These docs are for Cribl Stream 4.8 and are no longer actively maintained.

See the latest version (4.15).

Unroll

The Unroll Function accepts an array field – or an expression to evaluate an array field – and breaks/unrolls the array into individual events.

Usage

​

Filter: Filter expression (JS) that selects data to feed through the Function. Defaults to true, meaning it evaluates all events.

Description: Simple description of this Function. Defaults to empty.

Final: If toggled to Yes, stops feeding data to the downstream Functions. Defaults to No.

Source field expression: Field in which to find/calculate the array to unroll. E.g.: _raw, _raw.split(/\n/). Defaults to _raw.

Destination field: Field (within the destination event) in which to place the unrolled value. Defaults to _raw.

Example

​

Assume we want to break/unroll each line of this event:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.5 38000 5356 ? Ss 2018 2:02 /lib/systemd/systemd --system --deserialize 28 root 2 0.0 0.0 0 0 ? S 2018 0:00 [kthreadd] root 3 0.0 0.0 0 0 ? S 2018 1:51 [ksoftirqd/0] root 5 0.0 0.0 0 0 ? S< 2018 0:00 [kworker/0:0H] root 7 0.0 0.0 0 0 ? S 2018 3:55 [rcu_sched] root 8 0.0 0.0 0 0 ? S 2018 0:00 [rcu_bh]

Settings

​

Source field expression: _raw.split(/\n/)

The split() JavaScript method breaks _raw into an ordered set of substrings/values, puts these values into an array, and returns the array.

Destination field: _raw

Event 1: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND  Event 2: root 1 0.0 0.5 38000 5356 ? Ss 2018 2:02 /lib/systemd/systemd --system --deserialize 28  Event 3: root 2 0.0 0.0 0 0 ? S 2018 0:00 [kthreadd]  Event 4: root 3 0.0 0.0 0 0 ? S 2018 1:51 [ksoftirqd/0]  Event 5: root 5 0.0 0.0 0 0 ? S< 2018 0:00 [kworker/0:0H]  Event 6: root 7 0.0 0.0 0 0 ? S 2018 3:55 [rcu_sched]  Event 7: root 8 0.0 0.0 0 0 ? S 2018 0:00 [rcu_bh]