vrl

package
v1.65.6
Published: Nov 22, 2024 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Args

type Args map[string]interface{}

Args for rendering VRL rules.

type Rule

type Rule string

Rule is a representation of a VRL rule.

const BackslashMultilineRule Rule = `
matched, err = match(.message, r'[^\\]$');
if err != null {
    false;
} else {
    matched;
}
`

BackslashMultilineRule treats all lines ending with the backslash symbol as parts of a single line.

Example: ---

first line \
one more line \
the end

const CEFNameAndSeverity Rule = `` /* 643-byte string literal not displayed */

CEFNameAndSeverity sets default values for CEF encoding. It also maps Falco priority values to severity so that they can be used for CEF.

const CleanUpAfterSourceRule Rule = `` /* 403-byte string literal not displayed */

CleanUpAfterSourceRule is a general cleanup rule to sanitize the final message. It should always be the first rule in the transforms chain to avoid unexpected data leaks to transform rules.

const DateTimeRule Rule = `
if exists(."timestamp") {
  ."datetime" = ."timestamp"
}
`

DateTimeRule copies time to the datetime field. Only relevant if the Splunk destination is used.

const DeDotRule Rule = `` /* 130-byte string literal not displayed */

DeDotRule replaces all dots in Kubernetes labels to avoid Elasticsearch treating them as nested objects.

Related issue: https://github.com/timberio/vector/issues/3588

P.S. pod_labels is always an object type if it is present, so we can panic on error here.

const FilterDoesNotExistRule Rule = `
!exists(.{{ $.filter.Field }})
`

FilterDoesNotExistRule returns true if there is no label in the log message.

const FilterExistsRule Rule = `
exists(.{{ $.filter.Field }})
`

FilterExistsRule checks whether a label exists in the log message.

const FilterInRule Rule = `` /* 370-byte string literal not displayed */

FilterInRule checks that the provided label value is in the following list.

const FilterNotInRule Rule = `` /* 371-byte string literal not displayed */

FilterNotInRule checks that the provided label value is out of the following list.

const FilterNotRegexRule Rule = `` /* 345-byte string literal not displayed */

FilterNotRegexRule ensures that the label exists and does not match any of the provided regexes.

const FilterRegexRule Rule = `` /* 139-byte string literal not displayed */

FilterRegexRule checks that a particular label matches any of the provided regexes.

const GELFCodecRelabeling Rule = `` /* 548-byte string literal not displayed */

GELFCodecRelabeling applies a set of rules to prevent encoding failures:

  1. If host field is missing, set it to node.
  2. Delete timestamp_end (not used by Graylog).
  3. Change timestamp field type to timestamp.
  4. Flatten the record because GELF does not support nested json objects.
  5. Replace dots in keys with underscores.
  6. Convert all values to strings except bool and int.
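
The steps above, sketched in Go as an added example (this is not the package's VRL rule, whose text is not displayed on this page). `gelfRelabel` and `flatten` are hypothetical names, the `_` separator for nested keys is an assumption, and step 3 is left out.

```go
package main

import (
	"fmt"
	"strings"
)

// gelfRelabel is a hypothetical Go rendition of steps 1, 2, 4, 5 and 6.
// Step 3 is omitted: a plain Go map has no VRL timestamp type to convert to.
func gelfRelabel(rec map[string]interface{}) map[string]interface{} {
	out := map[string]interface{}{}
	flatten("", rec, out) // steps 4-6
	if _, ok := out["host"]; !ok { // step 1: fall back to the node name
		if node, ok := out["node"]; ok {
			out["host"] = node
		}
	}
	delete(out, "timestamp_end") // step 2: not used by Graylog
	return out
}

// flatten writes nested keys as parent_child (separator is an assumption).
func flatten(prefix string, in, out map[string]interface{}) {
	for k, v := range in {
		key := prefix + strings.ReplaceAll(k, ".", "_") // step 5
		switch t := v.(type) {
		case map[string]interface{}:
			flatten(key+"_", t, out) // step 4
		case bool, int, int64:
			out[key] = t // step 6: bool and int keep their type
		default:
			out[key] = fmt.Sprint(t) // step 6: everything else becomes a string
		}
	}
}

func main() {
	// Constructed sample record, not taken from a real cluster.
	rec := map[string]interface{}{
		"node": "worker-1", "timestamp_end": "2024-11-22T10:00:01Z",
		"message": "started", "restarts": 3, "ready": true, "cpu": 0.25,
		"pod_labels": map[string]interface{}{"app.kubernetes.io/name": "api"},
	}
	fmt.Println(gelfRelabel(rec))
}
```
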

const GeneralMultilineRule Rule = `` /* 255-byte string literal not displayed */

GeneralMultilineRule appends all lines starting with a space/tab to the previous line.

Example: ---

start of the line:
  following line
  one more line

const JSONMultilineRule Rule = `
matched, err = match(.message, r'^\{');
if err != null {
    false;
} else {
    matched;
}
`

JSONMultilineRule parses multiline JSON formatted documents.

Example: ---

{
  "Start": "first_line",
  "Next": "following line"
}

const LocalTimezoneRule Rule = `` /* 326-byte string literal not displayed */

LocalTimezoneRule formats all timestamps with a local timezone. Example: 2019-10-12T07:20:50.52Z -> 2019-10-12T09:20:50.52+02:00 for the Europe/Berlin timezone

const LogWithTimeMultilineRule Rule = `` /* 763-byte string literal not displayed */

LogWithTimeMultilineRule treats any date/timestamp as the start of a line. All following lines will be appended.

Example: ---

2022-10-10 11:10 start of the line
following line
one more line
2022-10-10 11:11 a new line

const NotRegexMultilineRule Rule = `
matched, err = match(.message, r'{{ $.multiline }}');
if err != null {
    true;
} else {
    !matched;
}
`

const OwnerReferenceRule Rule = `` /* 704-byte string literal not displayed */

OwnerReferenceRule converts replicaset and job owner references to deployment and cronjob if necessary.

Pods created by the deployment controller always have a pod hash annotation and are owned by a replica set with this hash (this is to avoid replicaset name collisions).

Pods created by the cronjob controller are always owned by a job whose name ends with numbers. These numbers are a hash of the timestamp at which the job should be executed (to avoid executing the job twice at the same time).

const ParseJSONRule Rule = `` /* 179-byte string literal not displayed */

ParseJSONRule provides the message data as an object for future modifications/validations. Parsed data will be equal to message to simplify further transformations, e.g., log filtering.

It is usually used in combination with other rules.

const ParsedDataCleanUpRule Rule = `
if exists(.parsed_data) {
    del(.parsed_data)
}
`

ParsedDataCleanUpRule cleans up the temporary parsed data object.

const RegexMultilineRule Rule = `
matched, err = match(.message, r'{{ $.multiline }}');
if err != null {
    false;
} else {
    matched;
}
`

const StreamRule Rule = `
."@timestamp" = del(.timestamp)
`

StreamRule puts the Vector timestamp into the label recognized by Elasticsearch.

const SyslogEncodingRule Rule = `` /* 819-byte string literal not displayed */

func Combine

func Combine(r1, r2 Rule) Rule

func (Rule) Render

func (r Rule) Render(args Args) (string, error)

Render returns the formatted VRL rule with the provided args.
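
How the `{{ $.filter.Field }}` placeholder in FilterExistsRule is filled, as an added example that is not the package's own code. It assumes Render follows Go `text/template` semantics, under which the value is placed into the VRL source unescaped, so the sketch checks the field name first; `renderFilter` and the `fieldPath` allow-list are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Rule text copied from FilterExistsRule on this page.
const filterExistsRule = `
exists(.{{ $.filter.Field }})
`

// fieldPath is a hypothetical allow-list: dot-separated identifiers only.
var fieldPath = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$`)

// renderFilter is a hypothetical stand-in for Rule.Render, assuming
// text/template semantics. It refuses field names that are not plain paths,
// because the value ends up verbatim inside VRL source text.
func renderFilter(rule, field string) (string, error) {
	if !fieldPath.MatchString(field) {
		return "", fmt.Errorf("field %q is not a plain VRL path", field)
	}
	tpl, err := template.New("rule").Option("missingkey=error").Parse(rule)
	if err != nil {
		return "", err
	}
	// Same shape as Args: map[string]interface{} with a nested "filter" map.
	args := map[string]interface{}{
		"filter": map[string]interface{}{"Field": field},
	}
	var out strings.Builder
	if err := tpl.Execute(&out, args); err != nil {
		return "", err
	}
	return strings.TrimSpace(out.String()), nil
}

func main() {
	// Constructed inputs: one plain path, one malformed value.
	for _, f := range []string{"parsed_data.level", "level) || true"} {
		out, err := renderFilter(filterExistsRule, f)
		fmt.Printf("%q -> %q, err=%v\n", f, out, err)
	}
}
```
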

func (Rule) String

func (r Rule) String() string

String returns string representation of the rule.
