp does not specify a timezone. | %d/%b/%Y:%T %z | no |
Notices
This function has special behavior that you should be aware of.Missing information in the log message may be indicated by
-. These fields are omitted in the result.Errors
Theparse_apache_log function is fallible, which means that
error handling is required for these errors:value does not match the specified format.timestamp_format is not a valid format string.The timestamp in
value fails to parse using the provided timestamp_format.Examples
Parse using Apache log format (common)
Source
parse_apache_log!("127.0.0.1 bob frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326", format: "common")Return
{
"host": "127.0.0.1",
"identity": "bob",
"message": "GET /apache_pb.gif HTTP/1.0",
"method": "GET",
"path": "/apache_pb.gif",
"protocol": "HTTP/1.0",
"size": 2326,
"status": 200,
"timestamp": "2000-10-10T20:55:36Z",
"user": "frank"
}Parse using Apache log format (combined)
Source
parse_apache_log!(
s'127.0.0.1 bob frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.seniorinfomediaries.com/vertical/channels/front-end/bandwidth" "Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/1945-10-12 Firefox/37.0"',
"combined",
)Return
{
"agent": "Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/1945-10-12 Firefox/37.0",
"host": "127.0.0.1",
"identity": "bob",
"message": "GET /apache_pb.gif HTTP/1.0",
"method": "GET",
"path": "/apache_pb.gif",
"protocol": "HTTP/1.0",
"referrer": "http://www.seniorinfomediaries.com/vertical/channels/front-end/bandwidth",
"size": 2326,
"status": 200,
"timestamp": "2000-10-10T20:55:36Z",
"user": "frank"
}Parse using Apache log format (error)
Source
parse_apache_log!(
s'[01/Mar/2021:12:00:19 +0000] [ab:alert] [pid 4803:tid 3814] [client 147.159.108.175:24259] I will bypass the haptic COM bandwidth, that should matrix the CSS driver!',
"error"
)Return
{
"client": "147.159.108.175",
"message": "I will bypass the haptic COM bandwidth, that should matrix the CSS driver!",
"module": "ab",
"pid": 4803,
"port": 24259,
"severity": "alert",
"thread": "3814",
"timestamp": "2021-03-01T12:00:19Z"
}parse_aws_alb_log
fallible pureParses
value in the Elastic Load Balancer Access format.Function spec
parse_aws_alb_log(value:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | Access log of the Application Load Balancer. | yes |
Errors
Theparse_aws_alb_log function is fallible, which means that
error handling is required for these errors:value is not a properly formatted AWS ALB log.Examples
Parse AWS ALB log
Source
parse_aws_alb_log!(
"http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 - 0.000 0.001 0.000 200 200 34 366 \"GET http://www.example.com:80/ HTTP/1.1\" \"curl/7.46.0\" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 \"Root=1-58337364-23a8c76965a2ef7629b185e3\" \"-\" \"-\" 0 2018-11-30T22:22:48.364000Z \"forward\" \"-\" \"-\" \"-\" \"-\" \"-\" \"-\""
)Return
{
"actions_executed": "forward",
"chosen_cert_arn": null,
"classification": null,
"classification_reason": null,
"client_host": "192.168.131.39:2817",
"domain_name": null,
"elb": "app/my-loadbalancer/50dc6c495c0c9188",
"elb_status_code": "200",
"error_reason": null,
"matched_rule_priority": "0",
"received_bytes": 34,
"redirect_url": null,
"request_creation_time": "2018-11-30T22:22:48.364000Z",
"request_method": "GET",
"request_processing_time": 0,
"request_protocol": "HTTP/1.1",
"request_url": "http://www.example.com:80/",
"response_processing_time": 0,
"sent_bytes": 366,
"ssl_cipher": null,
"ssl_protocol": null,
"target_group_arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067",
"target_host": null,
"target_port_list": [],
"target_processing_time": 0.001,
"target_status_code": "200",
"target_status_code_list": [],
"timestamp": "2018-11-30T22:23:00.186641Z",
"trace_id": "Root=1-58337364-23a8c76965a2ef7629b185e3",
"traceability_id": null,
"type": "http",
"user_agent": "curl/7.46.0"
}parse_aws_cloudwatch_log_subscription_message
fallible pureParses AWS CloudWatch Logs events (configured through AWS Cloudwatch subscriptions) from the
aws_kinesis_firehose source.Function spec
parse_aws_cloudwatch_log_subscription_message(value:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string representation of the message to parse. | yes |
Errors
Theparse_aws_cloudwatch_log_subscription_message function is fallible, which means that
error handling is required for these errors:value is not a properly formatted AWS CloudWatch Log subscription message.Examples
Parse AWS Cloudwatch Log subscription message
Source
parse_aws_cloudwatch_log_subscription_message!(.message)Return
{
"log_events": [
{
"id": "35683658089614582423604394983260738922885519999578275840",
"message": "{\"bytes\":26780,\"datetime\":\"14/Sep/2020:11:45:41 -0400\",\"host\":\"157.130.216.193\",\"method\":\"PUT\",\"protocol\":\"HTTP/1.0\",\"referer\":\"https://www.principalcross-platform.io/markets/ubiquitous\",\"request\":\"/expedite/convergence\",\"source_type\":\"stdin\",\"status\":301,\"user-identifier\":\"-\"}",
"timestamp": "2020-09-14T19:09:29.039Z"
}
],
"log_group": "test",
"log_stream": "test",
"message_type": "DATA_MESSAGE",
"owner": "111111111111",
"subscription_filters": [
"Destination"
]
}parse_aws_vpc_flow_log
fallible pureParses
value in the VPC Flow Logs format.Function spec
parse_aws_vpc_flow_log(value:
<string>
,
[format:
<string>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | VPC Flow Log. | yes | |
| format | string | VPC Flow Log format. | no |
Errors
Theparse_aws_vpc_flow_log function is fallible, which means that
error handling is required for these errors:value is not a properly formatted AWS VPC Flow log.Examples
Parse AWS VPC Flow log (default format)
Source
parse_aws_vpc_flow_log!("2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA")Return
{
"account_id": "123456789010",
"action": null,
"bytes": null,
"dstaddr": null,
"dstport": null,
"end": 1431280934,
"interface_id": "eni-1235b8ca123456789",
"log_status": "NODATA",
"packets": null,
"protocol": null,
"srcaddr": null,
"srcport": null,
"start": 1431280876,
"version": 2
}Parse AWS VPC Flow log (custom format)
Source
parse_aws_vpc_flow_log!(
"- eni-1235b8ca123456789 10.0.1.5 10.0.0.220 10.0.1.5 203.0.113.5",
"instance_id interface_id srcaddr dstaddr pkt_srcaddr pkt_dstaddr"
)Return
{
"dstaddr": "10.0.0.220",
"instance_id": null,
"interface_id": "eni-1235b8ca123456789",
"pkt_dstaddr": "203.0.113.5",
"pkt_srcaddr": "10.0.1.5",
"srcaddr": "10.0.1.5"
}Parse AWS VPC Flow log including v5 fields
Source
parse_aws_vpc_flow_log!("5 52.95.128.179 10.0.0.71 80 34210 6 1616729292 1616729349 IPv4 14 15044 123456789012 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-0c50d5961bcb2d47b eni-1235b8ca123456789 ap-southeast-2 apse2-az3 - - ACCEPT 19 52.95.128.179 10.0.0.71 S3 - - ingress OK",
format: "version srcaddr dstaddr srcport dstport protocol start end type packets bytes account_id vpc_id subnet_id instance_id interface_id region az_id sublocation_type sublocation_id action tcp_flags pkt_srcaddr pkt_dstaddr pkt_src_aws_service pkt_dst_aws_service traffic_path flow_direction log_status")Return
{
"account_id": "123456789012",
"action": "ACCEPT",
"az_id": "apse2-az3",
"bytes": 15044,
"dstaddr": "10.0.0.71",
"dstport": 34210,
"end": 1616729349,
"flow_direction": "ingress",
"instance_id": "i-0c50d5961bcb2d47b",
"interface_id": "eni-1235b8ca123456789",
"log_status": "OK",
"packets": 14,
"pkt_dst_aws_service": null,
"pkt_dstaddr": "10.0.0.71",
"pkt_src_aws_service": "S3",
"pkt_srcaddr": "52.95.128.179",
"protocol": 6,
"region": "ap-southeast-2",
"srcaddr": "52.95.128.179",
"srcport": 80,
"start": 1616729292,
"sublocation_id": null,
"sublocation_type": null,
"subnet_id": "subnet-aaaaaaaa012345678",
"tcp_flags": 19,
"traffic_path": null,
"type": "IPv4",
"version": 5,
"vpc_id": "vpc-abcdefab012345678"
}parse_cef
fallible pureParses the
value in CEF (Common Event Format) format. Ignores everything up to CEF header. Empty values are returned as empty strings. Surrounding quotes are removed from values.Function spec
parse_cef(value:
<string>
,
[translate_custom_fields:
<boolean>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| translate_custom_fields | boolean | Toggles translation of custom field pairs to key:value. | no |
Notices
This function has special behavior that you should be aware of.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_cef function is fallible, which means that
error handling is required for these errors:value is not a properly formatted CEF string.Examples
Parse output generated by PTA
Source
parse_cef!(
"CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.1.1.1 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=2.2.2.2 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=None"
)Return
{
"cefVersion": "0",
"cs1": "None",
"cs1Label": "ExtraData",
"cs2": "52b06812ec3500ed864c461e",
"cs2Label": "EventID",
"cs3": "https://1.1.1.1/incidents/52b06812ec3500ed864c461e",
"cs3Label": "PTAlink",
"cs4": "None",
"cs4Label": "ExternalLink",
"deviceCustomDate1": "1388577900000",
"deviceCustomDate1Label": "detectionDate",
"deviceEventClassId": "1",
"deviceProduct": "PTA",
"deviceVendor": "CyberArk",
"deviceVersion": "12.6",
"dhost": "dev1.domain.com",
"dst": "2.2.2.2",
"duser": "andy@dev1.domain.com",
"name": "Suspected credentials theft",
"severity": "8",
"shost": "prod1.domain.com",
"src": "1.1.1.1",
"suser": "mike2@prod1.domain.com"
}Ignore syslog header
Source
parse_cef!(
"Sep 29 08:26:10 host CEF:1|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232"
)Return
{
"cefVersion": "1",
"deviceEventClassId": "100",
"deviceProduct": "threatmanager",
"deviceVendor": "Security",
"deviceVersion": "1.0",
"dst": "2.1.2.2",
"name": "worm successfully stopped",
"severity": "10",
"spt": "1232",
"src": "10.0.0.1"
}Translate custom fields
Source
parse_cef!(
"CEF:0|Dev|firewall|2.2|1|Connection denied|5|c6a1=2345:0425:2CA1:0000:0000:0567:5673:23b5 c6a1Label=Device IPv6 Address",
translate_custom_fields: true
)Return
{
"Device IPv6 Address": "2345:0425:2CA1:0000:0000:0567:5673:23b5",
"cefVersion": "0",
"deviceEventClassId": "1",
"deviceProduct": "firewall",
"deviceVendor": "Dev",
"deviceVersion": "2.2",
"name": "Connection denied",
"severity": "5"
}parse_common_log
fallible pureParses the
value using the Common Log Format (CLF).Function spec
parse_common_log(value:
<string>
,
[timestamp_format:
<string>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| timestamp_format | string | The date/time format to use for encoding the timestamp. | %d/%b/%Y:%T %z | no |
Notices
This function has special behavior that you should be aware of.Missing information in the log message may be indicated by
-. These fields are omitted in the result.Errors
Theparse_common_log function is fallible, which means that
error handling is required for these errors:value does not match the Common Log Format.timestamp_format is not a valid format string.The timestamp in
value fails to parse using the provided timestamp_format.Examples
Parse using Common Log Format (with default timestamp format)
Source
parse_common_log!("127.0.0.1 bob frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326")Return
{
"host": "127.0.0.1",
"identity": "bob",
"message": "GET /apache_pb.gif HTTP/1.0",
"method": "GET",
"path": "/apache_pb.gif",
"protocol": "HTTP/1.0",
"size": 2326,
"status": 200,
"timestamp": "2000-10-10T20:55:36Z",
"user": "frank"
}Parse using Common Log Format (with custom timestamp format)
Source
parse_common_log!(
"127.0.0.1 bob frank [2000-10-10T20:55:36Z] \"GET /apache_pb.gif HTTP/1.0\" 200 2326",
"%+"
)Return
{
"host": "127.0.0.1",
"identity": "bob",
"message": "GET /apache_pb.gif HTTP/1.0",
"method": "GET",
"path": "/apache_pb.gif",
"protocol": "HTTP/1.0",
"size": 2326,
"status": 200,
"timestamp": "2000-10-10T20:55:36Z",
"user": "frank"
}parse_csv
fallible pureParses a single CSV formatted row. Only the first row is parsed in case of multiline input value.
Function spec
parse_csv(value:
<string>
,
[delimiter:
<string>
])
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| delimiter | string | The field delimiter to use when parsing. Must be a single-byte utf8 character. | , | no |
Notices
This function has special behavior that you should be aware of.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_csv function is fallible, which means that
error handling is required for these errors:The delimiter must be a single-byte UTF-8 character.
value is not a valid CSV string.parse_duration
fallible pureParses the
value into a human-readable duration format specified by unit.Function spec
parse_duration(value:
<string>
, unit:
<string>
)
:: <float>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string of the duration. | yes | |
| unit | string | The output units for the duration. | yes |
Errors
Theparse_duration function is fallible, which means that
error handling is required for these errors:value is not a properly formatted duration.parse_etld
fallible pureParses the eTLD from
value representing domain name.Function spec
parse_etld(value:
<string>
,
[plus_parts:
<integer>
, psl:
<string>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The domain string. | yes | |
| plus_parts | integer | Can be provided to get additional parts of the domain name. When 1 is passed, eTLD+1 will be returned, which represents a domain registrable by a single organization. Higher numbers will return subdomains. | no | |
| psl | string | Can be provided to use a different public suffix list. By default, https://publicsuffix.org/list/public_suffix_list.dat is used. | no |
Errors
Theparse_etld function is fallible, which means that
error handling is required for these errors:unable to determine eTLD for
valueExamples
Parse eTLD
Source
parse_etld!("sub.sussex.ac.uk")Return
{
"etld": "ac.uk",
"etld_plus": "ac.uk",
"known_suffix": true
}Parse eTLD+1
Source
parse_etld!("sub.sussex.ac.uk", plus_parts: 1)Return
{
"etld": "ac.uk",
"etld_plus": "sussex.ac.uk",
"known_suffix": true
}parse_glog
fallible pureParses the
value using the glog (Google Logging Library) format.Function spec
parse_glog(value:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes |
Errors
Theparse_glog function is fallible, which means that
error handling is required for these errors:value does not match the glog format.parse_grok
fallible pureFunction spec
parse_grok(value:
<string>
, pattern:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| pattern | string | The Grok pattern. | yes |
Notices
This function has special behavior that you should be aware of.We recommend using community-maintained Grok patterns when possible, as they’re more likely to be properly
vetted and improved over time than bespoke patterns.
Errors
Theparse_grok function is fallible, which means that
error handling is required for these errors:value fails to parse using the provided pattern.parse_groks
fallible pureFunction spec
parse_groks(value:
<string>
, patterns:
<array>
,
[aliases:
<object>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| patterns | array | The Grok patterns, which are tried in order until the first match. | yes | |
| aliases | object | The shared set of grok aliases that can be referenced in the patterns to simplify them. | true | no |
Notices
This function has special behavior that you should be aware of.We recommend using community-maintained Grok patterns when possible, as they’re more likely to be properly
vetted and improved over time than bespoke patterns.
Errors
Theparse_groks function is fallible, which means that
error handling is required for these errors:value fails to parse using the provided pattern.Examples
Parse using multiple Grok patterns
Source
parse_groks!(
"2020-10-02T23:22:12.223222Z info Hello world",
patterns: [
"%{common_prefix} %{_status} %{_message}",
"%{common_prefix} %{_message}",
],
aliases: {
"common_prefix": "%{_timestamp} %{_loglevel}",
"_timestamp": "%{TIMESTAMP_ISO8601:timestamp}",
"_loglevel": "%{LOGLEVEL:level}",
"_status": "%{POSINT:status}",
"_message": "%{GREEDYDATA:message}"
}
)Return
{
"level": "info",
"message": "Hello world",
"timestamp": "2020-10-02T23:22:12.223222Z"
}parse_influxdb
fallible pureParses the
value as an InfluxDB line protocol
string, producing a list of Vector-compatible metrics.Function spec
parse_influxdb(value:
<string>
)
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string representation of the InfluxDB line protocol to parse. | yes |
Notices
This function has special behavior that you should be aware of.This function will return a log event with the shape of a Vector-compatible metric, but not a metric event itself.
You will likely want to pipe the output of this function through a
log_to_metric transform with the option all_metrics
set to true to convert the metric-shaped log events to metric events so real metrics are produced.The only metric type that is produced is a
gauge. Each metric name is prefixed with the measurement field, followed
by an underscore (_), and then the field key field.string is the only type that is not supported as a field value,
due to limitations of Vector’s metric model.Errors
Theparse_influxdb function is fallible, which means that
error handling is required for these errors:value is not a valid InfluxDB line protocol string.field set contains a field value of type
string.field set contains a
NaN field value.Examples
Parse InfluxDB line protocol
Source
parse_influxdb!("cpu,host=A,region=us-west usage_system=64i,usage_user=10u,temperature=50.5,on=true,sleep=false 1590488773254420000")Return
[{"gauge":{"value":64},"kind":"absolute","name":"cpu_usage_system","tags":{"host":"A","region":"us-west"},"timestamp":"2020-05-26T10:26:13.254420Z"},{"gauge":{"value":10},"kind":"absolute","name":"cpu_usage_user","tags":{"host":"A","region":"us-west"},"timestamp":"2020-05-26T10:26:13.254420Z"},{"gauge":{"value":50.5},"kind":"absolute","name":"cpu_temperature","tags":{"host":"A","region":"us-west"},"timestamp":"2020-05-26T10:26:13.254420Z"},{"gauge":{"value":1},"kind":"absolute","name":"cpu_on","tags":{"host":"A","region":"us-west"},"timestamp":"2020-05-26T10:26:13.254420Z"},{"gauge":{"value":0},"kind":"absolute","name":"cpu_sleep","tags":{"host":"A","region":"us-west"},"timestamp":"2020-05-26T10:26:13.254420Z"}]parse_int
fallible pureParses the string
value representing a number in an optional base/radix to an integer.Function spec
parse_int(value:
<string>
,
[base:
<integer>
])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| base | integer | The base the number is in. Must be between 2 and 36 (inclusive). If unspecified, the string prefix is used to determine the base: “0b”, 8 for “0” or “0o”, 16 for “0x”, and 10 otherwise. | no |
Errors
Theparse_int function is fallible, which means that
error handling is required for these errors:The base is not between 2 and 36.
The number cannot be parsed in the base.
parse_json
fallible pureParses the
value as JSON.Function spec
parse_json(value:
<string>
,
[max_depth:
<integer>
, lossy:
<boolean>
])
:: <boolean | integer | float | string | object | array | null>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string representation of the JSON to parse. | yes | |
| max_depth | integer | Number of layers to parse for nested JSON-formatted documents. The value must be in the range of 1 to 128. | no | |
| lossy | boolean | Whether to parse the JSON in a lossy manner. Replaces invalid UTF-8 characters
with the Unicode character � (U+FFFD) if set to true, otherwise returns an error
if there are any invalid UTF-8 characters present. | true | no |
Notices
This function has special behavior that you should be aware of.Only JSON types are returned. If you need to convert a
string into a timestamp, consider the
parse_timestamp function.Errors
Theparse_json function is fallible, which means that
error handling is required for these errors:value is not a valid JSON-formatted payload.parse_key_value
fallible pureParses the value in key-value format. Also known as logfmt.
- Keys and values can be wrapped with
". "characters can be escaped using\.
Function spec
parse_key_value(value:
<string>
,
[key_value_delimiter:
<string>
, field_delimiter:
<string>
, whitespace:
<string>
, accept_standalone_key:
<boolean>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| key_value_delimiter | string | The string that separates the key from the value. | = | no |
| field_delimiter | string | The string that separates each key-value pair. | | no |
| whitespace | string | Defines the acceptance of unnecessary whitespace surrounding the configured key_value_delimiter. | lenient | no |
| accept_standalone_key | boolean | Whether a standalone key should be accepted, the resulting object associates such keys with the boolean value true. | true | no |
Notices
This function has special behavior that you should be aware of.All values are returned as strings or as an array of strings for duplicate keys. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_key_value function is fallible, which means that
error handling is required for these errors:value is not a properly formatted key-value string.Examples
Parse logfmt log
Source
parse_key_value!(
"@timestamp=\"Sun Jan 10 16:47:39 EST 2021\" level=info msg=\"Stopping all fetchers\" tag#production=stopping_fetchers id=ConsumerFetcherManager-1382721708341 module=kafka.consumer.ConsumerFetcherManager"
)Return
{
"@timestamp": "Sun Jan 10 16:47:39 EST 2021",
"id": "ConsumerFetcherManager-1382721708341",
"level": "info",
"module": "kafka.consumer.ConsumerFetcherManager",
"msg": "Stopping all fetchers",
"tag#production": "stopping_fetchers"
}Parse comma delimited log
Source
parse_key_value!(
"path:\"/cart_link\", host:store.app.com, fwd: \"102.30.171.16\", dyno: web.1, connect:0ms, service:87ms, status:304, bytes:632, protocol:https",
field_delimiter: ",",
key_value_delimiter: ":"
)Return
{
"bytes": "632",
"connect": "0ms",
"dyno": "web.1",
"fwd": "102.30.171.16",
"host": "store.app.com",
"path": "/cart_link",
"protocol": "https",
"service": "87ms",
"status": "304"
}parse_klog
fallible pureParses the
value using the klog format used by Kubernetes components.Function spec
parse_klog(value:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes |
Errors
Theparse_klog function is fallible, which means that
error handling is required for these errors:value does not match the klog format.parse_linux_authorization
fallible pureParses Linux authorization logs usually found under either
/var/log/auth.log (for Debian-based systems) or
/var/log/secure (for RedHat-based systems) according to Syslog format.Function spec
parse_linux_authorization(value:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text containing the message to parse. | yes |
Notices
This function has special behavior that you should be aware of.The function resolves the year for messages that don’t include it. If the current month is January, and the message is for
December, it will take the previous year. Otherwise, take the current year.
Errors
Theparse_linux_authorization function is fallible, which means that
error handling is required for these errors:value is not a properly formatted Syslog message.Examples
Parse Linux authorization event
Source
parse_linux_authorization!(
s'Mar 23 2023 01:49:58 localhost sshd[1111]: Accepted publickey for eng from 10.1.1.1 port 8888 ssh2: RSA SHA256:foobar'
)Return
{
"appname": "sshd",
"hostname": "localhost",
"message": "Accepted publickey for eng from 10.1.1.1 port 8888 ssh2: RSA SHA256:foobar",
"procid": 1111,
"timestamp": "2023-03-23T01:49:58Z"
}parse_logfmt
fallible pureParses the value in logfmt.
- Keys and values can be wrapped using the
"character. "characters can be escaped by the\character.- As per this logfmt specification, the
parse_logfmtfunction accepts standalone keys and assigns them a Boolean value oftrue.
Function spec
parse_logfmt(value:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes |
Errors
Theparse_logfmt function is fallible, which means that
error handling is required for these errors:value is not a properly formatted key-value stringExamples
Parse logfmt log
Source
parse_logfmt!(
"@timestamp=\"Sun Jan 10 16:47:39 EST 2021\" level=info msg=\"Stopping all fetchers\" tag#production=stopping_fetchers id=ConsumerFetcherManager-1382721708341 module=kafka.consumer.ConsumerFetcherManager"
)Return
{
"@timestamp": "Sun Jan 10 16:47:39 EST 2021",
"id": "ConsumerFetcherManager-1382721708341",
"level": "info",
"module": "kafka.consumer.ConsumerFetcherManager",
"msg": "Stopping all fetchers",
"tag#production": "stopping_fetchers"
}parse_nginx_log
fallible pureParses Nginx access and error log lines. Lines can be in
combined,
ingress_upstreaminfo, or error format.Function spec
parse_nginx_log(value:
<string>
, format:
<string>
,
[timestamp_format:
<string>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| format | string | The format to use for parsing the log. | yes | |
| timestamp_format | string | The date/time format to use for encoding the timestamp. The time is parsed
in local time if the timestamp doesn’t specify a timezone. The default format is %d/%b/%Y:%T %z for
combined logs and %Y/%m/%d %H:%M:%S for error logs. | %d/%b/%Y:%T %z | no |
Notices
This function has special behavior that you should be aware of.Missing information in the log message may be indicated by
-. These fields are omitted in the result.In case of
ingress_upstreaminfo format the following fields may be safely omitted in the log message: remote_addr, remote_user, http_referer, http_user_agent, proxy_alternative_upstream_name, upstream_addr, upstream_response_length, upstream_response_time, upstream_status.Errors
Theparse_nginx_log function is fallible, which means that
error handling is required for these errors:value does not match the specified format.timestamp_format is not a valid format string.The timestamp in
value fails to parse using the provided timestamp_format.Examples
Parse via Nginx log format (combined)
Source
parse_nginx_log!(
s'172.17.0.1 - alice [01/Apr/2021:12:02:31 +0000] "POST /not-found HTTP/1.1" 404 153 "http://localhost/somewhere" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" "2.75"',
"combined",
)Return
{
"agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
"client": "172.17.0.1",
"compression": "2.75",
"referer": "http://localhost/somewhere",
"request": "POST /not-found HTTP/1.1",
"size": 153,
"status": 404,
"timestamp": "2021-04-01T12:02:31Z",
"user": "alice"
}Parse via Nginx log format (error)
Source
parse_nginx_log!(
s'2021/04/01 13:02:31 [error] 31#31: *1 open() "/usr/share/nginx/html/not-found" failed (2: No such file or directory), client: 172.17.0.1, server: localhost, request: "POST /not-found HTTP/1.1", host: "localhost:8081"',
"error"
)Return
{
"cid": 1,
"client": "172.17.0.1",
"host": "localhost:8081",
"message": "open() \"/usr/share/nginx/html/not-found\" failed (2: No such file or directory)",
"pid": 31,
"request": "POST /not-found HTTP/1.1",
"server": "localhost",
"severity": "error",
"tid": 31,
"timestamp": "2021-04-01T13:02:31Z"
}Parse via Nginx log format (ingress_upstreaminfo)
Source
parse_nginx_log!(
s'0.0.0.0 - bob [18/Mar/2023:15:00:00 +0000] "GET /some/path HTTP/2.0" 200 12312 "https://10.0.0.1/some/referer" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" 462 0.050 [some-upstream-service-9000] [some-other-upstream-5000] 10.0.50.80:9000 19437 0.049 200 752178adb17130b291aefd8c386279e7',
"ingress_upstreaminfo"
)Return
{
"body_bytes_size": 12312,
"http_referer": "https://10.0.0.1/some/referer",
"http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
"proxy_alternative_upstream_name": "some-other-upstream-5000",
"proxy_upstream_name": "some-upstream-service-9000",
"remote_addr": "0.0.0.0",
"remote_user": "bob",
"req_id": "752178adb17130b291aefd8c386279e7",
"request": "GET /some/path HTTP/2.0",
"request_length": 462,
"request_time": 0.05,
"status": 200,
"timestamp": "2023-03-18T15:00:00Z",
"upstream_addr": "10.0.50.80:9000",
"upstream_response_length": 19437,
"upstream_response_time": 0.049,
"upstream_status": 200
}parse_proto
fallible pureParses the
value as a protocol buffer payload.Function spec
parse_proto(value:
<string>
, desc_file:
<string>
, message_type:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The protocol buffer payload to parse. | yes | |
| desc_file | string | The path to the protobuf descriptor set file. Must be a literal string. This file is the output of protoc -o | yes | |
| message_type | string | The name of the message type to use for serializing. Must be a literal string. | yes |
Notices
This function has special behavior that you should be aware of.Only proto messages are parsed and returned.Errors
Theparse_proto function is fallible, which means that
error handling is required for these errors:value is not a valid proto payload.desc_file file does not exist.message_type message type does not exist in the descriptor file.parse_query_string
infallible pureParses the
value as a query string.Function spec
parse_query_string(value:
<string>
)
:: <object>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes |
parse_regex
fallible pureParses the value using the provided Regex pattern.
This function differs from the parse_regex_all function in that it returns only the first match.
Function spec
parse_regex(value:
<string>
, pattern:
<regex>
,
[numeric_groups:
<regex>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to search. | yes | |
| pattern | regex | The regular expression pattern to search against. | yes | |
| numeric_groups | regex | If true, the index of each group in the regular expression is also captured. Index 0
contains the whole match. | no |
Notices
This function has special behavior that you should be aware of.VRL aims to provide purpose-specific parsing functions for common log formats.
Before reaching for the
parse_regex function, see if a VRL parse_* function
already exists for your format. If not, we recommend opening an issue to request
support for the desired format.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_regex function is fallible, which means that
error handling is required for these errors:value fails to parse using the provided pattern.parse_regex_all
fallible pureParses the value using the provided Regex pattern.
This function differs from the parse_regex function in that it returns all matches, not just the first.
Function spec
parse_regex_all(value:
<string>
, pattern:
<regex>
,
[numeric_groups:
<regex>
])
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to search. | yes | |
| pattern | regex | The regular expression pattern to search against. | yes | |
| numeric_groups | regex | If true, the index of each group in the regular expression is also captured. Index 0
contains the whole match. | no |
Notices
This function has special behavior that you should be aware of.VRL aims to provide purpose-specific parsing functions for common log formats.
Before reaching for the
parse_regex function, see if a VRL parse_* function
already exists for your format. If not, we recommend opening an issue to request
support for the desired format.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_regex_all function is fallible, which means that
error handling is required for these errors:value fails to parse using the provided pattern.parse_ruby_hash
fallible pureParses the
value as ruby hash.Function spec
parse_ruby_hash(value:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string representation of the ruby hash to parse. | yes |
Notices
This function has special behavior that you should be aware of.Only ruby types are returned. If you need to convert a
string into a timestamp, consider the
parse_timestamp function.Errors
Theparse_ruby_hash function is fallible, which means that
error handling is required for these errors:value is not a valid ruby hash formatted payload.parse_syslog
fallible pureParses the
value in Syslog format.Function spec
parse_syslog(value:
<string>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text containing the Syslog message to parse. | yes |
Notices
This function has special behavior that you should be aware of.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_syslog function is fallible, which means that
error handling is required for these errors:value is not a properly formatted Syslog message.Examples
Parse Syslog log (5424)
Source
parse_syslog!(
s'<13>1 2020-03-13T20:45:38.119Z dynamicwireless.name non 2426 ID931 [exampleSDID@32473 iut="3" eventSource= "Application" eventID="1011"] Try to override the THX port, maybe it will reboot the neural interface!'
)Return
{
"appname": "non",
"exampleSDID@32473": {
"eventID": "1011",
"eventSource": "Application",
"iut": "3"
},
"facility": "user",
"hostname": "dynamicwireless.name",
"message": "Try to override the THX port, maybe it will reboot the neural interface!",
"msgid": "ID931",
"procid": 2426,
"severity": "notice",
"timestamp": "2020-03-13T20:45:38.119Z",
"version": 1
}parse_timestamp
fallible pureFunction spec
parse_timestamp(value:
<string>
, format:
<string>
)
:: <timestamp>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text of the timestamp. | yes | |
| format | string | The strptime format. | yes |
Errors
Theparse_timestamp function is fallible, which means that
error handling is required for these errors:value fails to parse using the provided format.parse_tokens
fallible pureParses the value in token format. A token is considered to be one of the following:
- A word surrounded by whitespace.
- Text delimited by double quotes:
"..". Quotes can be included in the token if they are escaped by a backslash (\). - Text delimited by square brackets:
[..]. Closing square brackets can be included in the token if they are escaped by a backslash (\).
Function spec
parse_tokens(value:
<string>
)
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to tokenize. | yes |
Notices
This function has special behavior that you should be aware of.All token values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_tokens function is fallible, which means that
error handling is required for these errors:value is not a properly formatted tokenized string.parse_url
fallible pureParses the
value in URL format.Function spec
parse_url(value:
<string>
,
[default_known_ports:
<boolean>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text of the URL. | yes | |
| default_known_ports | boolean | If true and the port number is not specified in the input URL
string (or matches the default port for the scheme), it is
populated from well-known ports for the following schemes:
http, https, ws, wss, and ftp. | no |
Errors
Theparse_url function is fallible, which means that
error handling is required for these errors:value is not a properly formatted URL.Examples
Parse URL
Source
parse_url!("ftp://foo:bar@example.com:4343/foobar?hello=world#123")Return
{
"fragment": "123",
"host": "example.com",
"password": "bar",
"path": "/foobar",
"port": 4343,
"query": {
"hello": "world"
},
"scheme": "ftp",
"username": "foo"
}Parse URL with default port
Source
parse_url!("https://example.com", default_known_ports: true)Return
{
"fragment": null,
"host": "example.com",
"password": "",
"path": "/",
"port": 443,
"query": {},
"scheme": "https",
"username": ""
}parse_user_agent
infallible pureParses the
value as a user agent string, which has a loosely defined format
so this parser only provides best effort guarantee.Function spec
parse_user_agent(value:
<string>
,
[mode:
<string>
])
:: <object>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| mode | string | Determines performance and reliability characteristics. | fast | no |
Notices
This function has special behavior that you should be aware of.All values are returned as strings or as null. We recommend manually coercing values to desired types as you see fit.
Different modes return different schema.
Field which were not parsed out are set as
null.Examples
Fast mode
Source
parse_user_agent(
"Mozilla Firefox 1.0.1 Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.6) Gecko/20050223 Firefox/1.0.1"
)Return
{
"browser": {
"family": "Firefox",
"version": "1.0.1"
},
"device": {
"category": "pc"
},
"os": {
"family": "Linux",
"version": null
}
}Reliable mode
Source
parse_user_agent(
"Mozilla/4.0 (compatible; MSIE 7.66; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
mode: "reliable"
)Return
{
"browser": {
"family": "Internet Explorer",
"version": "7.66"
},
"device": {
"category": "pc"
},
"os": {
"family": "Windows XP",
"version": "NT 5.1"
}
}Enriched mode
Source
parse_user_agent(
"Opera/9.80 (J2ME/MIDP; Opera Mini/4.3.24214; iPhone; CPU iPhone OS 4_2_1 like Mac OS X; AppleWebKit/24.783; U; en) Presto/2.5.25 Version/10.54",
mode: "enriched"
)Return
{
"browser": {
"family": "Opera Mini",
"major": "4",
"minor": "3",
"patch": "24214",
"version": "10.54"
},
"device": {
"brand": "Apple",
"category": "smartphone",
"family": "iPhone",
"model": "iPhone"
},
"os": {
"family": "iOS",
"major": "4",
"minor": "2",
"patch": "1",
"patch_minor": null,
"version": "4.2.1"
}
}parse_xml
fallible pureParses the
value as XML.Function spec
parse_xml(value:
<string>
,
[include_attr:
<boolean>
, attr_prefix:
<string>
, text_key:
<string>
, always_use_text_key:
<boolean>
, parse_bool:
<boolean>
, parse_null:
<boolean>
, parse_number:
<boolean>
])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string representation of the XML document to parse. | yes | |
| include_attr | boolean | Include XML tag attributes in the returned object. | true | no |
| attr_prefix | string | String prefix to use for XML tag attribute keys. | @ | no |
| text_key | string | Key name to use for expanded text nodes. | text | no |
| always_use_text_key | boolean | Always return text nodes as {"<text_key>": "value"}. | no | |
| parse_bool | boolean | Parse “true” and “false” as boolean. | true | no |
| parse_null | boolean | Parse “null” as null. | true | no |
| parse_number | boolean | Parse numbers as integers/floats. | true | no |
Notices
This function has special behavior that you should be aware of.Valid XML must contain exactly one root node. Always returns an object.
Errors
Theparse_xml function is fallible, which means that
error handling is required for these errors:value is not a valid XML document.Examples
Parse XML
Source
value = s'<book category="CHILDREN"><title lang="en">Harry Potter</title><author>J K. Rowling</author><year>2005</year></book>';
parse_xml!(value, text_key: "value", parse_number: false)Return
{
"book": {
"@category": "CHILDREN",
"author": "J K. Rowling",
"title": {
"@lang": "en",
"value": "Harry Potter"
},
"year": "2005"
}
}Random functions
random_bool
infallible pureReturns a random boolean.
random_bytes
fallible pureA cryptographically secure random number generator. Returns a string value containing the number of
random bytes requested.
Function spec
random_bytes(length:
<integer>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| length | integer | The number of bytes to generate. Must not be larger than 64k. | yes |
Errors
Therandom_bytes function is fallible, which means that
error handling is required for these errors:length is negative.length is larger than the maximum value (64k).random_float
fallible pureReturns a random float between [min, max).
Function spec
random_float(min:
<float>
, max:
<float>
)
:: <float>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| min | float | Minimum value (inclusive). | yes | |
| max | float | Maximum value (exclusive). | yes |
Errors
Therandom_float function is fallible, which means that
error handling is required for these errors:max is not greater than min.random_int
fallible pureReturns a random integer between [min, max).
Function spec
random_int(min:
<integer>
, max:
<integer>
)
:: <integer>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| min | integer | Minimum value (inclusive). | yes | |
| max | integer | Maximum value (exclusive). | yes |
Errors
Therandom_int function is fallible, which means that
error handling is required for these errors:max is not greater than min.uuid_from_friendly_id
fallible pureConvert a Friendly ID (base62 encoding a 128-bit word) to a UUID.
Function spec
uuid_from_friendly_id(value:
<timestamp>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | timestamp | A string that is a Friendly ID | yes |
Errors
Theuuid_from_friendly_id function is fallible, which means that
error handling is required for these errors:value is a string but the text uses characters outside of class [0-9A-Za-z].value is a base62 encoding of an integer, but the integer is greater than or equal to 2^128.uuid_v4
infallible pureGenerates a random UUIDv4 string.
uuid_v7
infallible pureGenerates a random UUIDv7 string.
String functions
camelcase
infallible pureTakes the
value string, and turns it into camelCase. Optionally, you can
pass in the existing case of the function, or else an attempt is made to determine the case automatically.Function spec
camelcase(value:
<string>
,
[original_case:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to convert to camelCase. | yes | |
| original_case | string | Optional hint on the original case type. Must be one of: kebab-case, camelCase, PascalCase, SCREAMING_SNAKE, snake_case | no |
community_id
infallible pureGenerates an ID based on the Community ID Spec.
Function spec
community_id(source_ip:
<string>
, destination_ip:
<string>
, protocol:
<integer>
,
[source_port:
<integer>
, destination_port:
<integer>
, seed:
<integer>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| source_ip | string | The source IP address. | yes | |
| destination_ip | string | The destination IP address. | yes | |
| protocol | integer | The protocol number. | yes | |
| source_port | integer | The source port or ICMP type. | no | |
| destination_port | integer | The destination port or ICMP code. | no | |
| seed | integer | The custom seed number. | no |
contains
infallible pureDetermines whether the
value string contains the specified substring.Function spec
contains(value:
<string>
, substring:
<string>
,
[case_sensitive:
<boolean>
])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text to search. | yes | |
| substring | string | The substring to search for in value. | yes | |
| case_sensitive | boolean | Whether the match should be case sensitive. | true | no |
contains_all
infallible pureDetermines whether the
value string contains all the specified substrings.Function spec
contains_all(value:
<string>
, substrings:
<array>
,
[case_sensitive:
<boolean>
])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text to search. | yes | |
| substrings | array | An array of substrings to search for in value. | yes | |
| case_sensitive | boolean | Whether the match should be case sensitive. | no |
downcase
infallible pureDowncases the
value string, where downcase is defined according to the
Unicode Derived Core Property Lowercase.ends_with
infallible pureDetermines whether the
value string ends with the specified substring.Function spec
ends_with(value:
<string>
, substring:
<string>
,
[case_sensitive:
<boolean>
])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to search. | yes | |
| substring | string | The substring with which value must end. | yes | |
| case_sensitive | boolean | Whether the match should be case sensitive. | true | no |
find
infallible pureDetermines from left to right the start position of the first found element in
value
that matches pattern. Returns -1 if not found.Function spec
find(value:
<string>
, pattern:
<regex | string>
,
[from:
<integer>
])
:: <integer>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to find the pattern in. | yes | |
| pattern | regex string | The regular expression or string pattern to match against. | yes | |
| from | integer | Offset to start searching. | no |
join
infallible pureJoins each string in the
value array into a single string, with items optionally separated from one another
by a separator.kebabcase
infallible pureTakes the
value string, and turns it into kebab-case. Optionally, you can
pass in the existing case of the function, or else we will try to figure out the case automatically.Function spec
kebabcase(value:
<string>
,
[original_case:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to convert to kebab-case. | yes | |
| original_case | string | Optional hint on the original case type. Must be one of: kebab-case, camelCase, PascalCase, SCREAMING_SNAKE, snake_case | no |
match
infallible pureDetermines whether the
value matches the pattern.match_any
infallible pureDetermines whether
value matches any of the given patterns. All
patterns are checked in a single pass over the target string, giving this
function a potential performance advantage over the multiple calls
in the match function.parse_float
infallible pureParses the string
value representing a floating point number in base 10 to a float.pascalcase
infallible pureTakes the
value string, and turns it into PascalCase. Optionally, you can
pass in the existing case of the function, or else we will try to figure out the case automatically.Function spec
pascalcase(value:
<string>
,
[original_case:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to convert to PascalCase. | yes | |
| original_case | string | Optional hint on the original case type. Must be one of: kebab-case, camelCase, PascalCase, SCREAMING_SNAKE, snake_case | no |
redact
infallible pureRedact sensitive data in value such as:
- US social security card numbers
- Other forms of personally identifiable information with custom patterns
This can help achieve compliance by ensuring sensitive data does not leave your network.
Function spec
redact(value:
<string | object | array>
, filters:
<array>
,
[redactor:
<string | object>
])
:: <string | object | array>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string object array | The value to redact sensitive data from. The function’s behavior depends on
For arrays and objects, the function recurses into any nested arrays or objects. Any non-string elements are skipped. Redacted text is replaced with | yes | |
| filters | array | List of filters applied to Each filter can be specified in the following ways:
Named filters can be a:
See examples for more details. This parameter must be a static expression so that the argument can be validated at compile-time to avoid runtime errors. You cannot use variables or other dynamic expressions with it. | yes | |
| redactor | string object | Specifies what to replace the redacted strings with. It is given as an object with a “type” key specifying the type of redactor to use and additional keys depending on the type. The following types are supported:
As a convenience you can use a string as a shorthand for common redactor patterns:
This parameter must be a static expression so that the argument can be validated at compile-time to avoid runtime errors. You cannot use variables or other dynamic expressions with it. | no |
Examples
Replace text using a regex
Source
redact("my id is 123456", filters: [r'\d+'])Return
my id is [REDACTED]Replace us social security numbers in any field
Source
redact({ "name": "John Doe", "ssn": "123-12-1234"}, filters: ["us_social_security_number"])Return
{
"name": "John Doe",
"ssn": "[REDACTED]"
}Replace with custom text
Source
redact("my id is 123456", filters: [r'\d+'], redactor: {"type": "text", "replacement": "***"})Return
my id is ***Replace with SHA-2 hash
Source
redact("my id is 123456", filters: [r'\d+'], redactor: "sha2")Return
my id is GEtTedW1p6tC094dDKH+3B8P+xSnZz69AmpjaXRd63I=replace
infallible pureReplaces all matching instances of pattern in value.
The pattern argument accepts regular expression capture groups.
Note when using capture groups:
- You will need to escape the
$by using$$to avoid Vector interpreting it as an environment variable when loading configuration - If you want a literal
$in the replacement pattern, you will also need to escape this with$$. When combined with environment variable interpolation in config files this means you will need to use$$$$to have a literal$in the replacement pattern.
Function spec
replace(value:
<string>
, pattern:
<regex | string>
, with:
<string>
,
[count:
<integer>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The original string. | yes | |
| pattern | regex string | Replace all matches of this pattern. Can be a static string or a regular expression. | yes | |
| with | string | The string that the matches are replaced with. | yes | |
| count | integer | The maximum number of replacements to perform. -1 means replace all matches. | -1 | no |
replace_with
infallible pureReplaces all matching instances of pattern using a closure.
The pattern argument accepts a regular expression that can use capture groups.
The function uses the function closure syntax to compute the replacement values.
The closure takes a single parameter, which is an array, where the first item is always
present and contains the entire string that matched pattern. The items from index one on
contain the capture groups of the corresponding index. If a capture group is optional, the
value may be null if it didn’t match.
The value returned by the closure must be a string and will replace the section of the input that was matched.
This returns a new string with the replacements, the original string is not mutated.
Function spec
replace_with(value:
<string>
, pattern:
<regex>
,
[count:
<integer>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The original string. | yes | |
| pattern | regex | Replace all matches of this pattern. Must be a regular expression. | yes | |
| count | integer | The maximum number of replacements to perform. -1 means replace all matches. | -1 | no |
Examples
Capitalize words
Source
replace_with("apples and bananas", r'\b(\w)(\w*)') -> |match| {
upcase!(match.captures[0]) + string!(match.captures[1])
}Return
Apples And BananasReplace with hash
Source
replace_with("email from test@example.com", r'\w+@example.com') -> |match| {
sha2(match.string, variant: "SHA-512/224")
}Return
email from adf6e1bc4415d24912bd93072ad34ef825a7b6eb3bf53f68def1fc17screamingsnakecase
infallible pureTakes the
value string, and turns it into SCREAMING_SNAKE case. Optionally, you can
pass in the existing case of the function, or else we will try to figure out the case automatically.Function spec
screamingsnakecase(value:
<string>
,
[original_case:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to convert to SCREAMING_SNAKE case. | yes | |
| original_case | string | Optional hint on the original case type. Must be one of: kebab-case, camelCase, PascalCase, SCREAMING_SNAKE, snake_case | no |
sieve
infallible pureKeeps only matches of pattern in value.
This can be used to define patterns that are allowed in the string and remove everything else.
Function spec
sieve(value:
<string>
, pattern:
<regex>
,
[replace_single:
<string>
, replace_repeated:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The original string. | yes | |
| pattern | regex | Keep all matches of this pattern. | yes | |
| replace_single | string | The string to use to replace single rejected characters. | no | |
| replace_repeated | string | The string to use to replace multiple sequential instances of rejected characters. | no |
slice
infallible pureReturns a slice of value between the start and end positions.
If the start and end parameters are negative, they refer to positions counting from the right of the
string or array. If end refers to a position that is greater than the length of the string or array,
a slice up to the end of the string or array is returned.
Function spec
slice(value:
<array | string>
, start:
<integer>
,
[end:
<integer>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array string | The string or array to slice. | yes | |
| start | integer | The inclusive start position. A zero-based index that can be negative. | yes | |
| end | integer | The exclusive end position. A zero-based index that can be negative. | String length | no |
snakecase
infallible pureTakes the
value string, and turns it into snake-case. Optionally, you can
pass in the existing case of the function, or else we will try to figure out the case automatically.Function spec
snakecase(value:
<string>
,
[original_case:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to convert to snake-case. | yes | |
| original_case | string | Optional hint on the original case type. Must be one of: kebab-case, camelCase, PascalCase, SCREAMING_SNAKE, snake_case | no |
split
infallible pureSplits the
value string using pattern.Function spec
split(value:
<string>
, pattern:
<string | regex>
,
[limit:
<integer>
])
:: <array>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to split. | yes | |
| pattern | string regex | The string is split whenever this pattern is matched. | yes | |
| limit | integer | The maximum number of substrings to return. | no |
starts_with
infallible pureDetermines whether
value begins with substring.Function spec
starts_with(value:
<string>
, substring:
<string>
,
[case_sensitive:
<boolean>
])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to search. | yes | |
| substring | string | The substring that the value must start with. | yes | |
| case_sensitive | boolean | Whether the match should be case sensitive. | true | no |
strip_ansi_escape_codes
infallible pureStrips ANSI escape codes from
value.strip_whitespace
infallible pureStrips whitespace from the start and end of
value, where whitespace is defined by the Unicode
White_Space property.truncate
infallible pureTruncates the
value string up to the limit number of characters.Function spec
truncate(value:
<string>
, limit:
<integer | float>
,
[ellipsis:
<boolean>
, suffix:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to truncate. | yes | |
| limit | integer float | The number of characters to truncate the string after. | yes | |
| ellipsis | boolean | This argument is deprecated. An ellipsis (...) is appended if the parameter is set to true and the value string
is truncated because it exceeded the limit. | no | |
| suffix | string | A custom suffix (...) is appended to truncated strings.
If ellipsis is set to true, this parameter is ignored for backwards compatibility. | no |
upcase
infallible pureUpcases
value, where upcase is defined according to the Unicode Derived Core Property
Uppercase.System functions
get_env_var
fallible pureReturns the value of the environment variable specified by
name.Function spec
get_env_var(name:
<string>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| name | string | The name of the environment variable. | yes |
Errors
Theget_env_var function is fallible, which means that
error handling is required for these errors:Environment variable
name does not exist.The value of environment variable
name is not valid Unicodeget_hostname
fallible pureReturns the local system’s hostname.
Function spec
get_hostname()
:: <string>
, <error>
required
optional
<types | ...>
Errors
Theget_hostname function is fallible, which means that
error handling is required for these errors:Internal hostname resolution failed.
get_timezone_name
fallible pureReturns the name of the timezone in the Vector configuration (see
global configuration options).
If the configuration is set to
local, then it attempts to
determine the name of the timezone from the host OS. If this
is not possible, then it returns the fixed offset of the
local timezone for the current time in the format "[+-]HH:MM",
for example, "+02:00".Function spec
get_timezone_name()
:: <string>
, <error>
required
optional
<types | ...>
Errors
Theget_timezone_name function is fallible, which means that
error handling is required for these errors:Retrieval of local timezone information failed.
Timestamp functions
format_timestamp
infallible pureFormats
value into a string representation of the timestamp.Function spec
format_timestamp(value:
<timestamp>
, format:
<string>
,
[timezone:
<string>
])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | timestamp | The timestamp to format as text. | yes | |
| format | string | The format string as described by the Chrono library. | yes | |
| timezone | string | The timezone to use when formatting the timestamp. The parameter uses the TZ identifier or local. | no |
now
infallible pureReturns the current timestamp in the UTC timezone with nanosecond precision.
Type functions
array
fallible pureReturns
value if it is an array, otherwise returns an error. This enables the type checker to guarantee that the
returned value is an array and can be used in any function that expects an array.Function spec
array(value:
<any>
)
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to check if it is an array. | yes |
Errors
Thearray function is fallible, which means that
error handling is required for these errors:value is not an array.bool
fallible pureReturns
value if it is a Boolean, otherwise returns an error. This enables the type checker to guarantee that the
returned value is a Boolean and can be used in any function that expects a Boolean.Function spec
bool(value:
<any>
)
:: <boolean>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to check if it is a Boolean. | yes |
Errors
Thebool function is fallible, which means that
error handling is required for these errors:value is not a Boolean.float
fallible pureReturns
value if it is a float, otherwise returns an error. This enables the type checker to guarantee that the
returned value is a float and can be used in any function that expects a float.Function spec
float(value:
<any>
)
:: <float>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to check if it is a float. | yes |
Errors
Thefloat function is fallible, which means that
error handling is required for these errors:value is not a float.int
fallible pureReturns
value if it is an integer, otherwise returns an error. This enables the type checker to guarantee that the
returned value is an integer and can be used in any function that expects an integer.Function spec
int(value:
<any>
)
:: <integer>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to check if it is an integer. | yes |
Errors
Theint function is fallible, which means that
error handling is required for these errors:value is not an integer.is_array
infallible pureCheck if the
value’s type is an array.is_boolean
infallible pureCheck if the
value’s type is a boolean.is_empty
infallible pureCheck if the object, array, or string has a length of
0.is_float
infallible pureCheck if the
value’s type is a float.is_integer
infallible pureCheck if the value`’s type is an integer.
is_json
infallible pureCheck if the string is a valid JSON document.
is_nullish
infallible pureDetermines whether
value is nullish, where nullish denotes the absence of a
meaningful value.is_object
infallible pureCheck if
value’s type is an object.is_regex
infallible pureCheck if
value’s type is a regex.is_string
infallible pureCheck if
value’s type is a string.is_timestamp
infallible pureCheck if
value’s type is a timestamp.object
fallible pureReturns
value if it is an object, otherwise returns an error. This enables the type checker to guarantee that the
returned value is an object and can be used in any function that expects an object.Function spec
object(value:
<any>
)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to check if it is an object. | yes |
Errors
Theobject function is fallible, which means that
error handling is required for these errors:value is not an object.string
fallible pureReturns
value if it is a string, otherwise returns an error. This enables the type checker to guarantee that the
returned value is a string and can be used in any function that expects a string.Function spec
string(value:
<any>
)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to check if it is a string. | yes |
Errors
Thestring function is fallible, which means that
error handling is required for these errors:value is not a string.tag_types_externally
infallible pureAdds type information to all (nested) scalar values in the provided value.
The type information is added externally, meaning that value has the form of "type": value after this
transformation.
Function spec
tag_types_externally(value:
<any>
)
:: <object | array | null>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to tag with types. | yes |
Examples
Tag types externally (object)
Source
tag_types_externally({
"message": "Hello world",
"request": {
"duration_ms": 67.9
}
})Return
{
"message": {
"string": "Hello world"
},
"request": {
"duration_ms": {
"float": 67.9
}
}
}timestamp
fallible pureReturns
value if it is a timestamp, otherwise returns an error. This enables the type checker to guarantee that
the returned value is a timestamp and can be used in any function that expects a timestamp.Function spec
timestamp(value:
<any>
)
:: <timestamp>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to check if it is a timestamp. | yes |
Errors
Thetimestamp function is fallible, which means that
error handling is required for these errors:value is not a timestamp.