The following lists describe built-in Graylog functions by category. The lists are in alphabetical order.
Boolean
Boolean data is primarily associated with conditional statements, which allow different actions by changing control flow depending on whether a condition evaluates to true or false. Boolean functions determine Boolean values or operators.
| Function | Description |
|---|---|
| grok_exists | Checks if the given Grok pattern exists. |
| is_boolean | Checks whether a value is a boolean value (true or false). |
| is_collection | Checks whether a value is an iterable collection. |
| is_date | Checks whether a value is a date (of type DateTime). |
| is_double | Checks whether a value is a floating point value (of type double). |
| is_ip | Checks whether a value is an IP address (IPv4 or IPv6). |
| is_json | Checks whether a value is a parsed JSON tree. |
| is_list | Checks whether a value is an iterable list. |
| is_long | Checks whether a value is an integer value (of type long). |
| is_map | Checks whether a value is a map. |
| is_not_null | Checks whether a value is not null. |
| is_null | Checks whether a value is null. |
| is_number | Checks whether a value is a numeric value (of type long or double). |
| is_period | Checks whether a value is a time period (of type Period). |
| is_string | Checks whether a value is a string. |
| is_url | Checks whether a value is a parsed URL. |
| key_value | Extracts key/value pairs from a string. |
| lookup_string_list_contains | Looks up a value in the string list referenced by the key in the named lookup table. |
Boolean/Message Function
| Function | Description |
|---|---|
| cidr_match | Checks whether the given IP matches a CIDR pattern. |
| has_field | Checks whether the currently processed message contains the named field. |
Conversion
These are used to convert a value from one format to another.
| Function | Description |
|---|---|
| expand_syslog_priority | Converts a syslog priority number to its level and facility. |
| expand_syslog_priority_as_string | Converts a syslog priority number to its level and facility string representations. |
| syslog_facility | Converts a syslog facility number to its string representation. |
| syslog_level | Converts a syslog level number to its string representation. |
| to_bool | Converts the single parameter to a boolean value using its string value. |
| to_date | Converts a type to a date. |
| to_double | Converts the first parameter to a double floating point value. |
| to_ip | Converts the given string to an IP object. |
| to_long | Converts the first parameter to a long integer value. |
| to_map | Converts a value to a map. |
| to_string | Converts the first parameter to its string representation. |
| to_url | Converts a value to a valid URL using its string representation. |
Date/Time
A DateTime function performs an action or calculation on a date and time value.
| Function | Description |
|---|---|
| days | Create a period with a specified number of days. |
| flex_parse_date | Attempts to parse a date and time using the Natty date parser. |
| format_date | Formats a date and time according to a given formatter pattern. |
| millis | Can return either the Unix epoch value or the duration in milliseconds. |
| minutes | Creates a period with a specified number of minutes. |
| months | Creates a period with a specified number of months. |
| seconds | Creates a period with a specified number of seconds. |
| now | Returns the current date and time. |
| parse_date | Parses a date and time from the given string, according to a strict pattern. |
| parse_unix_milliseconds | Attempts to parse a UNIX millisecond timestamp (milliseconds since 1970-01-01T00:00:00.000Z). |
| period | Parses an ISO 8601 period from the specified string. |
| weeks | Creates a period with a specified number of weeks. |
| years | Creates a period with a specified number of years. |
| hours | Create a period with a specified number of hours. |
Debug
These functions are used to determine the state of your program at any point of execution.
| Function | Description |
|---|---|
| metric_counter_inc | The counter metric name, will always be prefixed with 'org.graylog.rulemetrics.' |
| debug | Print the passed value as a string in the Graylog log. |
Encoding
Encoding functions enable you to decode and convert strings.
| Function | Description |
|---|---|
| murmur3_128 | Returns the hex encoded MurmurHash3 (128-bit) digest of the given string. |
| murmur3_32 | Returns the hex encoded MurmurHash3 (32-bit) digest of the given string. |
| sha1 | Returns the hex encoded SHA1 digest of the given string. |
| sha256 | Returns the hex encoded SHA256 digest of the given string. |
| sha512 | Returns the hex encoded SHA512 digest of the given string. |
List
These functions create a collection that can be manipulated for your analysis.
| Function | Description |
|---|---|
| first_non_null | Returns first non null element found in value. |
Lookups
Lookup functions enable you to search a database for a value, then return other information from the same record.
| Function | Description |
|---|---|
| lookup | Looks up a multi value in the named lookup table. |
| lookup_add_string_list | Lookup table manipulation. |
| lookup_clear_key | Lookup table manipulation. |
|
Lookup table manipulation. |
|
| lookup_remove_string_list | Lookup table manipulation. |
| lookup_set_value | Lookup table manipulation. |
| lookup_string_list | Lookup table manipulation. |
| lookup_set_string_list | Lookup table manipulation. |
| lookup_value | Looks up a single value in the named lookup table. |
Map
Map functions apply a given function to each element of a collection.
| Function | Description |
|---|---|
| select_jsonpath | Selects one or more named JSON Path expressions from a JSON tree. |
Message Handling
These functions define what is to be done in response to a message.
| Function | Description |
|---|---|
| clone_message | Clones a message. |
| create_message | Creates a new message which will be evaluated by the entire processing pipeline. |
| drop_message | This currently processed message will be removed from the processing pipeline after the rule finishes. |
| from_input | Checks whether the current message was received by the given input. |
| remove_field | Removes the named field from the currently processed message. |
| remove_from_stream | Removes the current message from the specified stream. |
| rename_field | Renames a message field. |
| route_to_stream | Assigns the current message to the specified stream. |
| set_field | Sets the name field to the given value in the currently processed message. |
| set_fields | Sets multiple fields to the given values in the currently processed message. |
| traffic_accounting_size | Calculates the current size of the message as used by the traffic accounting system. |
Pattern Matching
Specify patterns to which some data should conform and deconstructs the data according to those patterns.
| Function | Description |
|---|---|
| grok | Applies a Grok pattern to a string. |
| regex | Matches a regular expression against a string, with matcher groups. |
| regex_replace | Matches a regular expression against a string and replace with string. |
String Functions
These functions are used to manipulate a string or query information about a string.
| Function | Description |
|---|---|
| abbreviate | Abbreviates a String using ellipses. |
| base16_decode | base16 decoding of the string. |
| base16_encode | base16 encoding of the string. |
| base32_decode | base32 decoding of the string. |
| base32_encode | base32 encoding of the string. |
| base32human_decode | base32 (human-friendly) decoding of the string. |
| base32human_encode | base32 (human-friendly) encoding of the string. |
| base64_decode | base64 decoding of the string. |
| base64_encode | base64 encoding of the string. |
| base64url_decode | base64 (URL-safe) decoding of the string. |
| base64url_encode | base64 (URL-safe) encoding of the string. |
| capitalize | Capitalizes a String changing the first letter to title case. |
| concat | Concatenates two strings. |
| contains | Checks if a string contains another string. |
| ends_with | Checks if a string ends with a given suffix. |
| flatten_json | Parses a string as a JSON tree while flattening all containers to a single level. |
| join | Joins the elements of the provided array into a single String. |
| lowercase | Converts a String to lower case. |
| length | Counts the characters or bytes in a string. |
| md5 | Returns the hex encoded MD5 digest of the given string. |
| split | Splits a string around matches of this pattern (Java syntax). |
| starts_with | Checks if a string starts with a given prefix. |
|
Computes Shannon's entropy of the character distribution in the given string. |
|
| substring | Returns a substring of value with the given start and end offsets. |
| swapcase | Swaps the case of a String. |
| parse_json | Parses a string into a JSON tree. |
| replace | Replaces the first “max” or all occurrences of a string within another string. |
| uncapitalize | Uncapitalizes a String changing the first letter to lower case. |
| uppercase | Converts a String to upper case. |
| urldecode | Decodes a application/x-www-form-urlencoded string using a specific encoding scheme. |
| urlencode | Translates a string into application/x-www-form-urlencoded format using a specific encoding scheme. |
String Function/Encoding
| Function | Description |
|---|---|
| crc32 | Returns the hex encoded CRC32 digest of the given string. |
| crc32c | Returns the hex encoded CRC32C (RFC 3720, Section 12.1) digest of the given string. |
