The ESA rule language provides transform functions that manipulate and validate values extracted from HTTP requests.
Supported transform functions
concat
Concatenates strings.
-
Format:
concat(String | Integer | Bytes | Array elements):String. -
Logic: Concatenates a comma-separated list of values into a single string.
-
Examples:
-
concat("String1"," ","String",2)returns"String1 String2". -
concat("/archive",http.request.uri.path)prepends the path segment"/archive"to the URI path. -
concat("userid=123&",http.request.uri.query)prepends the key-value pair"userid=123"to the URI query string. -
concat("https://www.example.com",http.request.uri.path)combines a new hostname with the original request path to generate a new URL.
-
ends_with
Checks whether a string ends with a specified substring.
-
Format:
ends_with(source String,substring String):Boolean. -
Logic:
-
Returns
trueifsource Stringends withsubstring String. Otherwise, it returnsfalse. -
source Stringmust be a field. It cannot be a literal string. For example, do not writeends_with("foo.html",".html").
-
-
Example: If
http.request.uri.pathis"/welcome.html", thenends_with(http.request.uri.path,".html")returnstrue.
lower
Converts a string to lowercase.
-
Format:
lower(String):String -
Logic: Converts a field string value to lowercase. Only uppercase ASCII bytes are converted; all other bytes remain unchanged.
-
Example: If
http.hostis"WWW.example.com", thenlower(http.host)=="www.example.com"returnstrue.
regex_replace
Replaces substrings that match a regular expression pattern.
-
Format:
regex_replace(source String,regular_expression String,replacement String):String. -
Logic:
-
Replaces the first substring matching the regular expression with the replacement string.
-
By default, matching is case-sensitive.
-
Only the first match is replaced, even if multiple matches exist in the source string.
-
You can escape a
$character in the replacement string by prefixing it with another$character. -
The replacement string can contain references to regular expression capturing groups using the format
${<NUMBER>}, where<NUMBER>is the number of the capturing group. Up to eight such references are supported, such as${1}and${2}.
-
-
Examples:
-
Static character match and replacement:
-
Successful string match:
regex_replace("/animal/cat","/cat$","/dog")=="/animal/dog". -
If no match is found, the source string remains unchanged:
-
Different strings:
regex_replace("/x","^/y$","/z")=="/x". -
Case-sensitive strings:
regex_replace("/cat","^/CAT$","/dog")=="/cat".
-
-
When multiple matches exist, only the first is replaced:
regex_replace("/a/a","/a","/b")=="/b/a". -
Escaping the
$character in the replacement string:regex_replace("/b","^/b$","/b$$")=="/b$". -
Using capturing groups in the replacement string:
regex_replace("/foo/a/path","^/foo/([^/]*)/(.*)$","/bar/${2}/${1}")=="/bar/path/a".
-
-
Dynamic field match and replacement:
-
The source string uses a dynamic field to retrieve the path information from the client request. This example replaces
/cat/in the path with/dog/:regex_replace(http.request.uri.path,"/cat/(.*)$","/dog/${1}"). -
Complex replacement example: Replaces each
+character in the original request path with the string%2B:regex_replace(http.request.uri.path, "^([^+]*)\\+([^+]*)\\+(.*)$", "${1}%2B${2}%2B${3}").
-
-
starts_with
Checks whether a string starts with a specified substring.
-
Format:
starts_with(source String,substring String):Boolean -
Logic:
-
Returns
trueifsource Stringstarts withsubstring String. Otherwise, it returnsfalse. -
source Stringmust be a field. It cannot be a literal string. For example, do not writestarts_with("foo.html",".html").
-
-
Example: If
http.request.uri.pathis"/welcome.html", thenstarts_with(http.request.uri.path,".html")returnstrue.
to_string
Converts a value to its string representation.
-
Format:
to_string(Integer | Boolean | IP address):String. -
Logic: Returns the string representation of an
Integer,Boolean, orIPaddress value. -
Examples:
-
If the result of
ip.src.asnumis15169, thento_string(ip.src.asnum)returns"15169". -
If the result of
sslistrue, thento_string(ssl)returns"true". -
If the result of
ip.srcis192.168.0.1, thento_string(ip.src)returns"192.168.0.1".
-
upper
Converts a string to uppercase.
-
Format:
upper(String):String. -
Logic: Converts a field string value to uppercase. Only lowercase ASCII bytes are converted; all other bytes remain unchanged.
-
Example: If
http.hostis"www.example.com", thenupper(http.host)returns"WWW.EXAMPLE.COM".
wildcard_replace
Replaces substrings that match a wildcard pattern.
-
Format:
wildcard_replace(source Bytes,wildcard_pattern Bytes,replacement Bytes,flags Bytes optional):String -
Logic:
-
Matches the source string against a pattern containing zero or more
*wildcards, replaces the matched portion with the replacement string, and returns the result. The replacement string can contain references to wildcard capturing groups, such as${1}and${2}. Up to eight replacement references are supported. -
If there is no match, the function returns the original source string.
-
The
sourceparameter must be a field, not a literal string. The entiresourcevalue must match thewildcard_patternparameter — partial matches are not supported. -
To enter a literal
*character in thewildcard_patternparameter, you must escape it with\*. You must also escape the\character with\\. Two unescaped*characters in a row, such as**, are invalid and cannot be used. To perform character escaping, use raw string syntax for thewildcard_patternparameter. -
To enter a literal
$character in thereplacementparameter, you must escape it with$$. -
To perform a case-sensitive wildcard match, set the
flagsparameter tos. -
This function uses lazy matching — each
*matches the shortest possible string.
-
-
Examples:
-
If the full URI is
https://apps.example.com/calendar/admin?expand=true, the expressionwildcard_replace(http.request.full_uri,"https://*.example.com/*/*","https://example.com/${1}/${2}/${3}")returnshttps://example.com/apps/calendar/admin?expand=true. -
If the full URI is
https://example.com/applications/app1, the expressionwildcard_replace(http.request.full_uri,"/applications/*","/apps/${1}")returnshttps://example.com/applications/app1unchanged because the pattern must match the full URI. Usehttp.request.uri.pathfor path-only matching. -
If the URI path is
/calendar, the expressionwildcard_replace(http.request.uri.path,"/*","/apps/${1}")returns/apps/calendar. -
If the URI path is
/Apps/calendar, the expressionwildcard_replace(http.request.uri.path,"/apps/*","/${1}")returns/calendar. The match is case-insensitive by default. -
If the URI path is
/Apps/calendar, the expressionwildcard_replace(http.request.uri.path,"/apps/*","/${1}","s")returns/Apps/calendar. Theflagsparameter is set tosto enable case-sensitive matching. Because the pattern does not match the original URI path, the result is unchanged. -
If the URI path is
/apps/calendar/login, the expressionwildcard_replace(http.request.uri.path,"/apps/*/login","/${1}/login")returns/calendar/login.
-