Decodes an integer to its bit-representation and extracts the bits at specified indices to specified field names as a boolean.
The bits are indexed from 0 and can accept up to 64 bits (the length of a Long).
bitfield:extractFlags() Examples
One or multiple flags can be extracted from a bit field. In this example
the bit field is called flags and has the value
8 corresponding to the bit string
…00001000. The goal is to
extract two flags, ErrorFlag located at
index 3 and WarningFlag
located at index 0.
createEvents("flags=8")
| kvParse()
| bitfield:extractFlags(
field=flags,
output=[
[3, ErrorFlag],
[0, WarningFlag]
])This results in the following output event:
| @rawstring | @timestamp | @timezone | flags | ErrorFlag | WarningFlag |
|---|---|---|---|---|---|
| flags=8 | ... | ... | 8 | true | false |
The extracted flags can then be used to filter events either using
test:
| test(ErrorFlag)Or using string matching:
| ErrorFlag=true or WarningFlag=true