Parsing Query Functions

LogScale's parsing functions can be used to extract data, or to identify specific data types, such as dates, time or JSON values from events.

Table: Parsing Query Functions

FunctionDefault ArgumentAvailabilityDescription
base64Decode([as], [charset], field)field  Performs Base64 decoding of a field.
kvParse([as], [excludeEmpty], [field], [onDuplicate], [override], [separator], [separatorPadding])field  Key-value parse events.
parseCEF([field], [headerprefix], [keeplabels], [labelprefix], [prefix])field  Parses CEF version 0.x encoded messages.
parseCsv(columns, [delimiter], [excludeEmpty], field, [trim])field  Parses a CSV-encoded field into known columns.
parseFixedWidth(columns, [field], [trim], widths)field  Parses a fixed width-encoded field into known columns.
parseHexString([as], [charset], field)field  Parses input from hex encoded bytes, decoding resulting bytes as a string.
parseInt([as], [endian], field, [radix])field  Converts an integer from any radix or base to base-ten, decimal radix.
parseJson([exclude], [excludeEmpty], field, [handleNull], [include], [prefix], [removePrefixes])field  Parses specified fields as JSON.
parseLEEF([delimiter], [field], [headerprefix], [keeplabels], [labelprefix], [parsetime], [prefix], [timezone])field  Parses LEEF version 1.0 and 2.0 encoded messages.
parseTimestamp([addErrors], [as], [caseSensitive], field, [format], [timezone], [timezoneAs])format  Parses a string into a timestamp.
parseUri([defaultBase], field, [prefix])field  Extracts URI components from a field.
parseUrl([as], [field])field  Extracts URL components from a field.
parseXml(field, [prefix], [strict])field  Parses specified field as XML.