Core functions
The following functions are exported by core.
- integer
dayofweek(datetime datetime)
-
Return the number of days since Sunday in the range of 0-6.
- integer
dayofweek(datetime datetime, boolean utc)
-
Return the number of days since Sunday in the range of 0-6. Optionally in UTC time if utc is set to TRUE, localtime if FALSE. If not set, honors the GenerateDateInUTC directive.
- integer
dayofyear(datetime datetime)
-
Return the day number of the year in the range of 1-366.
- integer
dayofyear(datetime datetime, boolean utc)
-
Return the day number of the year in the range of 1-366. Optionally in UTC time if utc is set to TRUE, localtime if FALSE. If not set, honors the GenerateDateInUTC directive.
- boolean
dropped()
-
Return TRUE if the currently processed event has already been dropped.
- boolean
failed_over()
-
Returns TRUE if the current module is not connected to the first configured Host.
- datetime
fix_year(datetime datetime)
-
Return a corrected datetime value for a datetime which was parsed with a missing year, such as BSD Syslog or Cisco timestamps. The current year is used unless it would result in a timestamp that is more than 30 days in the future, in which case the previous year is used instead. If using the current year results in a timestamp that is less than or equal to 30 days in the future, it is assumed that the source device’s clock is incorrect (and the returned datetime value will be up to 30 days in the future).
- string
get_instance_id()
-
Return the NXLog agent unique identifier (UID).
- integer
get_rand()
-
Return a random integer value.
- unknown
get_registryvalue(string mainkey, string subkeys, string valuename, boolean 64bit_view)
-
Return a value from the Windows Registry. mainkey must be one of the following predefined registry keys: HKCC, HKU, HKCU, HKCR, or HKLM. subkeys must be a series of backslash-separated valid Registry keys to open from mainkey. valuename must be a valid name of a value in the last key of the subkeys. If 64bit_view is FALSE, then it indicates that 64-bit Windows should operate on the 32-bit Registry view; otherwise 64-bit Windows should operate on the 64-bit Registry view. Returns the value belonging to valuename. Returns undef if valuename or any of the subkeys cannot be accessed in the Registry.
- string
get_uuid()
-
Return a UUID string.
- ipaddr
host_ip()
-
Return the first non-loopback IP address the hostname resolves to.
- string
hostname()
-
Return the hostname (short form).
- string
hostname_fqdn()
-
Return the FQDN hostname. This function will return the short form if the FQDN hostname cannot be determined.
- string
md5sum(unknown arg)
-
Return the MD5 hash of arg as a hexadecimal string. arg can be either string or binary.
- unknown
md5sum(unknown arg, boolean isbinary)
-
Return the MD5 hash of arg as a binary value or a hexadecimal string. When isbinary is TRUE, the return type will be binary. arg can be either string or binary.
- integer
microsecond(datetime datetime)
-
Return the microsecond part of the time value.
- integer
microsecond(datetime datetime, boolean utc)
-
Return the microsecond part of the time value. Optionally in UTC time if utc is set to TRUE, localtime if FALSE. If not set, honors the GenerateDateInUTC directive.
- datetime
now()
-
Return the current time.
- string
nxlog_version()
-
Return the NXLog version string.
- datetime
parsedate(string arg)
-
Parse a string containing a timestamp. Dates without timezone information are treated as local time. The current year is used for formats that do not include the year. An undefined datetime type is returned if the argument cannot be parsed, so that the user can fix the error (for example, $EventTime = parsedate($somestring); if not defined($EventTime) $EventTime = now();). Supported timestamp formats are listed below.
- RFC 3164 (legacy Syslog) and variations
-
Nov 6 08:49:37
Nov 6 08:49:37
Nov 06 08:49:37
Nov 3 14:50:30.403
Nov 3 14:50:30.403
Nov 03 14:50:30.403
Nov 3 2005 14:50:30
Nov 3 2005 14:50:30
Nov 03 2005 14:50:30
Nov 3 2005 14:50:30.403
Nov 3 2005 14:50:30.403
Nov 03 2005 14:50:30.403
Nov 3 14:50:30 2005
Nov 3 14:50:30 2005
Nov 03 14:50:30 2005
- RFC 1123
-
RFC 1123 compliant dates are also supported, along with a few similar formats such as those defined in RFC 822, RFC 850, and RFC 1036.
Sun, 06 Nov 1994 08:49:37 GMT ; RFC 822, updated by RFC 1123
Sunday, 06-Nov-94 08:49:37 GMT ; RFC 850, obsoleted by RFC 1036
Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format
Sun, 6 Nov 1994 08:49:37 GMT ; RFC 822, updated by RFC 1123
Sun, 06 Nov 94 08:49:37 GMT ; RFC 822
Sun, 6 Nov 94 08:49:37 GMT ; RFC 822
Sun, 6 Nov 94 08:49:37 GMT ; RFC 822
Sun, 06 Nov 94 08:49 GMT ; Unknown
Sun, 6 Nov 94 08:49 GMT ; Unknown
Sun, 06 Nov 94 8:49:37 GMT ; Unknown [Elm 70.85]
Sun, 6 Nov 94 8:49:37 GMT ; Unknown [Elm 70.85]
Mon, 7 Jan 2002 07:21:22 GMT ; Unknown [Postfix]
Sun, 06-Nov-1994 08:49:37 GMT ; RFC 850 with four digit years
The above formats are also recognized when the leading day of week and/or the timezone are omitted.
- Apache/NCSA date
-
This format can be found in Apache access logs and other sources.
24/Aug/2009:16:08:57 +0200
- ISO 8601 and RFC 3339
-
NXLog can parse the ISO format with or without sub-second resolution, and with or without timezone information. It accepts either a comma (,) or a dot (.) in case there is sub-second resolution.
1977-09-06 01:02:03
1977-09-06 01:02:03.004
1977-09-06T01:02:03.004Z
1977-09-06T01:02:03.004+02:00
2011-5-29 0:3:21
2011-5-29 0:3:21+02:00
2011-5-29 0:3:21.004
2011-5-29 0:3:21.004+02:00
- Windows timestamps
-
20100426151354.537875
20100426151354.537875-000
20100426151354.537875000
3/13/2017 8:42:07 AM ; Microsoft DNS Server
- Integer timestamp
-
This format is XXXXXXXXXX.USEC. The value is expressed as an integer showing the number of seconds elapsed since the epoch UTC. The fractional microsecond part is optional.
1258531221.650359
1258531221
- BIND9 timestamps
-
23-Mar-2017 06:38:30.143
23-Mar-2017 06:38:30
2017-Mar-23 06:38:30.143
2017-Mar-23 06:38:30
- datetime
parsedate(string arg, boolean utc)
-
Dates without timezone information are treated as UTC when utc is TRUE. If utc is FALSE, input strings are parsed in local time—the same behavior as parsedate(arg).
- string
sha1sum(unknown arg)
-
Return the SHA1 hash of arg as a hexadecimal string. arg can be either string or binary.
- unknown
sha1sum(unknown arg, boolean isbinary)
-
Return the SHA1 hash of arg as a binary value or a hexadecimal string. When isbinary is TRUE, the return type will be binary. arg can be either string or binary.
- string
sha512sum(unknown arg)
-
Return the SHA512 hash of arg as a hexadecimal string. arg can be either string or binary.
- unknown
sha512sum(unknown arg, boolean isbinary)
-
Return the SHA512 hash of arg as a binary value or a hexadecimal string. When isbinary is TRUE, the return type will be binary. arg can be either string or binary.
- string
strftime(datetime datetime, string fmt)
-
Convert a datetime value to a string with the given format. The format must be one of:
- YYYY-MM-DD hh:mm:ss,
- YYYY-MM-DDThh:mm:ssTZ,
- YYYY-MM-DDThh:mm:ss.sTZ,
- YYYY-MM-DD hh:mm:ssTZ,
- YYYY-MM-DD hh:mm:ss.sTZ,
- YYYY-MM-DDThh:mm:ssUTC,
- YYYY-MM-DDThh:mm:ss.sUTC,
- YYYY-MM-DD hh:mm:ssUTC,
- YYYY-MM-DD hh:mm:ss.sUTC, or
- a format string accepted by the C strftime() function (see the strftime(3) manual or the Windows strftime reference for the format specification).
- string
type(unknown arg)
-
Returns the variable type: array, binary, boolean, datetime, hash, integer, ipaddr, regexp, or string. When the value is undef or the variable does not exist, type() returns a visually empty value that is equal to undef. This value is neither an empty string ("") nor the string "undef". While the undef type cannot be directly output as a value, it can be checked programmatically.
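
The year-correction rule described under fix_year() above, as an added Python model (not NXLog's own code) run over constructed timestamps around a New Year rollover. The names fix_year_model, _with_year, corrected_timeline, NOW and SAMPLES are hypothetical, naive datetimes in one timezone are assumed, and the Feb 29 clamping is an assumption of this model.

```python
from datetime import datetime, timedelta

# Tolerance taken from the fix_year() description: up to 30 days ahead is accepted.
MAX_FUTURE = timedelta(days=30)

def _with_year(ts, year):
    """Put ts into the given year. Clamping Feb 29 to Feb 28 in a non-leap
    year is an assumption of this model, not documented NXLog behaviour."""
    try:
        return ts.replace(year=year)
    except ValueError:
        return ts.replace(year=year, day=28)

def fix_year_model(parsed, now):
    """Model of the documented rule for a timestamp parsed without a year.
    Both arguments are naive datetimes in the same timezone."""
    candidate = _with_year(parsed, now.year)
    if candidate - now > MAX_FUTURE:
        # More than 30 days ahead: treat it as an event from last year.
        candidate = _with_year(parsed, now.year - 1)
    # Otherwise keep the current year, even if that leaves the value up to
    # 30 days in the future (the source clock is assumed to be wrong).
    return candidate

# Constructed sample: collector clock just after New Year.
NOW = datetime(2024, 1, 5, 10, 0, 0)
SAMPLES = [
    datetime(2024, 12, 31, 23, 59, 50),  # "Dec 31 23:59:50", logged before rollover
    datetime(2024, 1, 4, 9, 0, 0),       # "Jan 4 09:00:00", yesterday
    datetime(2024, 1, 20, 8, 0, 0),      # about 15 days ahead: kept, clock skew
    datetime(2024, 2, 4, 10, 0, 0),      # exactly 30 days ahead: still current year
    datetime(2024, 2, 10, 8, 0, 0),      # about 36 days ahead: moved back a year
]

def corrected_timeline(samples=SAMPLES, now=NOW):
    """Apply the model to every sample and return the corrected datetimes."""
    return [fix_year_model(ts, now) for ts in samples]

if __name__ == "__main__":
    for raw, fixed in zip(SAMPLES, corrected_timeline()):
        print(raw.strftime("%b %d %H:%M:%S"), "->", fixed.isoformat(sep=" "))
```

In this model, a source whose clock runs more than 30 days fast has its events dated to the previous year, which is worth checking for when building timelines from Syslog sources that omit the year.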