VRL function reference
Here you’ll find a comprehensive list of all built-in VRL functions. Functions are categorized by their purpose and sorted alphabetically for easy discovery. To use these functions in Vector, see the documentation on function call expressions and Vector’s remap transform.
Array functions
Codec functions
decode_base64
fallibleDecodes the
value (a Base64 string) into its original string.Function spec
decode_base64(value:
<string>,
[charset:
<string>])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The Base64 data to decode. | yes | |
| charset | string | The character set to use when decoding the data. | standard | no |
Errors
Thedecode_base64 function is fallible, which means that
error handling is required for these errors:value isn’t a valid encoded Base64 string.decode_percent
infallibleDecodes a percent-encoded
value like a URL.encode_base64
infallibleEncodes the
value to Base64.Function spec
encode_base64(value:
<string>,
[padding:
<boolean>, charset:
<string>])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to encode. | yes | |
| padding | boolean | Whether the Base64 output is padded. | true | no |
| charset | string | The character set to use when encoding the data. | standard | no |
encode_json
infallibleEncodes the
value to JSON.encode_key_value
fallibleEncodes the
value to in key/value format with customizable delimiters. Default delimiters match
the logfmt format.Function spec
encode_key_value(value:
<object>,
[fields_ordering:
<array>, key_value_delimiter:
<string>, field_delimiter:
<string>, flatten_boolean:
<boolean>])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object | The value to convert to a string. | yes | |
| fields_ordering | array | The ordering of fields to preserve. Any fields not in this list will appear unordered, after any ordered fields. | no | |
| key_value_delimiter | string | The string that separates the key from the value. | = | no |
| field_delimiter | string | The string that separates each key/value pair. | | no |
| flatten_boolean | boolean | Whether to encode key/value with a boolean value as a standalone key if true and nothing if false. | no |
Notices
This function has special behavior that you should be aware of.If
fields_ordering is specified then the function is fallible else it is infallible.Errors
Theencode_key_value function is fallible, which means that
error handling is required for these errors:fields_ordering contains a non-string elementExamples
Encode with default delimiters (no ordering)
Source
encode_key_value({"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info"})Return
lvl=info msg="This is a message" ts=2021-06-05T17:20:00ZEncode with default delimiters (fields ordering)
Source
encode_key_value!({"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info", "log_id": 12345}, ["ts", "lvl", "msg"])Return
ts=2021-06-05T17:20:00Z lvl=info msg="This is a message" log_id=12345Encode with default delimiters (nested fields)
Source
encode_key_value({"agent": {"name": "vector"}, "log": {"file": {"path": "my.log"}}, "event": "log"})Return
agent.name=vector event=log log.file.path=my.logEncode with default delimiters (nested fields ordering)
Source
encode_key_value!({"agent": {"name": "vector"}, "log": {"file": {"path": "my.log"}}, "event": "log"}, ["event", "log.file.path", "agent.name"])Return
event=log log.file.path=my.log agent.name=vectorEncode with custom delimiters (no ordering)
Source
encode_key_value(
{"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info"},
field_delimiter: ",",
key_value_delimiter: ":"
)Return
lvl:info,msg:"This is a message",ts:2021-06-05T17:20:00ZEncode with custom delimiters and flatten boolean
Source
encode_key_value(
{"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info", "beta": true, "dropped": false},
field_delimiter: ",",
key_value_delimiter: ":",
flatten_boolean: true
)Return
beta,lvl:info,msg:"This is a message",ts:2021-06-05T17:20:00Zencode_logfmt
fallibleEncodes the
value to logfmt.Function spec
encode_logfmt(value:
<object>,
[fields_ordering:
<array>])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object | The value to convert to a logfmt string. | yes | |
| fields_ordering | array | The ordering of fields to preserve. Any fields not in this list will appear unordered, after any ordered fields. | no |
Notices
This function has special behavior that you should be aware of.If
fields_ordering is specified then the function is fallible else it is infallible.Errors
Theencode_logfmt function is fallible, which means that
error handling is required for these errors:fields_ordering contains a non-string elementExamples
Encode to logfmt (no ordering)
Source
encode_logfmt({"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info"})Return
lvl=info msg="This is a message" ts=2021-06-05T17:20:00ZEncode to logfmt (fields ordering)
Source
encode_logfmt!({"ts": "2021-06-05T17:20:00Z", "msg": "This is a message", "lvl": "info", "log_id": 12345}, ["ts", "lvl", "msg"])Return
ts=2021-06-05T17:20:00Z lvl=info msg="This is a message" log_id=12345encode_percent
infallibleEncodes a
value with percent encoding to safely be used in URLs.Coerce functions
to_bool
fallibleCoerces the
value into a boolean.Function spec
to_bool(value:
<boolean |
integer |
float |
null |
string>)
:: <boolean>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | boolean integer float null string | The value to convert to a Boolean. | yes |
Errors
Theto_bool function is fallible, which means that
error handling is required for these errors:value isn’t a supported boolean representationto_float
fallibleCoerces the
value into a float.Function spec
to_float(value:
<integer |
float |
boolean |
string |
timestamp>)
:: <float>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer float boolean string timestamp | The value to convert to a float. Must be convertible to a float, otherwise an error is raised. | yes |
Errors
Theto_float function is fallible, which means that
error handling is required for these errors:value isn’t a supported float representationto_int
fallibleCoerces the
value into an integer.Function spec
to_int(value:
<integer |
float |
boolean |
string |
timestamp>)
:: <integer>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer float boolean string timestamp | The value to convert to an integer. | yes |
Errors
Theto_int function is fallible, which means that
error handling is required for these errors:value is a string but the text is not an integervalue is not a string, int, or timestampto_regex
fallibleCoerces the
value into a regex.Function spec
to_regex(value:
<string>)
:: <regex>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The value to convert to a regex. | yes |
Notices
This function has special behavior that you should be aware of.Compiling a regular expression is an expensive operation and can limit Vector throughput. Don’t use this function unless you are absolutely sure there is no other way!
Errors
Theto_regex function is fallible, which means that
error handling is required for these errors:value is not a string.to_string
fallibleCoerces the
value into a string.Function spec
to_string(value:
<integer |
float |
boolean |
string |
timestamp |
null>)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer float boolean string timestamp null | The value to convert to a string. | yes |
Errors
Theto_string function is fallible, which means that
error handling is required for these errors:value is not an integer, float, boolean, string, timestamp, or nullto_timestamp
fallibleCoerces the
value into a timestamp.Function spec
to_timestamp(value:
<string |
float |
integer |
timestamp>)
:: <timestamp>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string float integer timestamp | The value that is to be converted to a timestamp. If a string, must be a valid representation of a timestamp, and no default exists, an ArgumentError will be raised. | yes |
Errors
Theto_timestamp function is fallible, which means that
error handling is required for these errors:When
value is a string, it is not a valid timestamp formatWhen
value is an int, it is not within the Unix timestamp rangeWhen
value is a float, it is not within the Unix timestamp rangeConvert functions
to_syslog_facility
fallibleConverts the
value, a Syslog facility code, into its corresponding
Syslog keyword. i.e. 0 into "kern", 1 into "user", etc.Function spec
to_syslog_facility(value:
<integer>)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer | The facility code. | yes |
Errors
Theto_syslog_facility function is fallible, which means that
error handling is required for these errors:value isn’t a valid Syslog facility code.to_syslog_level
fallibleConverts the
value, a Syslog severity level, into its corresponding keyword,
i.e. 0 into "emerg", 1 into "alert", etc.Function spec
to_syslog_level(value:
<integer>)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer | The severity level. | yes |
Errors
Theto_syslog_level function is fallible, which means that
error handling is required for these errors:value isn’t a valid Syslog severity level.to_syslog_severity
fallibleFunction spec
to_syslog_severity(value:
<string>)
:: <integer>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The Syslog level keyword to convert. | yes |
Errors
Theto_syslog_severity function is fallible, which means that
error handling is required for these errors:value isn’t a valid Syslog level keywordto_unix_timestamp
infallibleConverts the value timestamp into a Unix timestamp.
Returns the number of seconds since the Unix epoch by default, but milliseconds or nanoseconds can also be
specified by unit.
Function spec
to_unix_timestamp(value:
<timestamp>,
[unit:
<string>])
:: <integer>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | timestamp | The timestamp to convert to Unix. | yes | |
| unit | string | The time unit. | seconds | no |
Debug functions
assert
fallibleAsserts the
condition, which must be a Boolean expression. The program is aborted with
message if the condition evaluates to false.Function spec
assert(condition:
<boolean>,
[message:
<string>])
:: <null>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| condition | boolean | The condition to check. | yes | |
| message | string | An optional custom error message. If the equality assertion fails, message is
appended to the default message prefix. See the examples below
for a sample fully formed log message. | no |
Notices
This function has special behavior that you should be aware of.The
assert function should be used in a standalone fashion and only when you want to abort the program. You
should avoid it in logical expressions and other situations in which you want the program to continue if the
condition evaluates to false.Errors
Theassert function is fallible, which means that
error handling is required for these errors:condition evaluates to falseassert_eq
infallibleAsserts that two expressions,
left and right, have the same value. The program is
aborted with the message if they are unequal.Function spec
assert_eq(left:
<any>, right:
<any>,
[message:
<string>])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| left | any | The value to check for equality against right. | yes | |
| right | any | The value to check for equality against left. | yes | |
| message | string | An optional custom error message. If the equality assertion fails, message is
appended to the default message prefix. See the examples
below for a sample fully formed log message. | no |
Notices
This function has special behavior that you should be aware of.The
assert_eq function should be used in a standalone fashion and only when you want to
abort the program. You should avoid it in logical expressions and other situations in which
you want the program to continue if the condition evaluates to false.log
infallibleFunction spec
log(value:
<any>,
[level:
<string>, rate_limit_secs:
<integer>])
:: <null>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to log. | yes | |
| level | string | The log level. | info | no |
| rate_limit_secs | integer | Specifies that the log message is output no more than once per the given number of seconds.
Use a value of 0 to turn rate limiting off. | 1 | no |
Enrichment functions
find_enrichment_table_records
infallibleSearches an enrichment table for rows that match the provided condition.
This condition needs to be a VRL object in which the key-value pairs indicate a field to search mapped to a value to search in that field. This function returns the rows that match the provided condition(s). All fields need to match for rows to be returned; if any fields don’t match, no rows are returned.
There are currently two forms of search criteria:
Exact match search. The given field must match the value exactly. Case sensitivity can be specified using the
case_sensitiveargument. An exact match search can use an index directly into the dataset, which should make this search fairly “cheap” from a performance perspective.Date range search. The given field must be greater than or equal to the
fromdate and less than or equal to thetodate. Note that a date range search involves sequentially scanning through the rows that have been located via any exact match criteria. This can be an expensive operation if there are many rows returned by any exact match criteria. We recommend using date ranges as the only criteria when the enrichment data set is very small.
To use this function, you need to update your Vector configuration to
include an
enrichment_tables
parameter.
Function spec
find_enrichment_table_records(table:
<string>, condition:
<object>,
[select:
<array>, case_sensitive:
<boolean>])
:: <array>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| table | string | The enrichment table to search. | yes | |
| condition | object | The condition to search on. Since the condition is used at boot time to create indices into the data, these conditions must be statically defined. | yes | |
| select | array | A subset of fields from the enrichment table to return. If not specified, all fields are returned. | no | |
| case_sensitive | boolean | Whether text fields need to match cases exactly. | true | no |
get_enrichment_table_record
fallibleSearches an enrichment table for a row that matches the provided condition. A single row must be matched. If either no rows or more than one row is found, an error is returned.
This condition needs to be a VRL object in which the key-value pairs indicate a field to search mapped to a value to search in that field. This function returns the rows that match the provided condition(s). All fields need to match for rows to be returned; if any fields don’t match, no rows are returned.
There are currently two forms of search criteria:
Exact match search. The given field must match the value exactly. Case sensitivity can be specified using the
case_sensitiveargument. An exact match search can use an index directly into the dataset, which should make this search fairly “cheap” from a performance perspective.Date range search. The given field must be greater than or equal to the
fromdate and less than or equal to thetodate. Note that a date range search involves sequentially scanning through the rows that have been located via any exact match criteria. This can be an expensive operation if there are many rows returned by any exact match criteria. We recommend using date ranges as the only criteria when the enrichment data set is very small.
To use this function, you need to update your Vector configuration to
include an
enrichment_tables
parameter.
Function spec
get_enrichment_table_record(table:
<string>, condition:
<object>,
[select:
<array>, case_sensitive:
<boolean>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| table | string | The enrichment table to search. | yes | |
| condition | object | The condition to search on. Since the condition is used at boot time to create indices into the data, these conditions must be statically defined. | yes | |
| select | array | A subset of fields from the enrichment table to return. If not specified, all fields are returned. | no | |
| case_sensitive | boolean | Should text fields match case exactly. | true | no |
Errors
Theget_enrichment_table_record function is fallible, which means that
error handling is required for these errors:The row isn’t found
Multiple rows are found that match the condition
Enumerate functions
compact
infallibleCompacts the
value by removing “empty” values, where emptiness is defined using the
available parameters.Function spec
compact(value:
<array |
object>,
[recursive:
<boolean>, null:
<boolean>, string:
<boolean>, object:
<boolean>, array:
<boolean>, nullish:
<boolean>])
:: <array | object>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array object | The object or array to compact. | yes | |
| recursive | boolean | Whether the compaction be recursive. | true | no |
| null | boolean | Whether null should be treated as an empty value. | true | no |
| string | boolean | Whether an empty string should be treated as an empty value. | true | no |
| object | boolean | Whether an empty object should be treated as an empty value. | true | no |
| array | boolean | Whether an empty array should be treated as an empty value. | true | no |
| nullish | boolean | Tests whether the value is “nullish” as defined by the is_nullish function. | no |
flatten
infallibleFlattens the
value into a single-level representation.includes
infallibleDetermines whether the
value array includes the specified item.length
infallibleReturns the length of the
value.Function spec
length(value:
<array |
object |
string>)
:: <integer>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array object string | The array or object | yes |
match_array
infallibleDetermines whether the elements in the
value array matches the pattern - by default it checks at least one element matches, but can be set to determine if all the elements match.Function spec
match_array(value:
<array>, pattern:
<regex>,
[all:
<boolean>])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array | The array. | yes | |
| pattern | regex | The regular expression pattern to match against. | yes | |
| all | boolean | Whether to match on all elements of value. | no |
unique
infallibleReturns unique values for an array.
The first occurrence of each element is kept.
Event functions
get_metadata_field
infallibleReturns the value of the given field from the event metadata.
remove_metadata_field
infallibleRemoves the value of the given field from the event metadata.
set_metadata_field
infallibleSets the given field in the event metadata to the provided value.
Path functions
del
infallibleRemoves the field specified by the static path from the target.
For dynamic path deletion, see the remove function.
Function spec
del(path:
<path>)
:: <any>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| path | path | The path of the field to delete. | yes |
exists
infallibleChecks whether the path exists for the target.
This function allows you to distinguish between a missing path,
or a path with a null value, something a regular path lookup
such as .foo would not allow, since that always returns null
if the path doesn’t exist.
get
fallibleDynamically get the value of a given path.
When you know the path you want to look up, you should use
static paths such as .foo.bar[1] to get the value of that
path. However, when you don’t know the path names in advance,
you can use this dynamic get function to get at the requested
value.
Function spec
get(value:
<object |
array>, path:
<array>)
:: <any>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object array | The object or array to query. | yes | |
| path | array | An array of path segments to look up the value for. | yes |
Errors
Theget function is fallible, which means that
error handling is required for these errors:path segment must be either “string” or “integer”
remove
fallibleDynamically remove the value for a given path.
When you know the path you want to remove, you should use
the del function and static paths such as del(.foo.bar[1])
to remove the value at that path. The del function returns the
deleted value, and is more performant than this function.
However, when you don’t know the path names in advance, you can
use this dynamic remove function to remove the value at the
provided path.
Function spec
remove(value:
<object |
array>, path:
<array>,
[compact:
<boolean>])
:: <object | array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object array | The object or array to remove data from. | yes | |
| path | array | An array of path segments to remove the value at. | yes | |
| compact | boolean | Whether — after deletion — empty objects or arrays should be removed. | no |
Errors
Theremove function is fallible, which means that
error handling is required for these errors:path segment must be either “string” or “integer”
set
fallibleDynamically insert data into the path of a given object or array.
When you know the path you want to assign a value to, you should
use static path assignments such as .foo.bar[1] = true for
improved performance and readability. However, when you don’t
know the path names in advance, you can use this dynamic
insertion function to insert the data into the object or array.
Function spec
set(value:
<object |
array>, path:
<array>, data:
<any>)
:: <object | array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | object array | The object or array to insert data into. | yes | |
| path | array | An array of path segments to insert the value to. | yes | |
| data | any | The data to be inserted. | yes |
Errors
Theset function is fallible, which means that
error handling is required for these errors:path segment must be either “string” or “integer”
Hash functions
md5
infallibleCalculates an md5 hash of the
value.sha2
infallibleCalculates a SHA-2 hash of the
value.IP functions
ip_aton
fallibleConverts IPv4 address in numbers-and-dots notation into network-order bytes represented as an integer.
This behavior mimics inet_aton.
Function spec
ip_aton(value:
<string>)
:: <integer>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The IP address to convert to binary. | yes |
Errors
Theip_aton function is fallible, which means that
error handling is required for these errors:value isn’t a valid IPv4 addressip_cidr_contains
fallibleDetermines whether the
ip is contained in the block referenced by the cidr.Function spec
ip_cidr_contains(cidr:
<string>, ip:
<string>)
:: <boolean>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| cidr | string | The CIDR mask (v4 or v6). | yes | |
| ip | string | The IP address (v4 or v6). | yes |
Errors
Theip_cidr_contains function is fallible, which means that
error handling is required for these errors:cidr isn’t a valid CIDRip isn’t a valid IP addressip_ntoa
fallibleConverts numeric representation of IPv4 address in network-order bytes to numbers-and-dots notation..
This behavior mimics inet_ntoa.
Function spec
ip_ntoa(value:
<string>)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The integer representation of an IPv4 address. | yes |
Errors
Theip_ntoa function is fallible, which means that
error handling is required for these errors:value cannot fit in u32ip_subnet
fallibleExtracts the subnet address from the
ip using the supplied subnet.Function spec
ip_subnet(ip:
<string>, subnet:
<string>)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| ip | string | The IP address (v4 or v6). | yes | |
| subnet | string | The subnet to extract from the IP address. This can be either a prefix length like /8 or a net mask
like 255.255.0.0. The net mask can be either an IPv4 or IPv6 address. | yes |
Notices
This function has special behavior that you should be aware of.Works with both IPv4 and IPv6 addresses. The IP version for the mask must be the same as the supplied
address.
Errors
Theip_subnet function is fallible, which means that
error handling is required for these errors:ip isn’t a valid IP addresssubnet isn’t a valid subnet.ip_to_ipv6
fallibleConverts the
ip to an IPv6 address.Function spec
ip_to_ipv6(ip:
<string>)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| ip | string | The IP address to convert to IPv6. | yes |
Errors
Theip_to_ipv6 function is fallible, which means that
error handling is required for these errors:ip isn’t a valid IP addressipv6_to_ipv4
fallibleConverts the
ip to an IPv4 address. ip is returned unchanged if it’s already an IPv4 address. If ip is
currently an IPv6 address then it needs to be IPv4 compatible, otherwise an error is thrown.Function spec
ipv6_to_ipv4(ip:
<string>)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| ip | string | The IPv4-mapped IPv6 address to convert. | yes |
Errors
Theipv6_to_ipv4 function is fallible, which means that
error handling is required for these errors:ip isn’t a valid IP addressip is an IPv6 address that isn’t compatible with IPv4Number functions
ceil
infallibleRounds the
value up to the specified precision.floor
infallibleRounds the
value down to the specified precision.format_int
fallibleFormats the integer
value into a string representation using the given base/radix.Function spec
format_int(value:
<integer>,
[base:
<integer>])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer | The number to format. | yes | |
| base | integer | The base to format the number in. Must be between 2 and 36 (inclusive). | 10 | no |
Errors
Theformat_int function is fallible, which means that
error handling is required for these errors:base is not between 2 and 36
format_number
infallibleFormats the
value into a string representation of the number.Function spec
format_number(value:
<integer |
float>,
[scale:
<integer>, decimal_separator:
<string>, grouping_separator:
<string>])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | integer float | The number to format as a string. | yes | |
| scale | integer | The number of decimal places to display. | no | |
| decimal_separator | string | The character to use between the whole and decimal parts of the number. | . | no |
| grouping_separator | string | The character to use between each thousands part of the number. | , | no |
round
infallibleRounds the
value to the specified precision.Object functions
match_datadog_query
infallibleMatches an object against a Datadog Search Syntax query.
merge
infallibleMerges the
from object into the to object.Function spec
merge(to:
<string>, from:
<object>,
[deep:
<boolean>])
:: <object>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| to | string | The object to merge into. | yes | |
| from | object | The object to merge from. | yes | |
| deep | boolean | A deep merge is performed if true, otherwise only top-level fields are merged. | no |
unnest
fallibleUnnest an array field from an object to create an array of objects using that field; keeping all other fields.
Assigning the array result of this to . will result in multiple events being emitted from remap. See the
remap transform docs for more details.
This is also referred to as explodeing in some languages.
Function spec
unnest(path:
<path>)
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| path | path | The path of the field to unnest. | yes |
Errors
Theunnest function is fallible, which means that
error handling is required for these errors:Field path refers to is not an array
Parse functions
parse_apache_log
fallibleParses Apache access and error log lines. Lines can be in
common,
combined, or default error format.Function spec
parse_apache_log(value:
<string>, format:
<string>,
[timestamp_format:
<string>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| format | string | The format to use for parsing the log. | yes | |
| timestamp_format | string | The date/time format to use for encoding the timestamp. The time is parsed in local time if the timestamp doesn’t specify a timezone. | %d/%b/%Y:%T %z | no |
Notices
This function has special behavior that you should be aware of.Missing information in the log message may be indicated by
-. These fields are omitted in the result.Errors
Theparse_apache_log function is fallible, which means that
error handling is required for these errors:value doesn’t match the specified formattimestamp_format isn’t a valid format stringThe timestamp in
value fails to parse using the provided timestamp_formatExamples
Parse via Apache log format (common)
Source
parse_apache_log!("127.0.0.1 bob frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326", format: "common")Return
{
"host": "127.0.0.1",
"identity": "bob",
"message": "GET /apache_pb.gif HTTP/1.0",
"method": "GET",
"path": "/apache_pb.gif",
"protocol": "HTTP/1.0",
"size": 2326,
"status": 200,
"timestamp": "2000-10-10T20:55:36Z",
"user": "frank"
}Parse via Apache log format (combined)
Source
parse_apache_log!(
s'127.0.0.1 bob frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.seniorinfomediaries.com/vertical/channels/front-end/bandwidth" "Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/1945-10-12 Firefox/37.0"',
"combined",
)Return
{
"agent": "Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/1945-10-12 Firefox/37.0",
"host": "127.0.0.1",
"identity": "bob",
"message": "GET /apache_pb.gif HTTP/1.0",
"method": "GET",
"path": "/apache_pb.gif",
"protocol": "HTTP/1.0",
"referrer": "http://www.seniorinfomediaries.com/vertical/channels/front-end/bandwidth",
"size": 2326,
"status": 200,
"timestamp": "2000-10-10T20:55:36Z",
"user": "frank"
}Parse via Apache log format (error)
Source
parse_apache_log!(
s'[01/Mar/2021:12:00:19 +0000] [ab:alert] [pid 4803:tid 3814] [client 147.159.108.175:24259] I will bypass the haptic COM bandwidth, that should matrix the CSS driver!',
"error"
)Return
{
"client": "147.159.108.175",
"message": "I will bypass the haptic COM bandwidth, that should matrix the CSS driver!",
"module": "ab",
"pid": 4803,
"port": 24259,
"severity": "alert",
"thread": "3814",
"timestamp": "2021-03-01T12:00:19Z"
}parse_aws_alb_log
fallibleParses
value in the Elastic Load Balancer Access format.Function spec
parse_aws_alb_log(value:
<string>)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | Access log of the Application Load Balancer. | yes |
Errors
Theparse_aws_alb_log function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted AWS ALB logExamples
Parse AWS ALB log
Source
parse_aws_alb_log!(
"http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 - 0.000 0.001 0.000 200 200 34 366 \"GET http://www.example.com:80/ HTTP/1.1\" \"curl/7.46.0\" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 \"Root=1-58337364-23a8c76965a2ef7629b185e3\" \"-\" \"-\" 0 2018-11-30T22:22:48.364000Z \"forward\" \"-\" \"-\" \"-\" \"-\" \"-\" \"-\""
)Return
{
"actions_executed": "forward",
"chosen_cert_arn": null,
"classification": null,
"classification_reason": null,
"client_host": "192.168.131.39:2817",
"domain_name": null,
"elb": "app/my-loadbalancer/50dc6c495c0c9188",
"elb_status_code": "200",
"error_reason": null,
"matched_rule_priority": "0",
"received_bytes": 34,
"redirect_url": null,
"request_creation_time": "2018-11-30T22:22:48.364000Z",
"request_method": "GET",
"request_processing_time": 0,
"request_protocol": "HTTP/1.1",
"request_url": "http://www.example.com:80/",
"response_processing_time": 0,
"sent_bytes": 366,
"ssl_cipher": null,
"ssl_protocol": null,
"target_group_arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067",
"target_host": null,
"target_port_list": [],
"target_processing_time": 0.001,
"target_status_code": "200",
"target_status_code_list": [],
"timestamp": "2018-11-30T22:23:00.186641Z",
"trace_id": "Root=1-58337364-23a8c76965a2ef7629b185e3",
"type": "http",
"user_agent": "curl/7.46.0"
}parse_aws_cloudwatch_log_subscription_message
fallibleParses AWS CloudWatch Logs events (configured through AWS Cloudwatch subscriptions) from the
aws_kinesis_firehose source.Function spec
parse_aws_cloudwatch_log_subscription_message(value:
<string>)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string representation of the message to parse. | yes |
Errors
Theparse_aws_cloudwatch_log_subscription_message function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted AWS Cloudwatch Log subscription messageExamples
Parse AWS Cloudwatch Log subscription message
Source
parse_aws_cloudwatch_log_subscription_message!(.message)Return
{
"log_events": [
{
"id": "35683658089614582423604394983260738922885519999578275840",
"message": "{\"bytes\":26780,\"datetime\":\"14/Sep/2020:11:45:41 -0400\",\"host\":\"157.130.216.193\",\"method\":\"PUT\",\"protocol\":\"HTTP/1.0\",\"referer\":\"https://www.principalcross-platform.io/markets/ubiquitous\",\"request\":\"/expedite/convergence\",\"source_type\":\"stdin\",\"status\":301,\"user-identifier\":\"-\"}",
"timestamp": "2020-09-14T19:09:29.039Z"
}
],
"log_group": "test",
"log_stream": "test",
"message_type": "DATA_MESSAGE",
"owner": "111111111111",
"subscription_filters": [
"Destination"
]
}parse_aws_vpc_flow_log
fallibleParses
value in the VPC Flow Logs format.Function spec
parse_aws_vpc_flow_log(value:
<string>,
[format:
<string>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | VPC Flow Log. | yes | |
| format | string | VPC Flow Log format. | no |
Errors
Theparse_aws_vpc_flow_log function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted AWS VPC Flow logExamples
Parse AWS VPC Flow log (default format)
Source
parse_aws_vpc_flow_log!("2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA")Return
{
"account_id": 123456789010,
"action": null,
"bytes": null,
"dstaddr": null,
"dstport": null,
"end": 1431280934,
"interface_id": "eni-1235b8ca123456789",
"log_status": "NODATA",
"packets": null,
"protocol": null,
"srcaddr": null,
"srcport": null,
"start": 1431280876,
"version": 2
}Parse AWS VPC Flow log (custom format)
Source
parse_aws_vpc_flow_log!(
"- eni-1235b8ca123456789 10.0.1.5 10.0.0.220 10.0.1.5 203.0.113.5",
"instance_id interface_id srcaddr dstaddr pkt_srcaddr pkt_dstaddr"
)Return
{
"dstaddr": "10.0.0.220",
"instance_id": null,
"interface_id": "eni-1235b8ca123456789",
"pkt_dstaddr": "203.0.113.5",
"pkt_srcaddr": "10.0.1.5",
"srcaddr": "10.0.1.5"
}parse_common_log
fallibleParses the
value using the Common Log Format (CLF).Function spec
parse_common_log(value:
<string>,
[timestamp_format:
<string>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| timestamp_format | string | The date/time format to use for encoding the timestamp. | %d/%b/%Y:%T %z | no |
Notices
This function has special behavior that you should be aware of.Missing information in the log message may be indicated by
-. These fields are omitted in the result.Errors
Theparse_common_log function is fallible, which means that
error handling is required for these errors:value doesn’t match the Common Log Formattimestamp_format isn’t a valid format stringThe timestamp in
value fails to parse using the provided timestamp_formatExamples
Parse via Common Log Format (with default timestamp format)
Source
parse_common_log!("127.0.0.1 bob frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326")Return
{
"host": "127.0.0.1",
"identity": "bob",
"message": "GET /apache_pb.gif HTTP/1.0",
"method": "GET",
"path": "/apache_pb.gif",
"protocol": "HTTP/1.0",
"size": 2326,
"status": 200,
"timestamp": "2000-10-10T20:55:36Z",
"user": "frank"
}Parse via Common Log Format (with custom timestamp format)
Source
parse_common_log!(
"127.0.0.1 bob frank [2000-10-10T20:55:36Z] \"GET /apache_pb.gif HTTP/1.0\" 200 2326",
"%+"
)Return
{
"host": "127.0.0.1",
"identity": "bob",
"message": "GET /apache_pb.gif HTTP/1.0",
"method": "GET",
"path": "/apache_pb.gif",
"protocol": "HTTP/1.0",
"size": 2326,
"status": 200,
"timestamp": "2000-10-10T20:55:36Z",
"user": "frank"
}parse_csv
fallibleParses a single CSV formatted row. Only the first row is parsed in case of multiline input value.
Function spec
parse_csv(value:
<string>,
[delimiter:
<string>])
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| delimiter | string | The field delimiter to use when parsing. Must be a single-byte utf8 character. | , | no |
Notices
This function has special behavior that you should be aware of.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_csv function is fallible, which means that
error handling is required for these errors:delimiter must be a single-byte utf8 character
value isn’t a valid CSV stringparse_duration
fallibleParses the
value into a human-readable duration format specified by unit.Function spec
parse_duration(value:
<string>, unit:
<string>)
:: <float>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string of the duration. | yes | |
| unit | string | The output units for the duration. | yes |
Errors
Theparse_duration function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted durationparse_glog
fallibleParses the
value using the glog (Google Logging Library) format.Function spec
parse_glog(value:
<string>)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes |
Errors
Theparse_glog function is fallible, which means that
error handling is required for these errors:value doesn’t match the glog formatparse_grok
fallibleFunction spec
parse_grok(value:
<string>, pattern:
<string>,
[remove_empty:
<boolean>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| pattern | string | The Grok pattern. | yes | |
| remove_empty | boolean | If set to true, any patterns that resolve to an empty value are removed from the result. | true | no |
Notices
This function has special behavior that you should be aware of.We recommend using community-maintained Grok patterns when possible, as they’re more likely to be properly
vetted and improved over time than bespoke patterns.
Errors
Theparse_grok function is fallible, which means that
error handling is required for these errors:value fails to parse using the provided patternparse_groks
fallibleFunction spec
parse_groks(value:
<string>, patterns:
<array>,
[remove_empty:
<boolean>, aliases:
<object>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| patterns | array | The Grok patterns, which are tried in order until the first match. | yes | |
| remove_empty | boolean | If set to true, any patterns that resolve to an empty string are removed from the result. | true | no |
| aliases | object | The shared set of grok aliases that can be referenced in the patterns to simplify them. | true | no |
Notices
This function has special behavior that you should be aware of.We recommend using community-maintained Grok patterns when possible, as they’re more likely to be properly
vetted and improved over time than bespoke patterns.
Errors
Theparse_groks function is fallible, which means that
error handling is required for these errors:value fails to parse using the provided patternExamples
Parse using multiple Grok patterns
Source
parse_groks!(
"2020-10-02T23:22:12.223222Z info Hello world",
patterns: [
"%{common_prefix} %{_status} %{_message}",
"%{common_prefix} %{_message}",
],
aliases: {
"common_prefix": "%{_timestamp} %{_loglevel}",
"_timestamp": "%{TIMESTAMP_ISO8601:timestamp}",
"_loglevel": "%{LOGLEVEL:level}",
"_status": "%{POSINT:status}",
"_message": "%{GREEDYDATA:message}"
}
)Return
{
"level": "info",
"message": "Hello world",
"timestamp": "2020-10-02T23:22:12.223222Z"
}parse_int
fallibleParses the string
value representing a number in an optional base/radix to an integer.Function spec
parse_int(value:
<string>,
[base:
<integer>])
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| base | integer | The base the number is in. Must be between 2 and 36 (inclusive). If unspecified, will use the string prefix to try to determine the base: “0b”, 8 for “0” or “0o”, 16 for “0x”, and 10 otherwise | no |
Errors
Theparse_int function is fallible, which means that
error handling is required for these errors:base is not between 2 and 36
number cannot be parsed in the base
parse_json
fallibleParses the
value as JSON.Function spec
parse_json(value:
<string>)
:: <boolean | integer | float | string | object | array | null>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string representation of the JSON to parse. | yes |
Notices
This function has special behavior that you should be aware of.Only JSON types are returned. If you need to convert a
string into a timestamp, consider the
parse_timestamp function.Errors
Theparse_json function is fallible, which means that
error handling is required for these errors:value isn’t a valid JSON-formatted payloadparse_key_value
fallibleParses the value in key/value format. Also known as logfmt.
- Keys and values can be wrapped with
". "characters can be escaped using\.
Function spec
parse_key_value(value:
<string>,
[key_value_delimiter:
<string>, field_delimiter:
<string>, whitespace:
<string>, accept_standalone_key:
<boolean>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| key_value_delimiter | string | The string that separates the key from the value. | = | no |
| field_delimiter | string | The string that separates each key/value pair. | | no |
| whitespace | string | Defines the acceptance of unnecessary whitespace surrounding the configured key_value_delimiter. | lenient | no |
| accept_standalone_key | boolean | Whether a standalone key should be accepted, the resulting object will associate such keys with boolean value true | true | no |
Notices
This function has special behavior that you should be aware of.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_key_value function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted key/value stringExamples
Parse logfmt log
Source
parse_key_value!(
"@timestamp=\"Sun Jan 10 16:47:39 EST 2021\" level=info msg=\"Stopping all fetchers\" tag#production=stopping_fetchers id=ConsumerFetcherManager-1382721708341 module=kafka.consumer.ConsumerFetcherManager"
)Return
{
"@timestamp": "Sun Jan 10 16:47:39 EST 2021",
"id": "ConsumerFetcherManager-1382721708341",
"level": "info",
"module": "kafka.consumer.ConsumerFetcherManager",
"msg": "Stopping all fetchers",
"tag#production": "stopping_fetchers"
}Parse comma delimited log
Source
parse_key_value!(
"path:\"/cart_link\", host:store.app.com, fwd: \"102.30.171.16\", dyno: web.1, connect:0ms, service:87ms, status:304, bytes:632, protocol:https",
field_delimiter: ",",
key_value_delimiter: ":"
)Return
{
"bytes": "632",
"connect": "0ms",
"dyno": "web.1",
"fwd": "102.30.171.16",
"host": "store.app.com",
"path": "/cart_link",
"protocol": "https",
"service": "87ms",
"status": "304"
}parse_klog
fallibleParses the
value using the klog format used by Kubernetes components.Function spec
parse_klog(value:
<string>)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes |
Errors
Theparse_klog function is fallible, which means that
error handling is required for these errors:value doesn’t match the klog formatparse_linux_authorization
fallibleParses Linux authorization logs usually found under either
/var/log/auth.log (for Debian-based systems) or
/var/log/secure (for RedHat-based systems) according to Syslog format.Function spec
parse_linux_authorization(value:
<string>)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text containing the message to parse. | yes |
Notices
This function has special behavior that you should be aware of.The function resolves the year for messages that don’t include it. If the current month is January, and the message is for
December, it will take the previous year. Otherwise, take the current year.
Errors
Theparse_linux_authorization function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted Syslog messageExamples
Parse Linux authorization event
Source
parse_linux_authorization!(
s'Mar 23 01:49:58 localhost sshd[1111]: Accepted publickey for eng from 10.1.1.1 port 8888 ssh2: RSA SHA256:foobar'
)Return
{
"appname": "sshd",
"hostname": "localhost",
"message": "Accepted publickey for eng from 10.1.1.1 port 8888 ssh2: RSA SHA256:foobar",
"procid": 1111,
"timestamp": "2021-03-23T01:49:58Z"
}parse_logfmt
fallibleParses the value in logfmt.
- Keys and values can be wrapped using the
"character. "characters can be escaped by the\character.- As per this logfmt specification, the
parse_logfmtfunction accepts standalone keys and assigns them a Boolean value oftrue.
Function spec
parse_logfmt(value:
<string>)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes |
Notices
This function has special behavior that you should be aware of.If
fields_ordering is specified then the function is fallible else it is infallible.Errors
Theparse_logfmt function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted key/value stringExamples
Parse logfmt log
Source
parse_logfmt!(
"@timestamp=\"Sun Jan 10 16:47:39 EST 2021\" level=info msg=\"Stopping all fetchers\" tag#production=stopping_fetchers id=ConsumerFetcherManager-1382721708341 module=kafka.consumer.ConsumerFetcherManager"
)Return
{
"@timestamp": "Sun Jan 10 16:47:39 EST 2021",
"id": "ConsumerFetcherManager-1382721708341",
"level": "info",
"module": "kafka.consumer.ConsumerFetcherManager",
"msg": "Stopping all fetchers",
"tag#production": "stopping_fetchers"
}parse_nginx_log
fallibleFunction spec
parse_nginx_log(value:
<string>, format:
<string>,
[timestamp_format:
<string>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| format | string | The format to use for parsing the log. | yes | |
| timestamp_format | string | The date/time format to use for encoding the timestamp. The time is parsed
in local time if the timestamp doesn’t specify a timezone. The default format is %d/%b/%Y:%T %z for
combined logs and %Y/%m/%d %H:%M:%S for error logs. | %d/%b/%Y:%T %z | no |
Notices
This function has special behavior that you should be aware of.Missing information in the log message may be indicated by
-. These fields are omitted in the result.Errors
Theparse_nginx_log function is fallible, which means that
error handling is required for these errors:value doesn’t match the specified formattimestamp_format isn’t a valid format stringThe timestamp in
value fails to parse using the provided timestamp_formatExamples
Parse via Nginx log format (combined)
Source
parse_nginx_log!(
s'172.17.0.1 alice - [01/Apr/2021:12:02:31 +0000] "POST /not-found HTTP/1.1" 404 153 "http://localhost/somewhere" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" "2.75"',
"combined",
)Return
{
"agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
"client": "172.17.0.1",
"compression": "2.75",
"method": "POST",
"path": "/not-found",
"protocol": "HTTP/1.1",
"referer": "http://localhost/somewhere",
"request": "POST /not-found HTTP/1.1",
"size": 153,
"status": 404,
"timestamp": "2021-04-01T12:02:31Z",
"user": "alice"
}Parse via Nginx log format (error)
Source
parse_nginx_log!(
s'2021/04/01 13:02:31 [error] 31#31: *1 open() "/usr/share/nginx/html/not-found" failed (2: No such file or directory), client: 172.17.0.1, server: localhost, request: "POST /not-found HTTP/1.1", host: "localhost:8081"',
"error"
)Return
{
"cid": 1,
"client": "172.17.0.1",
"host": "localhost:8081",
"message": "open() \"/usr/share/nginx/html/not-found\" failed (2: No such file or directory)",
"pid": 31,
"request": "POST /not-found HTTP/1.1",
"server": "localhost",
"severity": "error",
"tid": 31,
"timestamp": "2021-04-01T13:02:31Z"
}parse_query_string
infallibleParses the
value as a query string.Function spec
parse_query_string(value:
<string>)
:: <object>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes |
parse_regex
fallibleParses the value via the provided Regex pattern.
This function differs from the parse_regex_all function in that it returns only the first match.
Function spec
parse_regex(value:
<string>, pattern:
<regex>,
[numeric_groups:
<regex>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to search. | yes | |
| pattern | regex | The regular expression pattern to search against. | yes | |
| numeric_groups | regex | If true, the index of each group in the regular expression is also captured. The 0th index will contain the whole match. | no |
Notices
This function has special behavior that you should be aware of.VRL aims to provide purpose-specific parsing functions for common log formats.
Before reaching for the
parse_regex function, see if a VRL parse_* function
already exists for your format. If not, we recommend opening an issue to request
support for the desired format.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_regex function is fallible, which means that
error handling is required for these errors:value fails to parse using the provided patternparse_regex_all
fallibleParses the value via the provided Regex pattern.
This function differs from the parse_regex function in that it returns all matches, not just the first.
Function spec
parse_regex_all(value:
<string>, pattern:
<regex>,
[numeric_groups:
<regex>])
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to search. | yes | |
| pattern | regex | The regular expression pattern to search against. | yes | |
| numeric_groups | regex | If true, the index of each group in the regular expression is also captured. The 0th index
contains the whole match. | no |
Notices
This function has special behavior that you should be aware of.VRL aims to provide purpose-specific parsing functions for common log formats.
Before reaching for the
parse_regex function, see if a VRL parse_* function
already exists for your format. If not, we recommend opening an issue to request
support for the desired format.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_regex_all function is fallible, which means that
error handling is required for these errors:value fails to parse via the provided patternparse_ruby_hash
fallibleParses the
value as ruby hash.Function spec
parse_ruby_hash(value:
<string>)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string representation of the ruby hash to parse. | yes |
Notices
This function has special behavior that you should be aware of.Only ruby types are returned. If you need to convert a
string into a timestamp, consider the
parse_timestamp function.Errors
Theparse_ruby_hash function is fallible, which means that
error handling is required for these errors:value isn’t a valid ruby hash formatted payloadparse_syslog
fallibleParses the
value in Syslog format.Function spec
parse_syslog(value:
<string>)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text containing the Syslog message to parse. | yes |
Notices
This function has special behavior that you should be aware of.All values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_syslog function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted Syslog messageExamples
Parse Syslog log (5424)
Source
parse_syslog!(
s'<13>1 2020-03-13T20:45:38.119Z dynamicwireless.name non 2426 ID931 [exampleSDID@32473 iut="3" eventSource= "Application" eventID="1011"] Try to override the THX port, maybe it will reboot the neural interface!'
)Return
{
"appname": "non",
"exampleSDID@32473.eventID": "1011",
"exampleSDID@32473.eventSource": "Application",
"exampleSDID@32473.iut": "3",
"facility": "user",
"hostname": "dynamicwireless.name",
"message": "Try to override the THX port, maybe it will reboot the neural interface!",
"msgid": "ID931",
"procid": 2426,
"severity": "notice",
"timestamp": "2020-03-13T20:45:38.119Z",
"version": 1
}parse_timestamp
fallibleFunction spec
parse_timestamp(value:
<string>, format:
<string>)
:: <timestamp>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text of the timestamp. | yes | |
| format | string | The strptime format. | yes |
Errors
Theparse_timestamp function is fallible, which means that
error handling is required for these errors:value fails to parse using the provided formatparse_tokens
fallibleParses the value in “token” format. A token is considered to be one of the following:
- A word surrounded by whitespace.
- Text delimited by double quotes:
"..". Quotes can be included in the token if they are escaped by a backslash (\). - Text delimited by square brackets:
[..]. Closing square brackets can be included in the token if they are escaped by a backslash (\).
Function spec
parse_tokens(value:
<string>)
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to tokenize. | yes |
Notices
This function has special behavior that you should be aware of.All token values are returned as strings. We recommend manually coercing values to desired types as you see fit.
Errors
Theparse_tokens function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted tokenized stringparse_url
fallibleParses the
value in URL format.Function spec
parse_url(value:
<string>,
[default_known_ports:
<boolean>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text of the URL. | yes | |
| default_known_ports | boolean | If true and the port number is not specified in the input URL
string (or matches the default port for the scheme), it will be
populated from well-known ports for the following schemes:
http, https, ws, wss, and ftp. | no |
Errors
Theparse_url function is fallible, which means that
error handling is required for these errors:value isn’t a properly formatted URLparse_user_agent
infallibleParses the
value as a user agent string. Which has a loosely defined format
so this parser only provides best effort guarantee.Function spec
parse_user_agent(value:
<string>,
[mode:
<string>])
:: <object>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to parse. | yes | |
| mode | string | Determines performance and reliability characteristics. | fast | no |
Notices
This function has special behavior that you should be aware of.All values are returned as strings or as null. We recommend manually coercing values to desired types as you see fit.
Different modes return different schema.
Field which were not parsed out are set as
null.Examples
Fast mode
Source
parse_user_agent(
"Mozilla Firefox 1.0.1 Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.6) Gecko/20050223 Firefox/1.0.1"
)Return
{
"browser": {
"family": "Firefox",
"version": "1.0.1"
},
"device": {
"category": "pc"
},
"os": {
"family": "Linux",
"version": null
}
}Reliable mode
Source
parse_user_agent(
"Mozilla/4.0 (compatible; MSIE 7.66; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
mode: "reliable"
)Return
{
"browser": {
"family": "Internet Explorer",
"version": "7.66"
},
"device": {
"category": "pc"
},
"os": {
"family": "Windows XP",
"version": "NT 5.1"
}
}Enriched mode
Source
parse_user_agent(
"Opera/9.80 (J2ME/MIDP; Opera Mini/4.3.24214; iPhone; CPU iPhone OS 4_2_1 like Mac OS X; AppleWebKit/24.783; U; en) Presto/2.5.25 Version/10.54",
mode: "enriched"
)Return
{
"browser": {
"family": "Opera Mini",
"major": "4",
"minor": "3",
"patch": "24214",
"version": "10.54"
},
"device": {
"brand": "Apple",
"category": "smartphone",
"family": "iPhone",
"model": "iPhone"
},
"os": {
"family": "iOS",
"major": "4",
"minor": "2",
"patch": "1",
"patch_minor": null,
"version": "4.2.1"
}
}parse_xml
fallibleParses the
value as XML.Function spec
parse_xml(value:
<string>,
[include_attr:
<boolean>, attr_prefix:
<string>, text_key:
<string>, always_use_text_key:
<boolean>, parse_bool:
<boolean>, parse_null:
<boolean>, parse_number:
<boolean>])
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string representation of the XML document to parse. | yes | |
| include_attr | boolean | Include XML tag attributes in the returned object. | true | no |
| attr_prefix | string | String prefix to use for XML tag attribute keys. | @ | no |
| text_key | string | Key name to use for expanded text nodes. | text | no |
| always_use_text_key | boolean | Always return text nodes as {"<text_key>": "value"}. | no | |
| parse_bool | boolean | Parse “true” and “false” as boolean. | true | no |
| parse_null | boolean | Parse “null” as null. | true | no |
| parse_number | boolean | Parse numbers as integers/floats. | true | no |
Notices
This function has special behavior that you should be aware of.Valid XML must contain exactly one root node. Always returns an object.
Errors
Theparse_xml function is fallible, which means that
error handling is required for these errors:value isn’t a valid XML documentExamples
Parse XML
Source
value = s'<book category="CHILDREN"><title lang="en">Harry Potter</title><author>J K. Rowling</author><year>2005</year></book>';
parse_xml!(value, text_key: "value", parse_number: false)Return
{
"book": {
"@category": "CHILDREN",
"author": "J K. Rowling",
"title": {
"@lang": "en",
"value": "Harry Potter"
},
"year": "2005"
}
}Random functions
String functions
contains
infallibleDetermines whether the
value string contains the specified substring.Function spec
contains(value:
<string>, substring:
<string>,
[case_sensitive:
<boolean>])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The text to search. | yes | |
| substring | string | The substring to search for in value. | yes | |
| case_sensitive | boolean | Whether the match should be case sensitive. | true | no |
downcase
infallibleDowncases the
value string, where “downcase” is defined according to the terms of the
Unicode Derived Core Property Lowercase.ends_with
infallibleDetermines whether the
value string ends with the specified substring.Function spec
ends_with(value:
<string>, substring:
<string>,
[case_sensitive:
<boolean>])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to search. | yes | |
| substring | string | The substring with which value must end. | yes | |
| case_sensitive | boolean | Whether the match should be case sensitive. | true | no |
find
infallibleDetermines the start position of the first found element in
value,
from left to right, that matches the pattern or returns -1 if not found.Function spec
find(value:
<string>, pattern:
<regex |
string>,
[from:
<integer>])
:: <integer>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to find the pattern in. | yes | |
| pattern | regex string | The regular expression or string pattern to match against. | yes | |
| from | integer | Offset to start searching. | no |
join
infallibleJoins each string in the
value array into a single string, with items optionally separated from one another
by a separator.match
infallibleDetermines whether the
value matches the pattern.match_any
infallibleDetermines whether the
value matches any the given patterns. All
patterns are checked in a single pass over the target string, giving this
function a potentially significant performance advantage over multiple calls
to match.redact
infallibleRedact sensitive data in value such as:
- US social security card numbers
- and other forms of personally identifiable information via custom patterns
- (more to come!)
This can help achieve compliance by ensuring sensitive data never leaves your network.
Function spec
redact(value:
<string |
object |
array>,
[filters:
<array>])
:: <string | object | array>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string object array | The value to redact sensitive data from. Its behavior differs depending on the type of
For arrays and objects it will recurse into any nested arrays or objects. Any non-string elements will be skipped. Any redacted text will be replaced with | yes | |
| filters | array | List of filters to be applied to the Each filter can be specified in one of three ways:
Named filters are:
See examples for more details. This parameter must be a static expression. You cannot use variables or other dynamic expressions with it. This allows us to validate the argument at compile-time to avoid runtime errors. | no |
replace
infallibleReplaces all matching instances of pattern in the value.
The pattern argument accepts regular expression capture groups. Note that $foo is interpreted in a Vector configuration file, instead use $$foo.
Function spec
replace(value:
<string>, pattern:
<regex |
string>, with:
<string>,
[count:
<integer>])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The original string. | yes | |
| pattern | regex string | Replace all matches of this pattern. Can be a static string or a regular expression. | yes | |
| with | string | The string that the matches are replaced with. | yes | |
| count | integer | The maximum number of replacements to perform. -1 means replace all matches. | -1 | no |
slice
infallibleReturns a slice of the value between the start and end positions.
If the start and end parameters are negative, they refer to positions counting from the right of the
string or array. If end refers to a position that is greater than the length of the string or array
a slice up to the end of the string or array is returned.
Function spec
slice(value:
<array |
string>, start:
<integer>,
[end:
<integer>])
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | array string | The string or array to slice. | yes | |
| start | integer | The inclusive start position. A zero-based index that can be negative. | yes | |
| end | integer | The exclusive end position. A zero-based index that can be negative. | String length | no |
split
infallibleSplits the
value string via the pattern.Function spec
split(value:
<string>, pattern:
<string |
regex>,
[limit:
<integer>])
:: <array>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to split. | yes | |
| pattern | string regex | The string is split whenever this pattern is matched. | yes | |
| limit | integer | The maximum number of substrings to return. | no |
starts_with
infallibleDetermines whether the
value begins with the substring.Function spec
starts_with(value:
<string>, substring:
<string>,
[case_sensitive:
<boolean>])
:: <boolean>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to search. | yes | |
| substring | string | The substring that the value must start with. | yes | |
| case_sensitive | boolean | Whether the match should be case sensitive. | true | no |
strip_ansi_escape_codes
infallibleStrips ANSI escape codes from the
value.strip_whitespace
infallibleStrips whitespace from the start and end of the
value, where whitespace is defined by the Unicode
White_Space propertytruncate
infallibleTruncates the
value string up to the limit number of characters.Function spec
truncate(value:
<string>, limit:
<integer |
float>, ellipsis:
<boolean>)
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | string | The string to truncate. | yes | |
| limit | integer float | The number of characters to truncate the string after. | yes | |
| ellipsis | boolean | An ellipsis (...) is appended if this is set to true and the value string ends up being
truncated because it’s exceeded the limit. | yes |
upcase
infallibleUpcases the
value, where “upcase” is defined according to the terms of the Unicode Derived Core Property
Uppercase.System functions
get_env_var
fallibleReturns the value of the environment variable specified by
name.Function spec
get_env_var(name:
<string>)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| name | string | The name of the environment variable. | yes |
Errors
Theget_env_var function is fallible, which means that
error handling is required for these errors:Environment variable
name doesn’t existValue of environment variable
name isn’t valid Unicodeget_hostname
fallibleReturns the local system’s hostname.
Function spec
get_hostname()
:: <string>
, <error>
required
optional
<types | ...>
Errors
Theget_hostname function is fallible, which means that
error handling is required for these errors:Internal hostname resolution failed.
Timestamp functions
format_timestamp
infallibleFormats the
value into a string representation of the timestamp.Function spec
format_timestamp(value:
<timestamp>, format:
<string>)
:: <string>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | timestamp | The timestamp to format as text. | yes | |
| format | string | The format string as described by the Chrono library. | yes |
now
infallibleReturns the current timestamp in the UTC timezone with nanosecond precision.
Type functions
array
fallibleReturns the
value if it’s an array and errors otherwise. This enables the type checker to guarantee that the
returned value is an array and can be used in any function that expects one.Function spec
array(value:
<any>)
:: <array>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value that you need to ensure is an array. | yes |
Errors
Thearray function is fallible, which means that
error handling is required for these errors:value isn’t an array.bool
fallibleReturns the
value if it’s a Boolean and errors otherwise. This enables the type checker to guarantee that the
returned value is a Boolean and can be used in any function that expects one.Function spec
bool(value:
<any>)
:: <boolean>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value that you need to ensure is a Boolean. | yes |
Errors
Thebool function is fallible, which means that
error handling is required for these errors:value isn’t a Boolean.float
fallibleReturns the
value if it’s a float and errors otherwise. This enables the type checker to guarantee that the
returned value is a float and can be used in any function that expects one.Function spec
float(value:
<any>)
:: <float>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value that you need to ensure is a float. | yes |
Errors
Thefloat function is fallible, which means that
error handling is required for these errors:value isn’t a float.int
fallibleReturns the
value if it’s an integer and errors otherwise. This enables the type checker to guarantee that the
returned value is an integer and can be used in any function that expects one.Function spec
int(value:
<any>)
:: <integer>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value that you need to ensure is an integer. | yes |
Errors
Theint function is fallible, which means that
error handling is required for these errors:value is not an integer.is_array
infallibleCheck if the type of a
value is an array or not.is_boolean
infallibleCheck if the type of a
value is a boolean or not.is_float
infallibleCheck if the type of a
value is a float or not.is_integer
infallibleCheck if the type of a
value is an integer or not.is_null
infallibleis_nullish
infallibleDetermines whether the
value is “nullish,” where nullish denotes the absence of a
meaningful value.is_object
infallibleCheck if the type of a
value is an object or not.is_regex
infallibleCheck if the type of a
value is a regex or not.is_string
infallibleCheck if the type of a
value is a string or not.is_timestamp
infallibleCheck if the type of a
value is a timestamp or not.object
fallibleReturns the
value if it’s an object and errors otherwise. This enables the type checker to guarantee that the
returned value is an object and can be used in any function that expects one.Function spec
object(value:
<any>)
:: <object>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value that you need to ensure is an object. | yes |
Errors
Theobject function is fallible, which means that
error handling is required for these errors:value isn’t an object.string
fallibleReturns the
value if it’s a string and errors otherwise. This enables the type checker to guarantee that the
returned value is a string and can be used in any function that expects one.Function spec
string(value:
<any>)
:: <string>
, <error>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value that you need to ensure is a string. | yes |
Errors
Thestring function is fallible, which means that
error handling is required for these errors:value isn’t a string.tag_types_externally
infallibleAdds type information to all (nested) scalar values in the provided value.
The type information is added externally, meaning that value has the shape of "type": value after this
transformation.
Function spec
tag_types_externally(value:
<any>)
:: <object | array | null>
required
optional
<types | ...>
| Argument | Type | Description | Default | Required? |
|---|---|---|---|---|
| value | any | The value to tag with types. | yes |
Examples
Tag types externally (object)
Source
tag_types_externally({
"message": "Hello world",
"request": {
"duration_ms": 67.9
}
})Return
{
"message": {
"string": "Hello world"
},
"request": {
"duration_ms": {
"float": 67.9
}
}
}timestamp
fallibleReturns the
value if it’s a timestamp and errors otherwise. This enables the type checker to guarantee that
the returned value is a timestamp and can be used in any function that expects one.