Functions Overview

This section documents the built-in functions available in Peakhour's Wirefilter expression language for creating advanced rules and conditions.

Available Functions

Functions allow you to perform operations on field values, transform data, and create more sophisticated rule logic. All functions are case-sensitive and must be used with the exact spelling shown.

String Functions

• any() - Check if any element in an array matches a condition
• concat() - Concatenate strings together
• ends_with() - Check if a string ends with a specific suffix
• len() - Get the length of a string or array
• lower() - Convert string to lowercase
• matches() - Pattern matching with wildcards
• starts_with() - Check if a string starts with a specific prefix
• to_string() - Convert values to string representation

Validation Functions

• is_mac_valid() - Validate MAC address format

Usage Examples

// String manipulation
lower(http.host) eq "example.com"
starts_with(http.request.uri.path, "/api/")
len(http.user_agent) gt 100

// Pattern matching
matches(http.user_agent, "*bot*")
ends_with(http.host, ".example.com")

// Data conversion
concat("prefix-", ip.src)
to_string(ip.geoip.asnum)

Function Categories

Text Processing

Functions for manipulating and analyzing string values.

Pattern Matching

Functions for wildcard and pattern-based matching.

Data Validation

Functions for validating specific data formats.

Type Conversion

Functions for converting between different data types.

Best Practices

• Use functions to normalize data before comparisons
• Combine functions for complex logic requirements
• Consider performance impact of complex function calls
• Test function behavior with rule simulator before deployment

For complete function documentation and examples, see the individual function reference pages listed above.