Comment on page

Logical Operations

User-entered logical operations are a key component of Salem's learning architecture and are referred to in the Salem nomenclature as "eval strings." These operations are created by users to inform Salem actions related to context-building workloads, alert categorization, and other logic-based evaluations.
​eval strings​
Definition: Eval strings are logical operations used by Salem to add and apply context to alerts based on their details. Salem can be taught to evaluate complex Boolean expressions using the and and or operators and the match() function. These expressions can be used to filter alerts, extract relevant information, and generate new context.
​Basic Eval Actions​
== - Equal to operator.
!= - Not equal to operator.
> - Greater than operator.
< - Less than operator.
​Advanced Eval Actions​
​bool(exp)​
Evaluates to true or False
​len(obj)​
Returns the length of the object provided
​round(num,pos)​
Returns a num rounded to pos digits
​coalesce(*args)​
Returns the first non null value
​if_then(bool,true,false)​
If the bool statement evaluates to true, the value of the true case is returned, otherwise the value of the false case is returned
​join(list,str)​
Returns a string comprised of the list values concatenated by the value of str
​match(type,match_exp,match_field)​
Returns True or False based on the evaluation of the match expression. 
Match types:
in <list>:  Returns true if the test is contained in the object.
is <str>:  Returns true if the test is equal to the object.
beginsWith <str> :  Returns true if the object starts with the test.
endsWith <str>:  Returns true if the object ends with the test.
contains <str>:  Returns true if the object contains the test.
regex <str>:  Returns true if the object matches the test regular expression.
bool <str>:  Returns true if the test evaluates to true.
CIDR <str>:  Returns true if the object’s IP address is within the CIDR range specified by the test.
eval <func>:  Returns true if the test evaluates to True when evaluated in the context of the object.
match('endsWith','.com',src)
​now(seconds)​
Returns a date object that is the current UTC time offset by the value of seconds
​rex(exp,str)​
returns a match value based on the regex exp evaluated over str
​split(str,exp)​
returns a list of str components split by the value of exp
split('10.0.0.1','.')
# returns: [10,0,0,1]
​strftime(time,format)​
Accepts a datetime object and a time format string. Returns a str representing time in the format provided
​strptime(str,format)​
Accepts a time str and format, and returns a datetime object
​to_dict(json_str)​
Accepts a JSON formatted string and returns an object
​to_json(obj)​
Accepts and object and returns a JSON formatted string
​to_str(obj)​
Accepts an object and returns a str formatted version of that object
​url_decode(url_string)​
Accepts a url quoted string and returns a unquoted version
​url_encode(str)​
Accepts a string and returns a url quoted version of that string
​
​Eval Use Cases​
​match actions​
​webhook actions​
alert filters
​alert parsing​

General Guides - Previous

Uploading Files

Next - Configurations Specification

Configuration Home

Last modified 2mo ago

Logical Operations

​eval strings​

​Basic Eval Actions​

​Advanced Eval Actions​

​bool(exp)​

​len(obj)​

​round(num,pos)​

​coalesce(*args)​

​if_then(bool,true,false)​

​join(list,str)​

​match(type,match_exp,match_field)​

​now(seconds)​

​rex(exp,str)​

​split(str,exp)​

​strftime(time,format)​

​strptime(str,format)​

​to_dict(json_str)​

​to_json(obj)​

​to_str(obj)​

​url_decode(url_string)​

​url_encode(str)​

​Eval Use Cases​

eval strings

Basic Eval Actions

Advanced Eval Actions

bool(exp)

len(obj)

round(num,pos)

coalesce(*args)

if_then(bool,true,false)

join(list,str)

match(type,match_exp,match_field)

now(seconds)

rex(exp,str)

split(str,exp)

strftime(time,format)

strptime(str,format)

to_dict(json_str)

to_json(obj)

to_str(obj)

url_decode(url_string)

url_encode(str)

Eval Use Cases