Functions
Use these functions in the Advanced Search interface to perform relatively complex data transformations. The Logs Query Builder does not natively support these functions.
- backshift
-
Shifts a column in a table down by the specified number.
- base64Decode
-
Converts a base64 string into to an ASCII/UTF-8 string.
- base64Encode
-
Converts an ASCII/UTF-8 string to a base64 string.
- compareCIDRPrefix
-
Checks if the network prefixes of two IPv4 addresses match.
- concat
-
Concatenates multiple strings and numbers into a new string.
- decToHex
-
Converts long value to hexadecimal value.
- dedup
-
Removes duplicate results in a table by a set of columns.
- format
-
Returns a formatted string given a format specifier and arguments.
- formatDate
-
Returns a date string given a date, format, and timezone (default UTC).
- getCIDRPrefix
-
Retrieves the network prefix from an IPv4 address.
- hash
-
Hashes data into a string value using the specified hash algorithm.
- hexToAscii
-
Converts hexadecimal string to ASCII value.
- hexToDec
-
Converts hexadecimal string to a long value.
- in
-
Checks if a field is in a set of string values or number values.
- ipv4ToNumber
-
Converts an Internet Protocol version 4 (IPv4) IP address from the octet dot-decimal format to a decimal format.
- isBlank
-
Checks if a string value is null, empty, or contains only empty characters.
- isEmpty
-
Checks if a string value is an empty string that contains no characters or whitespace.
- isNumeric
-
Checks if a string value can be parsed as a number.
- isPrivateIP
-
Checks if an IPv4 address is private.
- isPublicIP
-
Checks if an IPv4 address is public.
- isValidIP
-
Checks if an IPv4 or IPv6 address is valid.
- len
-
Returns the length of a string.
- luhn
-
Validates credit card numbers in a string value using Luhn’s algorithm.
- maskFromCIDR
-
Returns the subnet mask given a prefix length for IPv4 addresses.
- matches
-
Matches strings using the RE2-compliant regex format.
- now
-
Returns the current epoch time in milliseconds.
- queryEndTime
-
Returns the end time of the search in milliseconds.
- queryStartTime
-
Returns the start time of the search in milliseconds.
- queryTimeRange
-
Returns the time range for the query being executed, in milliseconds.
- replace
-
Replaces all occurrences of a specified string with another string.
- substring
-
Extracts a part of a given string and start/end offsets.
- toBytes
-
Parses a string representation of bytes (KB, MB, GB, and so on) into the number of bytes it represents.
- toDuration
-
Parses a string representation of time (ns, µs, ms, s, m, h) to nanoseconds.
- toFloat
-
Parses a string representation of a number or a number to a float.
- toInt
-
Parses a string representation of a number, or a number to an
int. - toLowerCase
-
Converts all letters of a string to lowercase.
- toUpperCase
-
Converts all letters of a string to uppercase.
- trim
-
Removes starting and trailing empty spaces in a string.
- urlDecode
-
Returns an unescaped URL string.
- urlEncode
-
Encodes a URL into the ASCII character set.
backshift
Shifts a column in a table down by the specified number.
For the views table.
The default shift is 1.
The default alias, when used on the command line, is _backshift.
compareCIDRPrefix
Checks if the network prefixes of two IPv4 addresses match.
- Syntax
-
| compareCIDRPrefix(<ipv4String>, <ipv4String>) as <alias>code - Examples
-
The following example returns K with a value of true.
| compareCIDRPrefix("10.10.1.35", "10.10.1.35", 24) as KcodeThe following example returns K with a value of false.
| compareCIDRPrefix("10.10.1.35", "11.11.2.35", 24) as Kcode
formatDate
Returns a date string given a date, format, and timezone (default UTC).
- Syntax
-
| formatDate(<dateMilliseconds>) as <alias> | formatDate(<dateMilliseconds>, <formatString>) as <alias> | formatDate(<dateMilliseconds>, <formatString>, <timezoneString>) as <alias>code - Examples
-
The following example returns K with a value of
2024-11-06T20:33:37Z.| formatDate(1730925217838) as KcodeThe following example returns K with a value of
11-06-2024.| formatDate(1730925217838, "01-02-2006") as KcodeThe following example returns K with a value of
2024-11-06 12:33:37.| formatDate(1730925217838, "2006-01-02 15:04:05", "America/Los_Angeles") as Kcode
hash
Hashes data into a string value using the specified hash algorithm.
Supported hash algorithms are MD5, SHA1, SHA2, and MurmurHash3.
- Syntax
-
| hash(<field>) as <alias> | hash(<field>, <hashAlgorithm>) as <alias> where <hashAlgorithm> is either md5(default), sha1, sha2_256, or murmur3_128code - Examples
-
The following example returns K with a value of
5eb63bbbe01eeed093cb22bb8f5acdc3.| hash("hello world") as KcodeThe following example returns K with a value of
2aae6c35c94fcfb415dbe95f408b9ce91ee846ed.| hash("hello world", "sha1") as Kcode
in
Checks if a field is in a set of string values or number values.
- Syntax
-
-
where
-
if
| where <field> in (<value_1>[, <value_2>, <value_3>, ...])`code| if(<field> in (<value_1>[, <value_2>, <value_3>, ...]), <value_if_true>, <value_if_false>) as <field>code -
- Examples
-
-
where
-
if
| source="pinot-server" | parse "[*]" as class | where class in ("ServerQueryLogger", "AppInfoParser")code
| source="pinot-server" | parse "[*]" as class | if (class in ("ServerQueryLogger", "AppInfoParser"), "true class", "false class") as myClasscode
-
luhn
Validates credit card numbers in a string value using Luhn’s algorithm.
The operator removes all non-numeric values and checks if the resulting string is a valid credit card number.
matches
Matches strings using the RE2-compliant regex format.
- Syntax
-
-
where
-
if
| where <string expression> matches "<regex>"code| if(<field> matches <regex_pattern>, <value_if_true>, <value_if_false>) as <field>code -
- Examples
-
-
where
-
if
| source="pinot-server" | parse "[*]" as class | where class matches "Server.*"code
| source="pinot-server" | parse "[*]" as class | if (class matches "Server.*", "match found", "match not found") as myClasscode
-
replace
Replaces all occurrences of a specified string with another string.
The specified string can be a literal or regex.
- Syntax
-
| replace(<sourceString>, <searchString>, <replaceString>) as <alias> | replace(<sourceString>, <regexString>, <replaceString>) as <alias>code - Examples
-
The following example returns K with a value of
hello gopher.| replace("hello world", "world", "gopher") as KcodeThe following example returns K with a value of
"http://kloudfuse.com/products//logs".| replace("http://kloudfuse.com/products/12345678/logs", "[0-9]{5,}", "") as Kcode
substring
Extracts a part of a given string and start/end offsets.
If not including an offset, the substring is until the end of the source string.
urlDecode
Returns an unescaped URL string.
- Syntax
-
| urlDecode(<urlString>) as <alias>code - Example
-
The following example returns K with a value of
http://example-server123.org/api/v1/data.php?auth=AbCdEfGhIjKlMnOpQrStUvWxYz123456&;.| urlDecode("http%3A%2F%2Fexample-server123.org%2Fapi%2Fv1%2Fdata.php%3Fauth%3DAbCdEfGhIjKlMnOpQrStUvWxYz123456%26") as Kcode
urlEncode
Encodes a URL into the ASCII character set.
- Syntax
-
| urlDecode(<urlString>) as <alias>code - Example
-
The following example returns
Kwith a value ofhttp%3A%2F%2Fexample-server123.org%2Fapi%2Fv1%2Fdata.php%3Fauth%3DAbCdEfGhIjKlMnOpQrStUvWxYz123456%26.| urlDecode("http://example-server123.org/api/v1/data.php?auth=AbCdEfGhIjKlMnOpQrStUvWxYz123456&") as K.code
