layout | title | parent | nav_order |
---|---|---|---|
default |
Expression syntax |
Pipelines |
12 |
The following sections provide information about expression syntax in Data Prepper.
Operators are listed in order of precedence (top to bottom, left to right).
Operator | Description | Associativity |
---|---|---|
() |
Priority Expression | left-to-right |
not + - |
Unary Logical NOT Unary Positive Unary negative |
right-to-left |
< , <= , > , >= |
Relational Operators | left-to-right |
== , != |
Equality Operators | left-to-right |
and , or |
Conditional Expression | left-to-right |
Reserved symbol set: ^
, *
, /
, %
, +
, -
, xor
, =
, +=
, -=
, *=
, /=
, %=
, ++
, --
, ${<text>}
The set initializer defines a set or term and/or expressions.
The following are examples of set initializer syntax.
{200, 201, 202}
{"Created", "Accepted"}
{/request_payload, /request_message}
A priority expression identifies an expression that will be evaluated at the highest priority level. A priority expression must contain an expression or value; empty parentheses are not supported.
/is_cool == (/name == "Steven")
Relational operators are used to test the relationship of two numeric values. The operands must be numbers or JSON Pointers that resolve to numbers.
<Number | JSON Pointer> < <Number | JSON Pointer>
<Number | JSON Pointer> <= <Number | JSON Pointer>
<Number | JSON Pointer> > <Number | JSON Pointer>
<Number | JSON Pointer> >= <Number | JSON Pointer>
/status_code >= 200 and /status_code < 300
Equality operators are used to test whether two values are equivalent.
<Any> == <Any>
<Any> != <Any>
/is_cool == true
3.14 != /status_code
{1, 2} == /event/set_property
Equality operators can also be used to check whether a JSON Pointer exists by comparing the value with null
.
<JSON Pointer> == null
<JSON Pointer> != null
null == <JSON Pointer>
null != <JSON Pointer>
/response == null
null != /response
A conditional expression is used to chain together multiple expressions and/or values.
<Any> and <Any>
<Any> or <Any>
not <Any>
/status_code == 200 and /message == "Hello world"
/status_code == 200 or /status_code == 202
not /status_code in {200, 202}
/response == null
/response != null
This section provides expression definitions.
A literal is a fundamental value that has no children:
- Float: Supports values from 3.40282347 × 1038 to 1.40239846 × 10−45.
- Integer: Supports values from −2,147,483,648 to 2,147,483,647.
- Boolean: Supports true or false.
- JSON Pointer: See the JSON Pointer section for details.
- String: Supports valid Java strings.
- Null: Supports null check to see whether a JSON Pointer exists.
An expression string takes the highest priority in a Data Prepper expression and only supports one expression string resulting in a return value. An expression string is not the same as an expression.
A statement is the highest-priority component of an expression string.
An expression is a generic component that contains a Primary or an Operator. Expressions may contain expressions. An expression's imminent children can contain 0–1 Operators.
- Set
- Priority Expression
- Literal
An operator is a hardcoded token that identifies the operation used in an expression.
A JSON Pointer is a literal used to reference a value within an event and provided as context for an expression string. JSON Pointers are identified by a leading /
containing alphanumeric characters or underscores, delimited by /
. JSON Pointers can use an extended character set if wrapped in double quotes ("
) using the escape character \
. Note that JSON Pointers require ~
and /
characters, which should be used as part of the path and not as a delimiter that needs to be escaped.
The following are examples of JSON Pointers:
~0
representing~
~1
representing/
/\w+(/\w+)*
The following is an example of shorthand:
/Hello/World/0
The following is an example of escaped syntax:
"/<Valid String Characters | Escaped Character>(/<Valid String Characters | Escaped Character>)*"
The following is an example of an escaped JSON Pointer:
# Path
# { "Hello - 'world/" : [{ "\"JsonPointer\"": true }] }
"/Hello - 'world\//0/\"JsonPointer\""
White space is optional surrounding relational operators, regex equality operators, equality operators, and commas. White space is required surrounding set initializers, priority expressions, set operators, and conditional expressions.
Operator | Description | White space required | ✅ Valid examples | ❌ Invalid examples |
---|---|---|---|---|
{} |
Set initializer | Yes | /status in {200} |
/status in{200} |
() |
Priority expression | Yes | /a==(/b==200) /a in ({200}) |
/status in({200}) |
in , not in |
Set operators | Yes | /a in {200} /a not in {400} |
/a in{200, 202} /a not in{400} |
< , <= , > , >= |
Relational operators | No | /status < 300 /status>=300 |
|
=~ , !~ |
Regex equality pperators | No | /msg =~ "^\w*$" /msg=~"^\w*$" |
|
== , != |
Equality operators | No | /status == 200 /status_code==200 |
|
and , or , not |
Conditional operators | Yes | /a<300 and /b>200 |
/b<300and/b>200 |
, |
Set value delimiter | No | /a in {200, 202} /a in {200,202} /a in {200 , 202} |
/a in {200,} |
Data Prepper supports the following built-in functions that can be used in an expression.
The length()
function takes one argument of the JSON pointer type and returns the length of the value passed. For example, length(/message)
returns a length of 10
when a key message exists in the event and has a value of 1234567890
.
The hastags()
function takes one or more string type arguments and returns true
if all the arguments passed are present in an event's tags. When an argument does not exist in the event's tags, the function returns false
. For example, if you use the expression hasTags("tag1")
and the event contains tag1
, Data Prepper returns true
. If you use the expression hasTags("tag2")
but the event only contains a tag1
tag, Data Prepper returns false
.
The getMetadata()
function takes one literal string argument to look up specific keys in a an event's metadata. If the key contains a /
, then the function looks up the metadata recursively. When passed, the expression returns the value corresponding to the key. The value returned can be of any type. For example, if the metadata contains {"key1": "value2", "key2": 10}
, then the function, getMetadata("key1")
, returns value2
. The function, getMetadata("key2")
, returns 10.
The contains()
function takes two string arguments and determines whether either a literal string or a JSON pointer is contained within an event. When the second argument contains a substring of the first argument, such as contains("abcde", "abcd")
, the function returns true
. If the second argument does not contain any substrings, such as contains("abcde", "xyz")
, it returns false
.
The cidrContains()
function takes two or more arguments. The first argument is a JSON pointer, which represents the key to the IP address that is checked. It supports both IPv4 and IPv6 addresses. Every argument that comes after the key is a string type that represents CIDR blocks that are checked against.
If the IP address in the first argument is in the range of any of the given CIDR blocks, the function returns true
. If the IP address is not in the range of the CIDR blocks, the function returns false
. For example, cidrContains(/sourceIp,"192.0.2.0/24","10.0.1.0/16")
will return true
if the sourceIp
field indicated in the JSON pointer has a value of 192.0.2.5
.