
Action: script

Set fields to computed values, optionally only when a condition holds

Available functions:

  • round(x) returns the nearest integer to a floating point number, like round(tmillis/1000). Useful for converting bytes to kB, milliseconds since epoch to seconds since epoch, etc.
  • sec_s() will return seconds since epoch, sec_ms() milliseconds since epoch.
  • cidr(addr, spec) will match an IPv4 network address against a CIDR specification like '10.0.0.0/24'.
  • ip2asn uses the Team Cymru services to match IP addresses to domain names.
  • cond(condition, value1, value2) is a useful function that will return value1 if condition is true, otherwise returns value2. E.g. status: cond(istat > 0,"ok","error").
  • hashes:
    • md5(txt)
    • sha1(txt)
    • sha256(txt)
    • sha512(txt)
  • uuid() returns a new unique identifier on each call

See the full discussion
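
The functions above combined in the let field of one script action (let is described under Fields below). This is an added example, not from the original documentation. The event and its field names src_ip, user and tmillis are constructed, and the snippet assumes cidr returns a boolean that cond accepts as its condition.

```yaml
# Constructed input event (field names are hypothetical):
#   {"src_ip":"10.0.0.17","user":"alice","tmillis":1700000000123}
script:
  let:
  # Tag the event by network zone: cidr() matches the address against the spec.
  - zone: cond(cidr(src_ip, '10.0.0.0/24'), "internal", "external")
  # Add a SHA-256 digest of the user name as a correlation key;
  # let only adds fields, so the original user field stays in the event.
  - user_hash: sha256(user)
  # Convert the event's millisecond timestamp to seconds since epoch.
  - event_s: round(tmillis/1000)
  # Record when the event was processed and give it a unique id.
  - processed_s: sec_s()
  - event_id: uuid()
```

An unsalted hash of a low-entropy value such as a user name can be recovered by hashing candidate names, so treat user_hash as a join key rather than as anonymisation. With overwrite left at its default of false, none of these assignments replaces a field that already exists on the event.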

Field Summary

| Field Name | Type | Description | Default |
| --- | --- | --- | --- |
| condition | expression | Performs the operations only when the expression evaluates to true | - |
| overwrite | bool | Overwrite a field if it already exists | false |
| let | array of (field,expression) pairs | Add calculated values to the event | - |
| set | array of (field,value) pairs | Add constants to the event | - |
| load | path | Load a file containing Lua functions into the current context | - |
| run | string | Run the specified function on each action | - |

Fields

condition

Type: expression

Performs the operations only when the expression evaluates to true

Example

Input:

{"num":1}

Pipe Language Snippet:

script:
  condition: num == 1
  let:
  - is_one: "true"

Output:

{"num":1,"is_one":true}

Example: Non-matching condition

Input:

{"num":2}

Pipe Language Snippet:

script:
  condition: num == 1
  let:
  - is_one: "true"

Output:

{"num":2}

overwrite

Type: bool

Default: false

Overwrite a field if it already exists

let

Type: array of (field,expression) pairs

Add calculated values to the event

Example

Input:

{"one":1,"two":2}

Pipe Language Snippet:

script:
  let:
  - one_plus_two: one + two

Output:

{"one":1,"two":2,"one_plus_two":3}

Example: Array access (note 1-based index)

Input:

{"one_two":[1,2]}

Pipe Language Snippet:

script:
  let:
  - one: one_two[1]
  - two: one_two[2]

Output:

{"one_two":[1,2],"one":1,"two":2}

Example: Subfield access

Input:

{"data":{"one":1,"two":2}}

Pipe Language Snippet:

script:
  let:
  - one: data.one
  - two: data.two

Output:

{"data":{"one":1,"two":2},"one":1,"two":2}

set

Type: array of (field,value) pairs

Add constants to the event

Example

Input:

{"one":1,"two":2}

Pipe Language Snippet:

script:
  set:
  - three: 3
  - four: four

Output:

{"one":1,"two":2,"three":3,"four":"four"}

load

Type: path

Load a file containing Lua functions into the current context

run

Type: string

Run the specified function on each action