Language
Types
The following types are provided by the NXLog language.
- Unknown
-
This is a special type for values where the type cannot be determined at compile time and for uninitialized values. The undef literal and fields without a value also have an unknown type. The unknown type can also be thought of as "any" in case of function and procedure API declarations.
- Boolean
-
A boolean value is TRUE, FALSE or undefined. Note that an undefined value is not the same as a FALSE value.
- Integer
-
An integer can hold a signed 64 bit value in addition to the undefined value. Floating point values are not supported.
- String
-
A string is an array of characters in any character set. The binary type should be used for values where the NULL byte can also occur. An undefined string is not the same as an empty string. Strings have a limited length to prevent resource exhaustion problems, this is a compile-time value currently set to 1M.
- Datetime
-
A datetime holds a microsecond, millisecond, and second value of time elapsed since the Epoch, and NXLog can handle the corresponding value. It is always stored in UTC/GMT.
- IP Address
-
The ipaddr type can store IP addresses in an internal format. This type is used to store both dotted-quad IPv4 addresses (for example,
192.168.1.1
) and IPv6 addresses (for example,2001:0db8:85a3:0000:0000:8a2e:0370:7334
).
- Binary
-
This type can hold an array of bytes.
- Array
-
This type is a container and it can hold an arbitrary number values of any kind of types supported by the NXLog language. The inividual members are accessed by a non-negative integer type of index value.
- Hash
-
This type is a container and it can hold an arbitrary number of key-value pairs. The key is a string while the value is one of the value types supported by the NXLog language. The inividual values can be accessed by the key strings.
- Variadic arguments
-
This is a special type only used in function and procedure API declarations to indicate variadic arguments.
- JSON string
-
A specific format of json-string.
JSON string is not yet a separate data type and is just a simple string. It was described separately to specify the string format.
- JSON map
-
A specific format for json-string. Presents as an object description for specific json-array.
Expressions
Literals
- Undef
-
The undef literal has an unknown type. It can be also used in an assignment to unset the value of a field.
Example 1. Un-Setting the Value of a FieldThis statement unsets the
$ProcessID
field.$ProcessID = undef;
- Boolean
-
A boolean literal is either TRUE or FALSE. It is case-insensitive, so
True
,False
,true
, andfalse
are also valid.
- Integer
-
An integer starts with a minus (
-
) sign if it is negative. A "0X" or "0x" prepended modifier indicates a hexadecimal notation. The "K", "M" and "G" modifiers are also supported; these mean Kilo (1024), Mega (1024^2), or Giga (1024^3) respectively when appended.Example 2. Setting an Integer ValueThis statement uses a modifier to set the
$Limit
field to 44040192 (42×1024^2).$Limit = 42M;
- String
-
String literals are quoted characters using either single or double quotes.
Enclosing in single quotes means that the string contains no escape sequences. For example, the
'\n'
character combination will be interpreted as\n
. Similarly, the asterisk'*'
character inside single quotes will be processed by NXLog as the asterisk.String literals specified within double quotes can contain escape sequences. For instance, the
"\n"
character combination will be interpreted as a newline (LF) character as opposed to'\n'
in single quotes, which is treated by NXLog as\n
.Below is the full list of escape sequences supported by NXLog.
- \\
-
The backslash (
\
) character. - \"
-
The double quote (
"
) character. - \n
-
Line feed (LF).
- \r
-
Carriage return (CR).
- \t
-
Horizontal tab.
- \b
-
Audible bell.
- \xXX
-
A single byte in the form of a two digit hexadecimal number. For example the line-feed character can also be expressed as
\x0A
.
The asterisk (
"*"
) character in double quotes is interpreted as a wildcard character. In such case, the"file*.log"
literal can be used to specify bothfile1.log
andfilea.log
. For more details, see the Configuration section of the im_file module documentation.Extra care should be taken when specifying file paths within double quotes since the backslash is used as the directory separator on Windows. For more information about the possible complications, see this note of the im_file module. The examples below explain how to use single and double quotes with strings.
Example 3. Setting a string without escapingThe statement below assigns the
Test message
string to the$Message
field.$Message = 'Test message';
Using single quotes means that character escaping is not allowed.
OutputTest message
Example 4. Escaping double quotes within a stringUsing the
\"
character combination, the statement below wraps themessage
substring with double quotes.$QuotedMessage = "Test \"message\"";
Below is the value which was assigned to the
$QuotedMessage
field.Field valueTest "message"
Wildcard characters are useful for reading data from multiple files based on their naming pattern.
Example 5. Escaping wildcard charactersThe NXLog configuration below uses the
*
asterisk character to read data from files with names starting with thelog
string and having the.txt
extension.nxlog.conf<Input from_file> Module im_file File "/tmp/log*.txt" </Input>
Based on the naming pattern, both
log1.txt
andlog_new.txt
will be read.
- Datetime
-
A datetime literal is an unquoted representation of a time value expressing local time in the format of
YYYY-MM-DD hh:mm:ss
.Example 6. Setting a Datetime ValueThis statement sets the
$EventTime
field to the specified datetime value.$EventTime = 2000-01-02 03:04:05;
- IP Address
-
An IP address literal can be expressed in the form of a dotted quad notation for IPv4 (
192.168.1.1
) or by using 8 colon-separated (:
) groups of 16-bit hexadecimal values for IPv6 (2001:0db8:85a3:0000:0000:8a2e:0370:7334
). When specifying an address and port separated by colon (host:port
), IPv6 addresses must be enclosed in square brackets ([host]:port
). - Array
-
An array literal is a comma-separated list of expressions, enclosed in square brackets, where the list is optional. E.g.
[1, 2, hostname(), now()]
or[ ]
for empty array. - Hash
-
A hash literal is a comma-separated list of key-value pairs, enclosed in parentheses. A key-value pair consists a
key-expression
and avalue-expression
separated by=>
. E.g.( 'key1' => 123, 'key2' => now() )
or( )
for empty hash. Thekey-expression
can evaluate to any type but the actual key will always beto_string(key-expression)
.
Regular Expressions
The PCRE engine is used to execute regular expressions in NXLog. For more information about the PCRE syntax, see the pcre2syntax(3) and pcre2pattern(3) man pages.
Regular expressions must be used with one of the
=~ and !~
operators, and must be quoted with slashes (/
) as in Perl. Captured
sub-strings are accessible through numeric reference, and the full
subject string is placed into $0
.
If the regular expression matches the $Message
field, the
log_info() procedure is executed. The captured
sub-string is used in the logged string ($1
).
if $Message =~ /^Test (\S+)/ log_info("captured: " + $1);
It is also possible to use named capturing such that the resulting field name is defined in the regular expression.
This statement causes the same behavior as the previous example, but it uses named capturing instead.
if $Message =~ /^Test: (?<test>\S+)/ log_info("captured: " + $test);
Substitution is supported with the s///
operator.
Fields or captured sub-string references cannot be used inside the regular expression but these can be used inside the substitution operator using the usual $fieldname
, ${relaxed field name}
, $0..n
and $captured_name
notations, e.g., if $subject =~ s/(\w+)/($1→${replace})/g log_info($subject);
.
Only the \\
, \/
, and \$
escape sequences are supported for the replacement string of the substitution operator.
Other sequences, like \n
, will be replaced literally.
Regular Expression Modifiers
The following regular expression modifiers are supported:
- g
-
The
/g
modifier can be used for global replacement.Example 9. Replace Whitespace OccurrencesIf any whitespace is found in the
$SourceName
field, it is replaced with underscores (_
) and a log message is generated.if $SourceName =~ s/\s/_/g log_info("removed all whitespace in SourceName");
- s
-
The dot (
.
) normally matches any character except newline. The/s
modifier causes the dot to match all characters including line terminator characters (LF and CRLF).Example 10. Dot Matches All CharactersThe regular expression in this statement will match a message that begins and ends with the given keywords, even if the message spans multiple lines.
if $Message =~ /^Backtrace.*END$/s drop();
- m
-
The
/m
modifier can be used to treat the string as multiple lines (^
and$
match newlines within data). - i
-
The
/i
modifier does case insensitive matching.
Fields
See Fields for a list of fields provided by the NXLog core. Additional fields are available through input modules.
Fields are referenced in the NXLog language by prepending a
dollar sign ($
) to the field name.
Field names are case-insensitive. For example, the $SourceModuleName
and $sourcemodulename
field names are equivalent.
Normally, a field name may contain letters, digits, the period (.
), and the
underscore (_
). Additionally, field names must begin with a letter or
an underscore. The corresponding regular expression is:
[a-zA-Z_][a-zA-Z0-9._]*
However, those restrictions are relaxed if the field name is specified with
curly braces ({}
). In this case, the field name may also contain hyphens
(-
), parentheses (()
), and spaces. The field name may also begin with any
one of the allowed characters. The regular expression in this case is:
[a-zA-Z0-9._() -]+
This statement generates an internal log message indicating the time when the message was received by NXLog.
log_debug('Message received at ' + $EventReceivedTime);
This statement uses curly braces ({}
) to refer to a field with a hyphenated
name.
log_info('The file size is ' + ${file-size});
A field which does not exist has an unknown type.
Arrays
An array of values can be created and initialized with the following syntax:
[ expression, expression, ...., expression ]
Where an expression
is a valid NXLog expression which evaluates to a value including the container
type of values and the undef value.
The array then can be assigned to a field:
$field = [1, 'aaa', TRUE, 2022-12-22 10:25:01, 2001:db8:85a3::8a2e:370:7334, hostname() ];
Or to a module variable:
$$modvar = [TRUE, 2022-12-22 10:25:01, [], undef, [1, 2, 3] ];
The individual array elements can be accessed by the
array operator []
and an index expression:
$field[idx_expression]; $$modvar[idx_expression];
Where an idx_expression
is a valid NXLog expression which evaluates to an integer value. If
idx_expression
evaluates to a string type then
NXLog automatically tries to convert it to
an integer value. The first (the smallest) index
value of an array is 0
.
An array element can be at the left part of an assignment. This way one can assign new values to the individual elements of the array.
$array[idx_expression] = expression; # OR $$array[idx_expression] = expression;
One can insert new elements into an array by referring to a not existing element. E.g.:
$$array = [1, 2, 3]; $$array[5] = "test str";
which yields this array:
[1, 2, 3, undef, undef, 'test str']
There are empty arrays which can be created too.
# empty array: $array = [ ];
Hashes
Hashes (aka associative arrays) can be created and initialized with the following syntax:
( key_expression => value_expression, key_expression => value_expression, .... , key_expression => value_expression )
Where a key_expression
is a valid NXLog expression
which evaluates to a value which is then converted to a string.
The value_expression
is a valid NXLog expression
which evaluates to any type of value, including the container
type of values and the undef value.
The hash then can be assigned to a field:
$field = ('key1' => 1 + 1, 'key2' => 'aa' + 'bb', 'key3' => 2022-12-22 10:25:01, 'key4' => hostname() );
or to a module variable:
$$modvar = ('key1' => 1 + 1, 'key2' => 'aa' + 'bb', 'key3' => 2022-12-22 10:25:01, 'key4' => hostname() );
The individual hash values can be accessed by the
hash operator ()
and a key expression:
$field(key_expression); $$modvar(key_expression);
A hash value can be at the left part of an assignment. This way one can assign new values to the individual values of the hash container.
$hash(key_expression) = expression; # OR $$hash(key_expression) = expression;
One can insert new values into a hash container with the following syntax:
$$hash = (); # empty container $$hash=('key1') = "value1"; $$hash=('key2') = "value2";
which yields this hash container:
['key1' => 'value1', 'key2' => 'value2']
There are empty hash containers which can be created too.
# empty hash: $hash = ( );
Operations
Unary Operations
The following unary operations are available. It is possible to use brackets around the operand to make it look like a function call as in the "defined" example below.
- not
-
The not operator expects a boolean value. It will evaluate to undef if the value is undefined. If it receives an unknown value which evaluates to a non-boolean, it will result in a run-time execution error.
Example 12. Using the "not" OperandIf the
$Success
field has a value of false, an error is logged.if not $Success log_error("Job failed");
- defined
-
The defined operator will evaluate to TRUE if the operand is defined, otherwise FALSE.
Example 13. Using the Unary "defined" OperationThis statement is a no-op, it does nothing.
if defined undef log_info("never printed");
If the
$EventTime
field has not been set (due perhaps to failed parsing), it will be set to the current time.if not defined($EventTime) $EventTime = now();
Binary Operations
The following binary operations are available.
The operations are described with the following syntax:
LEFT_OPERAND_TYPE OPERATION RIGHT_OPERAND_TYPE = EVALUATED_VALUE_TYPE
- =~
-
This is the regular expression match operation as in Perl. This operation takes a string and a regular expression operand and evaluates to a boolean value which will be TRUE if the regular expression matches the subject string. Captured sub-strings are accessible through numeric reference (such as
$1
) and the full subject string is placed into$0
. Regular expression based string substitution is supported with thes///
operator. For more details, see Regular Expressions.Example 14. Regular Expression Based String MatchingA log message will be generated if the
$Message
field matches the regular expression.if $Message =~ /^Test message/ log_info("matched");
- !~
-
This is the opposite of =~
The expression will evaluate to TRUE if the regular expression does not match on the subject string. It can be also written as
not LEFT_OPERAND =~ RIGHT_OPERAND
. Thes///
substitution operator is supported.Example 15. Regular Expression Based Negative String MatchingA log message will be generated if the
$Message
field does not match the regular expression.if $Message !~ /^Test message/ log_info("didn't match");
- ==
-
This operator compares two values for equality. Comparing a defined value with an undefined results in undef.
Example 16. EqualityA log message will be generated if
$SeverityValue
is 1.if $SeverityValue == 1 log_info("severity is one");
- !=
-
This operator compares two values for inequality. Comparing a defined value with an undefined results in undef.
Example 17. InequalityA log message will be generated if
$SeverityValue
is not 1.if $SeverityValue != 1 log_info("severity is not one");
- <
-
This operation will evaluate to TRUE if the left operand is less than the right operand, and FALSE otherwise. Comparing a defined value with an undefined results in undef.
Example 18. LessA log message will be generated if
$SeverityValue
is less than 1.if $SeverityValue < 1 log_info("severity is less than one");
- <=
-
This operation will evaluate to TRUE if the left operand is less than or equal to the right operand, and FALSE otherwise. Comparing a defined value with an undefined results in undef.
Example 19. Less or EqualA log message will be generated if
$SeverityValue
is less than or equal to 1.if $SeverityValue < 1 log_info("severity is less than or equal to one");
- >
-
This operation will evaluate to TRUE if the left operand is greater than the right operand, and FALSE otherwise. Comparing a defined value with an undefined results in undef.
Example 20. GreaterA log message will be generated if
$SeverityValue
is greater than 1.if $SeverityValue > 1 log_info("severity is greater than one");
- >=
-
This operation will evaluate to TRUE if the left operand is greater than or equal to the right operand, and FALSE otherwise. Comparing a defined value with an undefined results in undef.
Example 21. Greater or EqualA log message will be generated if
$SeverityValue
is greater than or equal to 1.if $SeverityValue >= 1 log_info("severity is greater than or equal to one");
- and
-
This operation evaluates to TRUE if and only if both operands are TRUE. The operation will evaluate to undef if either operand is undefined.
Example 22. And OperationA log message will be generated only if both
$SeverityValue
equals 1 and$FacilityValue
equals 2.if $SeverityValue == 1 and $FacilityValue == 2 log_info("1 and 2");
- or
-
This operation evaluates to TRUE if either operand is TRUE. The operation will evaluate to undef if both operands are undefined.
Example 23. Or OperationA log message will be generated if
$SeverityValue
is equal to either 1 or 2.if $SeverityValue == 1 or $SeverityValue == 2 log_info("1 or 2");
- +
-
This operation will result in an integer if both operands are integers. If either operand is a string, the result will be a string where non-string typed values are converted to strings. In this case it acts as a concatenation operator, like the dot (
.
) operator in Perl. Adding an undefined value to a non-string will result in undef.Example 24. ConcatenationThis statement will always cause a log message to be generated.
if 1 + "a" == "1a" log_info("this will be printed");
- -
-
Subtraction. The result will be undef if either operand is undefined.
Example 25. SubtractionThis statement will always cause a log message to be generated.
if 4 - 1 == 3 log_info("four minus one is three");
- *
-
Multiply an integer with another. The result will be undef if either operand is undefined.
Example 26. MultiplicationThis statement will always cause a log message to be generated.
if 4 * 2 == 8 log_info("four times two is eight");
- /
-
Divide an integer with another. The result will be undef if either operand is undefined. Since the result is an integer, a fractional part is lost.
Example 27. DivisionThis statement will always cause a log message to be generated.
if 9 / 4 == 2 log_info("9 divided by 4 is 2");
- %
-
The modulo operation divides an integer with another and returns the remainder. The result will be undef if either operand is undefined.
Example 28. ModuloThis statement will always cause a log message to be generated.
if 3 % 2 == 1 log_info("three mod two is one");
- IN
-
This operation will evaluate to TRUE if the left operand is equal to any of the expressions in the list on the right, and FALSE otherwise. Comparing a undefined value results in undef.
Example 29. INA log message will be generated if
$EventID
is equal to any one of the values in the list.if $EventID IN (1000, 1001, 1004, 4001) log_info("EventID found");
Ternary Operation
The ternary operator expr1 ? expr2 : expr3
evaluates to expr2 if
expr1 is TRUE, otherwise to expr3. The parentheses as shown here are
optional.
The $Important
field is set to TRUE if $SeverityValue
is greater
than 2
, or FALSE otherwise.
$Important = ( $SeverityValue > 2 ? TRUE : FALSE );
Functions
A function is an expression which returns a value. The returned value can be used to set fields, output log data, or make logic decisions. Functions can be polymorphic, meaning that the same function can take different argument types.
Many NXLog language features are provided through functions. As with other types of expressions, and unlike procedures, functions do not modify the state of the NXLog engine, the state of the module, or the current event.
See the list of available core functions. Modules can provide additional functions for use with the NXLog language.
These expressions call the now() function to return
the current time and the hostname() function to
return the hostname of the system where NXLog is installed. The returned
values are used to set the $EventTime
and $Relay
fields.
$EventTime = now();
$Relay = hostname();
In the example below, the size() function is called to
calculate the size of the $Message
field. If the field is over 4096 bytes,
an internal log is generated.
if size($Message) > 4096 log_info('Large message received.');
Functions for a specific module instance can be called using the ->
operator. This expression calls the file_name() and
file_size() functions of an om_file instance named
out
. The returned values are used to log the name and size of its current
output file.
log_info('Size of output file ' + out->file_name() + ' is ' + out->file_size());
Calling functions of a specific instance is especially useful when the
configuration contains more than one instance of the same module. These
expressions call the to_xml() function of two xm_xml
instances, one named xml_a
and the other named xml_b
.
xml_a->to_xml();
xml_b->to_xml();
Statements
The following elements can be used in statements.
Assignment
The assignment operation is declared with an equal sign (=
). It
loads the value from the expression evaluated on the right into a
field on the left.
This statement sets the $EventReceivedTime
field to the value
returned by the now() function.
$EventReceivedTime = now();
Block
A block consists of one or more statements within curly braces ({}
).
This is typically used with conditional
statements as in the example below.
If the expression matches, both log messages will be generated.
if now() > 2000-01-01 00:00:00
{
log_info("we are in the");
log_info("21st century");
}
Procedures
A procedure is a statement that performs a set of actions. Procedures can accept arguments. Unlike a function, a procedure modifies its arguments, the state of the NXLog engine, the state of a module, or the current event. Procedures can be polymorphic, meaning that the same procedure can take different argument types.
Many NXLog language features are provided through procedures. See the list of available core procedures. Modules can provide additional procedures for use with the NXLog language.
This example uses the parse_syslog() procedure, provided by the xm_syslog module, to parse syslog records received via UDP.
<Input in>
Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog();
</Input>
Procedures for a specific module instance can be called using the ->
operator. This statement calls the rotate_to()
procedure of an om_file instance named out
to rotate the current output
file.
out->rotate_to("output_logs");
Calling procedures of a specific instance is especially useful when the
configuration contains more than one instance of the same module. These
statements call the parse_xml() procedure of two
xm_xml instances, one named xml_a
and the other named xml_b
.
xml_a->parse_xml();
xml_b->parse_xml();
If-Else
A conditional statement starts with the if
keyword followed by a
boolean expression and a statement. The else
keyword, followed by
another statement, is optional. Brackets around the expression are
also optional.
A log message will be generated if the expression matches.
if now() > 2000-01-01 00:00:00 log_info("we are in the 21st century");
This statement is the same as the previous, but uses brackets.
if ( now() > 2000-01-01 00:00:00 ) log_info("we are in the 21st century");
This is a conditional statement block.
if now() > 2000-01-01 00:00:00
{
log_info("we are in the 21st century");
}
This conditional statement block includes an else branch.
if now() > 2000-01-01 00:00:00
{
log_info("we are in the 21st century");
}
else log_info("we are not yet in the 21st century");
Like Perl, the NXLog language does not have a switch statement. Instead, this can be accomplished by using conditional if-else statements.
The generated log message various based on the value of the $value
field.
if ( $value == 1 )
log_info("1");
else if ( $value == 2 )
log_info("2");
else if ( $value == 3 )
log_info("3");
else
log_info("default");
The Perl elsif and unless keywords are not supported. |
While
A basic looping construct in NXLog language. The syntax is:
while ( cond_expression ) { statement; statement; ... statement; }
Where cond_expression
is any valid NXLog
expression which evaluates to a boolean value.
The statements
will be executed repeatedly as long
as the cond_expression
evaluates to TRUE.
It is important to note that currently nothing prevents infinite loops therefore it is the responsibility of the user to not create such loops. |
An example:
$$i = 0; while ( $$i < 5 ) { log_info("Repeated message"); $$i = $$i + 1; }
while
loops can be nested without limitations but
the best practice is to limit the nesting level in
order to avoid long running exec blocks.
Foreach
A looping construct in NXLog language designed to work on containers. The syntax is:
foreach (expression, module-variable) { statement; statement; ... statement; }
Where expression
is any valid NXLog
expression which evaluates to a container type of
value like array
or hash
. But if one wants to
change the values in that container
then the expression
must "address" a container or
a sub-container already assigned to a field or to
a module variable. Any temporary container, which can
be a container literal or a function’s return value,
will be disposed outside the loop.
The module-variable
is a $$
notation for a
module variable.
The statements
will be executed as many times
as many elements the container has (expression
) and
for each repetition the module-variable
will be updated
with the access key for a container element. In case of
arrays this module-variable
will hold the index values,
while in case of a hash containers this will hold the
keys for the stored values.
An example:
$$array = [1, 2, 3]; foreach ($$array, $$idx) { $$array[$$idx] = $$array[$$idx] * 10; } $$hash = ( '1' => 100, '2' => 500); foreach($$hash, $$key) { $$hash[$$key] = $$hash[$$key] - 5; }
foreach
loops can be nested without limitations but
the best practice is to limit the nesting level in
order to avoid long running exec blocks.
Break, Continue
Like programming or scripting languages NXLog loops
also have these statements and the effects are the same.
In loop body break;
causes immediate leaving of
the loop while continue;
causes skipping the
rest of the statements after the continue;
.
In case of nested loops, these statements affect the
loop in which the break
or the continue
resides.
E.g.:
$ar = [9,8,7,6,5,4,3,2,1]; foreach($ar, $$i) { if ( $ar[$$i] == 4 ) { continue; } if ( $ar[$$i] == 2 ) { break; } if ( $ar[$$i] % 2 == 0 ) $ar[$$i] = "xxx"; }
Variables
A module variable can only be accessed from the same module instance where it was created. A variable is referenced by a string value and can store a value of any type.
See the create_var(), delete_var(), set_var(), and get_var() procedures.
In NXLog language there is another,
simplified syntax for using module variables. Similar to
the $
notation for fields, it is possible to
access module variables with the $$
notation.
In that case, the variable name is not
dynamic but in return, the value can be
manipulated the same way as the NXLog fields.
$$ival_1 = 10; $$ival_2 = $$ival_1 + 200; $$str = string($$ival_2);
The $$
notation is directly supported by the
foreach(expr, $$key)
NXLog language construct.
Statistical Counters
The following types are available for statistical counters:
- COUNT
-
Added values are aggregated, and the value of the counter is increased if only positive integers are added until the counter is destroyed or indefinitely if the counter has no expiry.
- COUNTMIN
-
This calculates the minimum value of the counter.
- COUNTMAX
-
This calculates the maximum value of the counter.
- AVG
-
This algorithm calculates the average over the specified interval.
- AVGMIN
-
This algorithm calculates the average over the specified interval, and the value of the counter is always the lowest which was ever calculated during the lifetime of the counter.
- AVGMAX
-
Like AVGMIN, but this returns the highest value calculated during the lifetime of the counter.
- RATE
-
This calculates the value over the specified interval. It can be used to calculate events per second (EPS) values.
- RATEMIN
-
This calculates the value over the specified interval, and returns the lowest rate calculated during the lifetime of the counter.
- RATEMAX
-
Like RATEMIN, but this returns the highest rate calculated during the lifetime of the counter.
- GRAD
-
This calculates the change of the rate of the counter over the specified interval, which is the gradient.
- GRADMIN
-
This calculates the gradient and returns the lowest gradient calculated during the lifetime of the counter.
- GRADMAX
-
Like GRADMIN, but this returns the highest gradient calculated during the lifetime of the counter.
Fields
The following fields are used by core.
$raw_event
(type: string)-
The data received from stream modules (im_file, im_tcp, etc.).
$EventReceivedTime
(type: datetime)-
The time when the event is received. The value is not modified if the field already exists.
$Hostname
(type: string)-
The name of the host where the nxlog is running. The value is not modified if the field already exists.
$SourceModuleName
(type: string)-
The name of the module instance, for input modules. The value is not modified if the field already exists.
$SourceModuleType
(type: string)-
The type of module instance (such as
im_file
), for input modules. The value is not modified if the field already exists.
Functions
The following functions are exported by core.
- integer
dayofweek(datetime datetime)
-
Return the number of days since Sunday in the range of 0-6.
- integer
dayofweek(datetime datetime, boolean utc)
-
Return the number of days since Sunday in the range of 0-6. Optionally in UTC time if utc is set to TRUE, localtime if FALSE. If not set, honors the GenerateDateInUTC directive.
- integer
dayofyear(datetime datetime)
-
Return the day number of the year in the range of 1-366.
- integer
dayofyear(datetime datetime, boolean utc)
-
Return the day number of the year in the range of 1-366. Optionally in UTC time if utc is set to TRUE, localtime if FALSE. If not set, honors the GenerateDateInUTC directive.
- boolean
dropped()
-
Return TRUE if the currently processed event has already been dropped.
- boolean
failed_over()
-
Returns TRUE if the current module is not connected to the first configured
Host
.
- datetime
fix_year(datetime datetime)
-
Return a corrected datetime value for a datetime which was parsed with a missing year, such as BSD Syslog or Cisco timestamps. The current year is used unless it would result in a timestamp that is more than 30 days in the future, in which case the previous year is used instead. If using the current year results in a timestamp that is less than or equal to 30 days in the future, it is assumed that the source device’s clock is incorrect (and the returned datetime value will be up to 30 days in the future).
- string
get_instance_id()
-
Return the NXLog agent unique identifier (UID).
- integer
get_rand()
-
Return a random integer value.
- unknown
get_registryvalue(string mainkey, string subkeys, string valuename, boolean 64bit_view)
-
Return a value from the Windows Registry. mainkey must be one of the following predefined registry keys:
HKCC
,HKU
,HKCU
,HKCR
, orHKLM
. subkeys must be a series of backslash-separated valid Registry keys to open from mainkey. valuename must be a valid name of a value in last key of the subkeys. If 64bit_view is FALSE, then it indicates that 64-bit Windows should operate on the 32-bit Registry view; otherwise 64-bit Windows should operate on the 64-bit Registry view. Returns the value belonging to valuename. Returns undef if valuename or any of the subkeys can not be accessed in the Registry.
- string
get_uuid()
-
Return a UUID string.
- ipaddr
host_ip()
-
Return the first non-loopback IP address the hostname resolves to.
- string
hostname()
-
Return the hostname (short form).
- string
hostname_fqdn()
-
Return the FQDN hostname. This function will return the short form if the FQDN hostname cannot be determined.
- string
md5sum(unknown arg)
-
Return the MD5 hash of arg as a hexadecimal string. arg can be either string or binary.
- unknown
md5sum(unknown arg, boolean isbinary)
-
Return the MD5 hash of arg as a binary value or a hexadecimal string. When isbinary is TRUE, the return type will be binary. arg can be either string or binary.
- integer
microsecond(datetime datetime)
-
Return the microsecond part of the time value.
- integer
microsecond(datetime datetime, boolean utc)
-
Return the microsecond part of the time value. Optionally in UTC time if utc is set to TRUE, localtime if FALSE. If not set, honors the GenerateDateInUTC directive.
- datetime
now()
-
Return the current time.
- string
nxlog_version()
-
Return the NXLog version string.
- datetime
parsedate(string arg)
-
Parse a string containing a timestamp. Dates without timezone information are treated as local time. The current year is used for formats that do not include the year. An undefined datetime type is returned if the argument cannot be parsed, so that the user can fix the error (for example,
$EventTime = parsedate($somestring); if not defined($EventTime) $EventTime = now();
). Supported timestamp formats are listed below.- RFC 3164 (legacy Syslog) and variations
-
Nov 6 08:49:37 Nov 6 08:49:37 Nov 06 08:49:37 Nov 3 14:50:30.403 Nov 3 14:50:30.403 Nov 03 14:50:30.403 Nov 3 2005 14:50:30 Nov 3 2005 14:50:30 Nov 03 2005 14:50:30 Nov 3 2005 14:50:30.403 Nov 3 2005 14:50:30.403 Nov 03 2005 14:50:30.403 Nov 3 14:50:30 2005 Nov 3 14:50:30 2005 Nov 03 14:50:30 2005
- RFC 1123
-
RFC 1123 compliant dates are also supported, including a couple others which are similar such as those defined in RFC 822, RFC 850, and RFC 1036.
Sun, 06 Nov 1994 08:49:37 GMT ; RFC 822, updated by RFC 1123 Sunday, 06-Nov-94 08:49:37 GMT ; RFC 850, obsoleted by RFC 1036 Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format Sun, 6 Nov 1994 08:49:37 GMT ; RFC 822, updated by RFC 1123 Sun, 06 Nov 94 08:49:37 GMT ; RFC 822 Sun, 6 Nov 94 08:49:37 GMT ; RFC 822 Sun, 6 Nov 94 08:49:37 GMT ; RFC 822 Sun, 06 Nov 94 08:49 GMT ; Unknown Sun, 6 Nov 94 08:49 GMT ; Unknown Sun, 06 Nov 94 8:49:37 GMT ; Unknown [Elm 70.85] Sun, 6 Nov 94 8:49:37 GMT ; Unknown [Elm 70.85] Mon, 7 Jan 2002 07:21:22 GMT ; Unknown [Postfix] Sun, 06-Nov-1994 08:49:37 GMT ; RFC 850 with four digit years
The above formats are also recognized when the leading day of week and/or the timezone are omitted.
- Apache/NCSA date
-
This format can be found in Apache access logs and other sources.
24/Aug/2009:16:08:57 +0200
- ISO 8601 and RFC 3339
-
NXLog can parse the ISO format with or without sub-second resolution, and with or without timezone information. It accepts either a comma (
,
) or a dot (.
) in case there is sub-second resolution.1977-09-06 01:02:03 1977-09-06 01:02:03.004 1977-09-06T01:02:03.004Z 1977-09-06T01:02:03.004+02:00 2011-5-29 0:3:21 2011-5-29 0:3:21+02:00 2011-5-29 0:3:21.004 2011-5-29 0:3:21.004+02:00
- Windows timestamps
-
20100426151354.537875 20100426151354.537875-000 20100426151354.537875000 3/13/2017 8:42:07 AM ; Microsoft DNS Server
- Integer timestamp
-
This format is
XXXXXXXXXX.USEC
. The value is expressed as an integer showing the number of seconds elapsed since the epoch UTC. The fractional microsecond part is optional.1258531221.650359 1258531221
- BIND9 timestamps
-
23-Mar-2017 06:38:30.143 23-Mar-2017 06:38:30 2017-Mar-23 06:38:30.143 2017-Mar-23 06:38:30
- datetime
parsedate(string arg, boolean utc)
-
Dates without timezone information are treated as UTC when utc is TRUE. If utc is FALSE, input strings are parsed in local time—the same behavior as
parsedate(arg)
.
- string
sha1sum(unknown arg)
-
Return the SHA1 hash of arg as a hexadecimal string. arg can be either string or binary.
- unknown
sha1sum(unknown arg, boolean isbinary)
-
Return the SHA1 hash of arg as a binary value or a hexadecimal string. When isbinary is TRUE, the return type will be binary. arg can be either string or binary.
- string
sha512sum(unknown arg)
-
Return the SHA512 hash of arg as a hexadecimal string. arg can be either string or binary.
- unknown
sha512sum(unknown arg, boolean isbinary)
-
Return the SHA512 hash of arg as a binary value or a hexadecimal string. When isbinary is TRUE, the return type will be binary. arg can be either string or binary.
- string
strftime(datetime datetime, string fmt)
-
Convert a datetime value to a string with the given format. The format must be one of:
-
YYYY-MM-DD hh:mm:ss
, -
YYYY-MM-DDThh:mm:ssTZ
, -
YYYY-MM-DDThh:mm:ss.sTZ
, -
YYYY-MM-DD hh:mm:ssTZ
, -
YYYY-MM-DD hh:mm:ss.sTZ
, -
YYYY-MM-DDThh:mm:ssUTC
, -
YYYY-MM-DDThh:mm:ss.sUTC
, -
YYYY-MM-DD hh:mm:ssUTC
, -
YYYY-MM-DD hh:mm:ss.sUTC
, or -
a format string accepted by the C strftime() function (see the strftime(3) manual or the Windows strftime reference for the format specification).
-
Procedures
The following procedures are exported by core.
add_to_route(string routename);
-
Copy the currently processed event data to the route specified. This procedure makes a copy of the data. The original will be processed normally. Note that flow control is explicitly disabled when moving data with add_to_route() and the data will not be added if the queue of the target module(s) is full.
array_append(array dst_array, array src_array, integer src_index, integer src_num_elements);
-
This procedure copies elements from src_array to the end of dst_array. The src_index specifies the first src_array element index and src_num_elements specifies the number of elements to copy. The size of dst_array will increase by src_num_elements at most. dst_array and src_array must both be
array
types. The operation is not executed if src_index exceeds the src_array size or src_num_elements is 0.
array_trim(array array_value);
-
Removing the
undef
values from the end of the array_value container. The size of the array will decrease if such element(s) was(were) found at the end of the container. If array_value is not anarray
type then no operation(s) will be carried out.
create_stat(string statname, string type);
-
Create a module statistical counter with the specified name using the current time. The statistical counter will be created with an infinite lifetime. The type argument must be one of the following to select the required algorithm for calculating the value of the statistical counter:
COUNT
,COUNTMIN
,COUNTMAX
,AVG
,AVGMIN
,AVGMAX
,RATE
,RATEMIN
,RATEMAX
,GRAD
,GRADMIN
, orGRADMAX
(see Statistical Counters).The interval parameter is optional for
COUNT
type statistical counters. It is mandatory for all other types.This procedure will do nothing if a counter with the specified name already exists.
create_stat(string statname, string type, integer interval, datetime time, integer lifetime);
-
Create a module statistical counter with the specified name to be calculated over interval seconds and the time value specified in the time argument. The statistical counter will expire after lifetime seconds.
create_var(string varname);
-
Create a module variable with the specified name. The variable will be created with an infinite lifetime.
debug(unknown arg, varargs args);
-
Print the argument(s) at DEBUG log level. Same as log_debug().
delete(unknown arg);
-
Delete a field or a module variable from the event. For example,
delete($field)
ordelete(variable)`. Note that `$field = undef` or `variable = undef
is not the same, though after both operations the field or the module variable will be undefined. If the argument is an expression which is not purely a field ($field
) or a module variable ($$variable
) then the expression will be evaluated and that value will be treated as a name of the field to be deleted. If the expression yields a non-string type value then an error message will be issued. delete(string arg);
-
Delete the field from the event. For example,
delete("field")
.
delete_all();
-
Delete all of the fields from the event except
raw_event
field.
delete_stat(string statname);
-
Delete a module statistical counter with the specified name. This procedure will do nothing if a counter with the specified name does not exist (e.g. was already deleted).
delete_var(string varname);
-
Delete the module variable with the specified name if it exists.
drop();
-
Drop the event record that is currently being processed. Any further action on the event record will result in a "missing record" error.
duplicate_guard();
-
Guard against event duplication.
hash_remove(hash hash_value, varargs key);
-
Removing the keys(s) from the hash_value. The size of the hash_value will increase by the number of key arguments. To perform this operation, the key argument(s) must be of string type. If hash_value is not a
hash
type then no operation(s) will be carried out.
log_debug(unknown arg, varargs args);
-
Print the argument(s) at DEBUG log level. Same as debug(). Messages longer than specified at LogSizeLimit will be truncated.
log_error(unknown arg, varargs args);
-
Print the argument(s) at ERROR log level. Messages longer than specified at LogSizeLimit will be truncated.
log_info(unknown arg, varargs args);
-
Print the argument(s) at INFO log level. Messages longer than specified at LogSizeLimit will be truncated.
log_warning(unknown arg, varargs args);
-
Print the argument(s) at WARNING log level. Messages longer than specified at LogSizeLimit will be truncated.
module_restart();
-
Issue
module_stop
and then amodule_start
events for the calling module. Cross-module calls are supported:other_module→module_restart()
.
module_start();
-
Issue a
module_start
event for the calling module. Cross-module calls are supported:other_module→module_start()
.
module_stop();
-
Issue a
module_stop
event for the calling module. Cross-module calls are supported:other_module→module_stop()
.
reroute(string routename);
-
Move the currently processed event data to the route specified. The event data will enter the route as if it was received by an input module there. Note that flow control is explicitly disabled when moving data with reroute() and the data will be dropped if the queue of the target module(s) is full.
sleep(integer interval);
-
Sleep the specified number of microseconds. This procedure is provided for testing purposes primarily. It can be used as a poor man’s rate limiting tool, though this use is not recommended.