Miscellaneous operators
Use these functions in the Advanced Search interface to perform relatively complex data transformations. The Logs Query Builder does not natively support these functions.
- backshift
-
Shifts a column in a table down by the specified number.
- base64Decode
-
Converts a base64 string into to an ASCII/UTF-8 string.
- base64Encode
-
Converts an ASCII/UTF-8 string to a base64 string.
- compareCIDRPrefix
-
Checks if the network prefixes of two IPv4 addresses match.
- concat
-
Concatenates multiple strings and numbers into a new string.
- decToHex
-
Converts long value to hexadecimal value.
- dedup
-
Removes duplicate results in a table by a set of columns.
- format
-
Returns a formatted string given a format specifier and arguments.
- formatDate
-
Returns a date string given a date, format, and timezone (default UTC).
- getCIDRPrefix
-
Retrieves the network prefix from an IPv4 address.
- hash
-
Hashes data into a string value using the specified hash algorithm.
- hexToAscii
-
Converts hexadecimal string to ASCII value.
- hexToDec
-
Converts hexadecimal string to a long value.
- in
-
Checks if a field is in a set of string values or number values.
- ipv4ToNumber
-
Converts an Internet Protocol version 4 (IPv4) IP address from the octet dot-decimal format to a decimal format.
- isBlank
-
Checks if a string value is null, empty, or contains only empty characters.
- isEmpty
-
Checks if a string value is an empty string that contains no characters or whitespace.
- isNumeric
-
Checks if a string value can be parsed as a number.
- isPrivateIP
-
Checks if an IPv4 address is private.
- isPublicIP
-
Checks if an IPv4 address is public.
- isValidIP
-
Checks if an IPv4 or IPv6 address is valid.
- len
-
Returns the length of a string.
- luhn
-
Validates credit card numbers in a string value using Luhn’s algorithm.
- maskFromCIDR
-
Returns the subnet mask given a prefix length for IPv4 addresses.
- matches
-
Matches strings using the RE2-compliant regex format.
- now
-
Returns the current epoch time in milliseconds.
- queryEndTime
-
Returns the end time of the search in milliseconds.
- queryStartTime
-
Returns the start time of the search in milliseconds.
- queryTimeRange
-
Returns the time range for the query being executed, in milliseconds.
- replace
-
Replaces all occurrences of a specified string with another string.
- substring
-
Extracts a part of a given string and start/end offsets.
- toBytes
-
Parses a string representation of bytes (KB, MB, GB, and so on) into the number of bytes it represents.
- toDuration
-
Parses a string representation of time (ns, µs, ms, s, m, h) to nanoseconds.
- toFloat
-
Parses a string representation of a number or a number to a float.
- toInt
-
Parses a string representation of a number, or a number to an
int. - toLowerCase
-
Converts all letters of a string to lowercase.
- toUpperCase
-
Converts all letters of a string to uppercase.
- transpose
-
Converts aggregate query results from a long format into a wide, tabular format by pivoting row values into column headers.
- trim
-
Removes starting and trailing empty spaces in a string.
- urlDecode
-
Returns an unescaped URL string.
- urlEncode
-
Encodes a URL into the ASCII character set.
backshift
Shifts a column in a table down by the specified number.
For the views table.
The default shift is 1.
The default alias, when used on the command line, is _backshift.
compareCIDRPrefix
Checks if the network prefixes of two IPv4 addresses match.
- Syntax
-
| compareCIDRPrefix(<ipv4String>, <ipv4String>) as <alias>none - Examples
-
The following example returns K with a value of true.
| compareCIDRPrefix("10.10.1.35", "10.10.1.35", 24) as KnoneThe following example returns K with a value of false.
| compareCIDRPrefix("10.10.1.35", "11.11.2.35", 24) as Knone
formatDate
Returns a date string given a date, format, and timezone (default UTC).
- Syntax
-
| formatDate(<dateMilliseconds>) as <alias> | formatDate(<dateMilliseconds>, <formatString>) as <alias> | formatDate(<dateMilliseconds>, <formatString>, <timezoneString>) as <alias>none - Examples
-
The following example returns K with a value of
2024-11-06 20:33:37.| formatDate(1730925217838) as KnoneThe following example returns K with a value of
2024-11-06.| formatDate(1730925217838, "YYYY-MM-dd") as KnoneThe following example returns K with a value of
2024-11-06 12:33:37.838 PM.| formatDate(1730925217838, "yyyy-MM-dd hh:mm:ss.SSS a", "America/Los_Angeles") as Knone
hash
Hashes data into a string value using the specified hash algorithm.
Supported hash algorithms are MD5, SHA1, SHA2, and MurmurHash3.
- Syntax
-
| hash(<field>) as <alias> | hash(<field>, <hashAlgorithm>) as <alias> where <hashAlgorithm> is either md5(default), sha1, sha2_256, or murmur3_128none - Examples
-
The following example returns K with a value of
5eb63bbbe01eeed093cb22bb8f5acdc3.| hash("hello world") as KnoneThe following example returns K with a value of
2aae6c35c94fcfb415dbe95f408b9ce91ee846ed.| hash("hello world", "sha1") as Knone
in
Checks if a field is in a set of string values or number values.
- Syntax
-
-
where
-
if
| where <field> in (<value_1>[, <value_2>, <value_3>, ...])`none| if(<field> in (<value_1>[, <value_2>, <value_3>, ...]), <value_if_true>, <value_if_false>) as <field>none -
- Examples
-
-
where
-
if
| source="pinot-server" | parse "[*]" as class | where class in ("ServerQueryLogger", "AppInfoParser")none
| source="pinot-server" | parse "[*]" as class | if (class in ("ServerQueryLogger", "AppInfoParser"), "true class", "false class") as myClassnone
-
luhn
Validates credit card numbers in a string value using Luhn’s algorithm.
The operator removes all non-numeric values and checks if the resulting string is a valid credit card number.
matches
Matches strings using the RE2-compliant regex format.
- Syntax
-
-
where
-
if
| where <string expression> matches "<regex>"none| if(<field> matches <regex_pattern>, <value_if_true>, <value_if_false>) as <field>none -
- Examples
-
-
where
-
if
| source="pinot-server" | parse "[*]" as class | where class matches "Server.*"none
| source="pinot-server" | parse "[*]" as class | if (class matches "Server.*", "match found", "match not found") as myClassnone
-
replace
Replaces all occurrences of a specified string with another string.
The specified string can be a literal or regex.
- Syntax
-
| replace(<sourceString>, <searchString>, <replaceString>) as <alias> | replace(<sourceString>, <regexString>, <replaceString>) as <alias>none - Examples
-
The following example returns K with a value of
hello gopher.| replace("hello world", "world", "gopher") as KnoneThe following example returns K with a value of
"http://kloudfuse.com/products//logs".| replace("http://kloudfuse.com/products/12345678/logs", "[0-9]{5,}", "") as Knone
substring
Extracts a part of a given string and start/end offsets.
If not including an offset, the substring is until the end of the source string.
transpose
Converts aggregate query results from a long format into a wide, tabular format by pivoting row values into column headers.
Similar to a pivot table in Excel, the transpose operator transforms query results from a long list format into a wide table format in the Aggregates tab. You specify which fields define the rows and which define the columns.
The transpose operator dynamically creates columns for aggregate search results, allowing you to design queries without knowing the output schema in advance. This is particularly useful for formatting data for dashboard panels and charts.
- Syntax
-
| transpose row <row_field1>[, <row_field2>, ...] column <column_field1>[, <column_field2>, ...]none - Examples
-
Without transpose, the following query produces a long-format table that is difficult to read:
source="pinot-server" | timeslice 5m | count by _timeslice, status_codenoneWith transpose, you can pivot the results to display status codes as columns and timeslices as rows:
source="pinot-server" | timeslice 5m | count by _timeslice, status_code | transpose row _timeslice column status_codenoneThis transforms the data into an easy-to-read table where each status code becomes its own column, with counts displayed across time intervals.
The transpose operator supports multiple aggregate functions. When using multiple aggregates (e.g., count and avg), each combination of column values will generate separate columns for each aggregate:
source="pinot-server" | timeslice 5m | count as request_count, avg(response_time) as avg_response by _timeslice, status_code | transpose row _timeslice column status_codenoneThis creates columns like
request_count|200,avg_response|200,request_count|404,avg_response|404, etc.
urlDecode
Returns an unescaped URL string.
- Syntax
-
| urlDecode(<urlString>) as <alias>none - Example
-
The following example returns K with a value of
http://example-server123.org/api/v1/data.php?auth=AbCdEfGhIjKlMnOpQrStUvWxYz123456&;.| urlDecode("http%3A%2F%2Fexample-server123.org%2Fapi%2Fv1%2Fdata.php%3Fauth%3DAbCdEfGhIjKlMnOpQrStUvWxYz123456%26") as Knone
urlEncode
Encodes a URL into the ASCII character set.
- Syntax
-
| urlDecode(<urlString>) as <alias>none - Example
-
The following example returns
Kwith a value ofhttp%3A%2F%2Fexample-server123.org%2Fapi%2Fv1%2Fdata.php%3Fauth%3DAbCdEfGhIjKlMnOpQrStUvWxYz123456%26.| urlDecode("http://example-server123.org/api/v1/data.php?auth=AbCdEfGhIjKlMnOpQrStUvWxYz123456&") as K.none
