Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Rule
type Rule string
Rule is a representation of a VRL rule.
const BackslashMultilineRule Rule = `
matched, err = match(.message, r'[^\\]$');
if err != null {
    false;
} else {
    matched;
}
`
BackslashMultilineRule treats all lines ending with a backslash as parts of a single line. The condition itself is true for a line whose last character is not a backslash.
Example:
---
first line \
one more line \
the end
const CEFNameAndSeverity Rule = `` /* 643-byte string literal not displayed */
CEFNameAndSeverity sets default values for CEF encoding. It also maps Falco priority values to severity so that they can be used with CEF.
const CleanUpAfterSourceRule Rule = `` /* 403-byte string literal not displayed */
CleanUpAfterSourceRule is a general cleanup rule to sanitize the final message. It should always be the first rule in the transforms chain to avoid unexpected data leaks to transform rules.
const DateTimeRule Rule = `
if exists(."timestamp") {
    ."datetime" = ."timestamp"
}
`
DateTimeRule copies time to the datetime field. Only relevant if the Splunk destination is used.
const DeDotRule Rule = `` /* 130-byte string literal not displayed */
DeDotRule replaces all dots in Kubernetes labels to avoid Elasticsearch treating them as nested objects.
Related issue: https://github.com/timberio/vector/issues/3588
P.S. pod_labels is always an object type if it is present, so we can panic on error here.
const FilterDoesNotExistRule Rule = `
!exists(.{{ $.filter.Field }})
`
FilterDoesNotExistRule returns true if there is no label in the log message.
const FilterExistsRule Rule = `
exists(.{{ $.filter.Field }})
`
FilterExistsRule checks whether a label exists in the log message.
const FilterInRule Rule = `` /* 370-byte string literal not displayed */
FilterInRule checks that the provided label value is in the following list.
const FilterNotInRule Rule = `` /* 371-byte string literal not displayed */
FilterNotInRule checks that the provided label value is not in the following list.
const FilterNotRegexRule Rule = `` /* 345-byte string literal not displayed */
FilterNotRegexRule ensures that the label exists and does not match any of the provided regexes.
const FilterRegexRule Rule = `` /* 139-byte string literal not displayed */
FilterRegexRule checks that a particular label matches any of the provided regexes.
const GELFCodecRelabeling Rule = `` /* 548-byte string literal not displayed */
GELFCodecRelabeling applies a set of rules to prevent encoding failures:
- If host field is missing, set it to node.
- Delete timestamp_end (not used by Graylog).
- Change timestamp field type to timestamp.
- Flatten the record because GELF does not support nested json objects.
- Replace dots in keys with underscores.
- Convert all values to strings except bool and int.
const GeneralMultilineRule Rule = `` /* 255-byte string literal not displayed */
GeneralMultilineRule appends all lines starting with a space or tab to the previous line.
Example:
---
start of the line:
  following line
  one more line
const JSONMultilineRule Rule = `
matched, err = match(.message, r'^\{');
if err != null {
    false;
} else {
    matched;
}
`
JSONMultilineRule parses multiline JSON formatted documents.
Example:
---
{
  "Start": "first_line",
  "Next": "following line"
}
const LocalTimezoneRule Rule = `` /* 326-byte string literal not displayed */
LocalTimezoneRule formats all timestamps with a local timezone. Example: 2019-10-12T07:20:50.52Z -> 2019-10-12T09:20:50.52+02:00 for the Europe/Berlin timezone
const LogWithTimeMultilineRule Rule = `` /* 763-byte string literal not displayed */
LogWithTimeMultilineRule treats any date/timestamp as the start of a line. All following lines will be appended to it.
Example:
---
2022-10-10 11:10 start of the line
following line
one more line
2022-10-10 11:11 a new line
const NotRegexMultilineRule Rule = `
matched, err = match(.message, r'{{ $.multiline }}');
if err != null {
    true;
} else {
    !matched;
}
`
const OwnerReferenceRule Rule = `` /* 704-byte string literal not displayed */
OwnerReferenceRule converts replicaset and job owner reference to deployment and cronjob if necessary.
Pods created by the deployment controller always have a pod hash annotation and are owned by a replica set with this hash (this avoids replica set name collisions).
Pods created by the cronjob controller are always owned by a job whose name ends with numbers. These numbers are a hash of the timestamp at which the job should be executed (to avoid executing the job twice at the same time).
const ParseJSONRule Rule = `` /* 179-byte string literal not displayed */
ParseJSONRule provides the message data as an object for future modifications/validations. Parsed data will be equal to message to simplify further transformations, e.g., log filtering.
It is usually used in combination with other rules.
const ParsedDataCleanUpRule Rule = `
if exists(.parsed_data) {
    del(.parsed_data)
}
`
ParsedDataCleanUpRule cleans up the temporary parsed data object.
const RegexMultilineRule Rule = `
matched, err = match(.message, r'{{ $.multiline }}');
if err != null {
    false;
} else {
    matched;
}
`
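The `{{ $.filter.Field }}` and `{{ $.multiline }}` placeholders in FilterExistsRule and RegexMultilineRule mean that caller-supplied values become VRL source text, so they need validating before rendering. The following is an added example, not code from this package: it assumes the rules are rendered with Go's text/template, and the function names, the field-name pattern and the quote check are hypothetical; Go's regexp syntax only approximates the regex dialect VRL uses.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Rule bodies as shown on the page (surrounding blank lines trimmed).
const filterExistsRule = "exists(.{{ $.filter.Field }})"
const regexMultilineRule = "matched, err = match(.message, r'{{ $.multiline }}');\nif err != null {\n    false;\n} else {\n    matched;\n}\n"

// Assumption: a field is one plain path segment; anything else is rejected, not quoted.
var fieldRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

func render(rule string, args map[string]interface{}) (string, error) {
	t, err := template.New("rule").Option("missingkey=error").Parse(rule)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	err = t.Execute(&b, args) // text/template does no escaping of its own
	return b.String(), err
}

// RenderFilterExists validates the field name before it becomes VRL source.
func RenderFilterExists(field string) (string, error) {
	if !fieldRe.MatchString(field) {
		return "", fmt.Errorf("invalid field name %q", field)
	}
	return render(filterExistsRule, map[string]interface{}{"filter": map[string]string{"Field": field}})
}

// RenderRegexMultiline rejects patterns that could end the r'...' literal or do not compile.
func RenderRegexMultiline(pattern string) (string, error) {
	if strings.ContainsAny(pattern, "'\n") {
		return "", fmt.Errorf("pattern must not contain a single quote or newline")
	}
	if _, err := regexp.Compile(pattern); err != nil {
		return "", err
	}
	return render(regexMultilineRule, map[string]interface{}{"multiline": pattern})
}

func main() {
	fmt.Println(RenderFilterExists("namespace"))
	fmt.Println(RenderRegexMultiline(`^\d{4}-\d{2}-\d{2}`))
}
```

Rejecting every single quote is deliberately conservative; a legitimate pattern that needs one has to be handled by a stricter escaper for VRL raw strings.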
const StreamRule Rule = `
."@timestamp" = del(.timestamp)
`
StreamRule moves the Vector timestamp to the label recognized by Elasticsearch.
const SyslogEncodingRule Rule = `` /* 819-byte string literal not displayed */