Parsing Query Functions
LogScale's parsing functions can be used to extract data from events, or to identify specific data types such as dates, times or JSON values.
Table: Parsing Query Functions
Function | Default Argument | Availability | Description |
---|---|---|---|
base64Decode([as], [charset], field) | field | | Performs Base64 decoding of a field. |
kvParse([as], [excludeEmpty], [field], [override], [separator], [separatorPadding]) | field | | Key-value parse events. |
parseCEF([field], [prefix]) | field | | Parses CEF version 0.x encoded messages. |
parseCsv(columns, [delimiter], [excludeEmpty], field) | field | | Parses a CSV-encoded field into known columns. |
parseFixedWidth(columns, [field], [trim], widths) | field | | Parses a fixed width-encoded field into known columns. |
parseHexString([as], [charset], field) | field | | Parses input from hex encoded bytes, decoding resulting bytes as a string. |
parseInt([as], [endian], field, [radix]) | field | | Converts an integer from any radix or base to base-ten, decimal radix. |
parseJson([exclude], [excludeEmpty], field, [handleNull], [include], [prefix], [removePrefixes]) | field | | Parses specified fields as JSON. |
parseLEEF([delimiter], [field], [parsetime], [prefix], [timezone]) | field | | Parses LEEF version 1.0 and 2.0 encoded messages. |
parseTimestamp([addErrors], [as], [caseSensitive], field, [format], [timezone], [timezoneAs]) | format | | Parses a string into a timestamp. |
parseUrl([as], [field]) | field | | Extracts URL components from a field. |
parseXml(field, [prefix], [strict]) | field | | Parses specified field as XML. |