The function bitfield:extractFlags() decodes an
integer to its bit-representation and extracts the bits at specified
indices to specified field names as a boolean.
The bits are indexed from 0 and can
accept up to 64 bits (the length of a Long).
bitfield:extractFlags() Examples
One or multiple flags can be extracted from a bit field. In this example
the bit field is called flags and has the value
8 corresponding to the bit string
…00001000. The goal is to extract two
flags, ErrorFlag located at index
3 and WarningFlag
located at index 0.
createEvents("flags=8")
| kvParse()
| bitfield:extractFlags(
field=flags,
output=[
[3, ErrorFlag],
[0, WarningFlag]
])This results in the following output event:
| @rawstring | @timestamp | @timezone | flags | ErrorFlag | WarningFlag |
|---|---|---|---|---|---|
| flags=8 | ... | ... | 8 | true | false |
The extracted flags can then be used to filter events either using
test:
| test(ErrorFlag)Or using string matching:
| ErrorFlag=true or WarningFlag=true