Hortonworks Cybersecurity Platform
Also available as:

Introduction to Stellar Language

For a variety of components (threat intelligence triage and field transformations) we need to perform simple computation and transformation using the data from messages as variables. For those purposes, there exists a simple, scaled down DSL created to do simple computation and transformation.

The Stellar query language supports the following:

  • Referencing fields in the enriched JSON

  • String literals are quoted with either ' or "

  • String literals support escaping for ', ", \t, \r, \n, and backslash
    • The literal '\'foo\'' would represent 'foo'

    • The literal "\"foo\"" would represent "foo"

    • The literal 'foo \\ bar' would represent foo \ bar

  • Simple boolean operations: and, not, or

  • Simple arithmetic operations: *, /, +, - on real numbers or integers

  • Simple comparison operations <, >, <=, >=

  • Simple equality comparison operations ==, !=

  • if/then/else comparisons (for example, if var1 < 10 then 'less than 10' else '10 or more')

  • Simple match evaluations (for example, match{ var1 < 10 => 'warn', var1 >= 10 => 'critical', default => 'info'}

  • Determining whether a field exists (via exists)

  • An in operator that works like the in in Python

  • The ability to have parenthesis to make order of operations explicit

  • User defined functions, including Lambda expressions