Query Functions

LogScale query functions take a set of events, parameters, or configurations. They produce, reduce, or modify values within that set, or in the events themselves within a query pipeline.

The Query Functions table is an alphabetical listing of all LogScale query functions:

Table: Query Functions

FunctionTypeDefault ArgumentAvailabilityDescription
accumulate([current], function)aggregate, data-manipulation, sequencefunction  Applies an aggregation function cumulatively to a sequence of events.
array:append(array, values)array, data-manipulationarray  Appends single or multiple values to an array, or creates a new array if it does not already exist.
array:contains(array, value)array, data-manipulation, filterarray  Checks whether the given value matches any of the values of the array and excludes the event if no value matches.
array:dedup(array, [asArray])array, data-manipulationarray  array:dedup() removes duplicate elements from an array. The ordering of the first occurrence of each unique element is preserved.
array:drop(array)arrayarray  Takes the name of an array and drops all fields of this array.
array:eval(array, [asArray], function, [var])arrayarray  Evaluates the function argument on all values in the array under the array argument overwriting the array.
array:exists(array, condition, [var])array, data-manipulation, filterarray  Filters events based on whether the given array contains an element that satisfies a given condition (based on the array argument). Recommended for flat arrays. Does not work on nested arrays — use objectArray:exists() instead.
array:filter(array, [asArray], function, [var])array, data-manipulation, filterarray  Drops entries from the input array using the given filtering function.
array:length(array, [as])array, array-lengtharray  Counts the number of elements in a flat array.
array:reduceAll(array, function, var)aggregate, array, data-manipulationarray  Computes a value from all events and array elements of the specified array.
array:regex(array, [flags], regex)array, filter, regular-expressionarray  Checks whether the given pattern matches any of the values of the array and excludes the event from the search result.
array:rename(array, asArray)array, data-manipulationarray  Takes the name of an array and renames all fields of this array.
array:sort(array, [asArray], [order], [type])array, data-manipulationarray  Sorts the elements of an array of values using the given sorting data type and order.
asn([as], [field])networkfield  Determines autonomous system number and organization associated.
avg([as], field)aggregate, statisticsfield  Calculates the average for a field of a set of events.
base64Decode([as], [charset], field)parsingfield  Performs Base64 decoding of a field.
base64Encode([as], field)parsingfield  Performs Base64 encoding of a field.
bitfield:extractFlags(field, [onlyTrue], output)data-manipulation   Interprets an integer as a bit field and extracts the specified flags.
bitfield:extractFlagsAsArray([asArray], field, flagNames)data-manipulation   Interprets an integer as a bit field and extracts the specified flags. Information is returned as an array, listed in ascending order, from lowest bit to highest bit.
bitfield:extractFlagsAsString([as], field, flagNames, [separator])data-manipulation   Interprets an integer as a bit field and extracts the specified flags. Information is returned as a string, listed in ascending order, from lowest bit to highest bit.
bucket([buckets], [field], [function], [limit], [minSpan], [span], [timezone], [unit])aggregatespan  Extends the groupBy() function for grouping by time.
callFunction([as], field, function)aggregatefunction  Calls the named function on a field over a set of events.
cidr([column], field, [file], [negate], [subnet])filter, networkfield  Filters events using CIDR subnets.
coalesce([as], expressions, [ignoreEmpty])data-manipulationexpressions  Selects the value of the first expression from a list of expressions
collect(fields, [limit], [multival], [separator])aggregatefields  Collects fields from multiple events into one event.
communityId([as], destinationip, [destinationport], [icmpcode], [icmptype], proto, [seed], sourceip, [sourceport])network   Computes the Community ID, a standard for hashing network flows.
concat([as], field)data-manipulation, stringfield  Concatenates the values of a list of fields into a value in a new field.
concatArray([as], field, [from], [prefix], [separator], [suffix], [to])array, data-manipulation, stringfield  Concatenates values of all fields with same name and an array suffix into a new field.
copyEvent(type)data-manipulation, eventtype  Duplicates an event so that the pipeline will see both events.
correlate(globalConstraints, includeConstraintValues, includeMatchesOnceOnly, iterationLimit, jitterTolerance, maxPerRoot, query, root, sequence, sequenceBy, within)aggregatequery  Correlates data by uniting multiple queries
count([as], [distinct], [field])aggregate, statisticsfield  Counts given events.
counterAsRate([as], field)aggregatefield  Calculates the rate for a counter field.
createEvents(rawstring)aggregate-testing, eventrawstring  Generates temporary events as part of the query.
crypto:md5([as], field)hashfield  Computes a cryptographic MD5-hashing of an input string.
crypto:sha1([as], field)hashfield  Computes a cryptographic SHA1-hashing of an input string.
crypto:sha256([as], field)hashfield  Computes a cryptographic SHA256-hashing of an input string.
default(field, [replaceEmpty], value)event, formatvalue  Creates a field to given parameter and given value.
defineTable([end], include, name, query, [start], [view])join, preamblequery  Runs a subquery to generate an in-memory table, then the table results are passed to a primary query to perform join-like operations.
drop(fields)data-manipulation, eventfields  Removes specified fields from each event.
dropEvent()data-manipulation, event   Drops completely an event in parser pipeline to stop it from being ingested.
duration([as], duration)time-dateduration  Computes the number of milliseconds denoted by a human-readable specification.
end([as])time-dateas  Assign the end of the search time interval to the field provided by parameter as.
eval()data-manipulation   Creates a new field by evaluating the provided expression.
eventFieldCount([as])event   Computes number of fields event uses internally for the values.
eventInternals([prefix])event   Add a set of fields describing the storage locations of this event.
eventSize([as])event   Determines the number of bytes that this event uses internally for the values, not counting the bytes for storing the field names.
fieldset()event   Retrieves a list of available fields.
fieldstats([limit])aggregate, event   Displays statistics about fields.
findTimestamp([addErrors], [as], [field], [timezone], [timezoneAs], [timezoneField])time-date   Finds timestamp in given field and parses, trying multiple timestamp formats.
format([as], field, format, [timezone])data-manipulation, formatformat  Formats a string using printf-style.
formatDuration([as], field, [from], [precision])format, time-datefield  Formats a duration into a more readable string.
formatTime(as, [field], format, [locale], [timezone], [unit])formatformat  Formats a string according to strftime().
geography:distance([as], lat1, lat2, lon1, lon2)geolocation   Calculates the distance between two geographical coordinates along an ideal earth surface.
geohash([as], [lat], [lon], [precision])geolocation   Calculates a geohash value given two fields representing latitude and longitude.
getField([as], source)data-manipulation   Reads dynamically-named fields that are computed from an expression.
groupBy(field, [function], [limit])aggregatefield  Groups events by specified fields and executes aggregate functions on each group.
hash([as], field, [limit], [seed])event, hashfield  Computes a non-cryptographic hash of a list of fields.
hashMatch([bits], [field], [hash], input, salt)securityinput  Calculates a secure hash of a field and uses it to match events as a filter.
hashRewrite([as], [bits], field, [hash], [replaceInRawstring], salt)securityfield  Calculates a secure hash of a field for storing in the event.
head([limit])aggregatelimit  Returns the oldest events from an event stream.
if([as], condition, else, then)conditioncondition  Computes a value in one of two ways (evaluates one of two expressions).
in(field, [ignoreCase], values)comparison, filterfield  Filters records by values where field is in given values.
ioc:lookup([confidenceThreshold], field, [include], [prefix], [strict], type)securityfield  Look up IOCs (Indicators of Compromise).
ipLocation([as], [field])geolocation, networkfield  Determines country, city, longitude, and latitude for given IP address.
join([end], field, [include], [key], [limit], [live], [max], [mode], query, [repo], [start], [view])joinquery  Join two LogScale searches.
json:prettyPrint([as], [field], [step], [strict])data-manipulation, formatfield  More readable output to a JSON field.
kvParse([as], [excludeEmpty], [field], [onDuplicate], [override], [prefix], [separator], [separatorPadding])parsingfield  Key-value parse events.
length([as], field)stringfield  Computes the number of characters in a string field.
linReg([prefix], x, y)aggregate   Computes linear relationship model between two variables using least-squares fitting.
lower([as], field, [locale], [type])formatfield  Changes text of a given string field to lower case letters.
lowercase(field, [include], [locale])data-manipulation, format, stringfield  Changes field name or content to lowercase for parsers.
match([column], field, file, [glob], [ignoreCase], [include], [mode], [nrows], [strict])filterfile  Searches text using a CSV or JSON file and can enhance entries.
math:abs([as], field)mathfield  Calculates the absolute value of a field; the result is always a positive number or 0.
math:arccos([as], field)mathfield  Calculates the arc cosine of a field.
math:arcsin([as], field)mathfield  Calculates the arc sine of a field.
math:arctan([as], field)mathfield  Calculates the arc tangent of a value.
math:arctan2([as], x, y)math   Calculates the arc tangent of a value.
math:ceil([as], field)mathfield  Rounds field value to smallest integer that's larger than or equal to it.
math:cos([as], field)mathfield  Calculates the cosine of a field.
math:cosh([as], field)math   Computes the hyperbolic cosine of a double field.
math:deg2rad([as], field)mathfield  Converts angles from degrees to radians.
math:exp([as], field)mathfield  Calculates Euler's number e raised to the power of a double value in a field.
math:expm1([as], field)mathfield  Calculates the exponential value of a number minus 1.
math:floor([as], field)mathfield  Computes the largest integer value not greater than the field value given.
math:log([as], field)mathfield  Calculates the natural logarithm (base e) of the value in a double field.
math:log10([as], field)mathfield  Calculates the base 10 logarithm of a double field.
math:log1p([as], field)mathfield  Calculates the natural logarithm of the sum of field's value and 1.
math:log2([as], field)mathfield  Calculates the base 2 logarithm of a double field.
math:mod([as], divisor, field)mathfield  Calculates the floor modulus of field value and the divisor.
math:pow([as], exponent, field)mathfield  Calculates the field value to the exponent power.
math:rad2deg([as], field)mathfield  Converts angles from radians to degrees.
math:sin([as], field)mathfield  Calculates the sine of a field.
math:sinh([as], field)mathfield  Calculates the hyperbolic sine of a double field.
math:sqrt([as], field)mathfield  Calculates the rounded positive square root of a double field.
math:tan([as], field)mathfield  Calculates the trigonometric tangent of an angle in a field.
math:tanh([as], field)mathfield  Calculates the hyperbolic tangent of a field.
max([as], field)aggregate, statisticsfield  Finds the largest number for the specified field over a set of events.
min([as], field)aggregate, statisticsfield  Finds the smallest number for the specified field over a set of events.
neighbor([direction], [distance], include, [prefix])aggregate, data-manipulation, sequenceinclude  Allows access to fields from a single neighboring event in a sequence.
now([as])time-dateas  Assign the current time to the field provided by parameter as.
objectArray:eval(array, asArray, function, [var])array, nested-arrayarray  Maps over an array of objects and outputs a new array of the mapped values.
objectArray:exists(array, condition, [var])array, nested arrayarray  Filters events based on whether the given array contains an element that satisfies a given condition (based on the array argument). Recommended for nested arrays.
parseCEF([field], [headerprefix], [keeplabels], [labelprefix], [prefix])data-manipulation, parsingfield  Parses CEF version 0.x encoded messages.
parseCsv(columns, [delimiter], [excludeEmpty], field, [trim])data-manipulation, parsingfield  Parses a CSV-encoded field into known columns.
parseFixedWidth(columns, [field], [trim], widths)parsingfield  Parses a fixed width-encoded field into known columns.
parseHexString([as], [charset], field)data-manipulation, math, parsingfield  Parses input from hex encoded bytes, decoding resulting bytes as a string.
parseInt([as], [endian], field, [radix])math, parsingfield  Converts an integer from any radix or base to base-ten, decimal radix.
parseJson([exclude], [excludeEmpty], field, [handleNull], [include], [prefix], [removePrefixes])data-manipulation, parsingfield  Parses specified fields as JSON.
parseLEEF([delimiter], [field], [headerprefix], [keeplabels], [labelprefix], [parsetime], [prefix], [timezone])data-manipulation, parsingfield  Parses LEEF version 1.0 and 2.0 encoded messages.
parseTimestamp([addErrors], [as], [caseSensitive], field, [format], [timezone], [timezoneAs], [timezoneField])parsing, time-dateformat  Parses a string into a timestamp.
parseUri([defaultBase], field, [prefix])parsingfield  Extracts URI components from a field.
parseUrl([as], [field])parsingfield  Extracts URL components from a field.
parseXml(field, [prefix], [strict])parsingfield  Parses specified field as XML.
partition(condition, function, [split])aggregate, data-manipulation, sequencefunction  Splits a sequence of events into multiple partitions based on a condition.
percentage([as], condition)aggregatecondition  Calculates what portion of events meet specified conditions.
percentile([accuracy], [as], field, [percentiles])aggregate, statisticsfield  Finds one event with a field for each percentile specified.
range([as], field)aggregate, statisticsfield  Finds numeric range between smallest and largest numbers for field over a set of events.
rdns([as], field, [limit], [server])aggregate, networkfield  Events using RDNS lookup.
readFile(file, [include], [limit])data-manipulation, eventfile  Uses a .csv lookup file or ad-hoc table as data input for the query.
regex([field], [flags], [limit], regex, [repeat], [strict])filter, regular-expression, stringregex  Extracts new fields using a regular expression.
rename([as], field)data-manipulation, eventfield  Renames one or more given fields.
replace([as], [field], [flags], regex, [replacement], [with])data-manipulation, regular-expression, stringregex  Replaces each substring that matches given regular expression with given replacement.
reverseDns([as], field, [limit], [server])transformationfield  Performs reverse DNS lookups.
round([as], field, [how])mathfield  Rounds an input field up or down, depending on which is nearest.
sample([field], [percentage])filter, statisticspercentage  Samples the event stream.
sankey(source, target, [weight])aggregate, data-manipulation, widget   Produces data compatible with Sankey widget.
select(fields)eventfields  Used to specify a set of fields to select from each event.
selectFromMax(field, include)aggregatefield  Selects event with the largest value for the specified field.
selectFromMin(field, include)aggregatefield  Selects event with the smallest value for the specified field.
selectLast(fields)aggregatefields  Specify fields to select from events, keeping value of most recent event for each field.
selfJoin([collect], field, [limit], [postfilter], [prefilter], [select], where)joinfield  Used to collate data from events that share a key.
selfJoinFilter(field, [prefilter], where)filter, joinfield  Runs query to determine IDs, and then gets all events containing one of them.
series(collect, [endmatch], [maxduration], [maxpause], [memlimit], [separator], [startmatch])aggregate, data-manipulationcollect  Collects a series of values for selected fields from multiple events into one or more events.
session([function], [maxpause])aggregate, statisticsfunction  Collects events into sessions, and aggregates them.
setField(target, value)data-manipulation   Sets fields whose names are not known but computed from an expression.
setTimeInterval([end], start, [timezone])preamble, time-datestart  Sets the query time interval (overriding the setting in the API or UI)
shannonEntropy([as], field)networkfield  Calculates a entropy measure from a string of characters.
slidingTimeWindow([current], function, span, [timestampfield])aggregate, data-manipulation, sequencefunction  Applies an aggregation to a moving time-based window of events in a sequence.
slidingWindow([current], events, function)aggregate, data-manipulation, sequencefunction  Applies an aggregation to a moving window of a specified number of events in a sequence.
sort([field], [limit], [order], [reverse], [type])aggregatefield  Sorts events by their fields.
split([field], [strip])array, data-manipulationfield  Splits an event structure created by a JSON array into distinct events.
splitString([as], by, [field], [index])array, data-manipulation, regular-expression, stringfield  Splits a string by specifying a regular expression by which to split.
start([as])time-dateas  Assign the start of the search time interval to the field provided by parameter as.
stats([function])aggregate, statisticsfunction  Used to compute multiple aggregate functions over the input.
stdDev([as], field)aggregate, statisticsfield  Calculates the standard deviation for a field over a set of events.
stripAnsiCodes([as], field)data-manipulation, stringfield  Removes ANSI color codes and movement commands.
subnet([as], bits, field)networkfield  Computes a subnet from a IPV4 field.
sum([as], field)aggregatefield  Calculates the sum for a field over a set of events.
table(fields, [limit], [order], [reverse], [sortby], [type])aggregate, widgetfields  Used to create a widget to present the data in a table.
tail([limit])aggregatelimit  Returns the newest events from an event stream.
test(expression)comparison, event, filterexpression  Evaluates boolean expression and filters events.
text:contains(string, substring)data-manipulation, filterstring  Tests if a specific substring is present within a given string.
text:endsWith(string, substring)data-manipulation, filterstring  Tests if a specific substring is present at the end of a given string.
text:length([as], string)data-manipulation, stringstringadded in 1.207 Computes the length of a string.
text:positionOf([as], [begin], character, [occurrence], string)data-manipulation, stringstringadded in 1.207 Computes the position of a given character or substring within a string.
text:startsWith(string, substring)data-manipulation, filterstring  Tests if a specific substring is present at the start of a given string.
text:substring([as], [begin], [end], string)data-manipulation, stringstringadded in 1.207 Extracts a substring from a string given a pair of positions into the string.
time:dayOfMonth([as], [field], [timezone], [timezoneField])time-datefield  Gets the day of the month of a timestamp field.
time:dayOfWeek([as], field, [timezone], [timezoneField])time-datefield  Gets day of week from 1 (Mon) to 7 (Sun) of a timestamp.
time:dayOfWeekName([as], [field], [timezone], [timezoneField])time-datefield  Gets the English display name of day of the week of a timestamp field.
time:dayOfYear([as], [field], [timezone], [timezoneField])time-datefield  Gets the day of the year of a timestamp field, from 1 to 365, or 366 in a leap year.
time:hour([as], [field], [timezone], [timezoneField])time-datefield  Gets the hour (24-hour clock) of a timestamp field.
time:millisecond([as], [field], [timezone], [timezoneField])time-datefield  Gets the millisecond of a timestamp field.
time:minute([as], [field], [timezone], [timezoneField])time-datefield  Gets the minute value of a timestamp field.
time:month([as], [field], [timezone], [timezoneField])time-datefield  Gets the month of a timestamp field (from 1 to 12).
time:monthName([as], [field], [timezone], [timezoneField])time-datefield  Gets the English name of month of a timestamp field (for example, January).
time:second([as], [field], [timezone], [timezoneField])time-datefield  Gets the second of a timestamp field.
time:weekOfYear([as], [field], [timezone], [timezoneField])time-datefield  Gets the week number within a year of a timestamp, a value from 1 to 53.
time:year([as], [field], [timezone], [timezoneField])time-datefield  Gets the year of a timestamp field.
timeChart([buckets], [function], [limit], [minSpan], [series], [span], [timezone], [unit])aggregate, widgetseries  Used to draw a linechart where the x-axis is time.
tokenHash([as], field)hash, stringfield  Calculates a hash by tokenizing the input string (split by spaces), creating a hash for each token and then added the result together. This generates the same hash value, even if the order of the individual values in the source string is different.
top([as], [error], field, [limit], [max], [percent], [rest], [sum])aggregatefield  Finds the top results based on a given field.
transpose([column], [header], [limit], [pivot])aggregate, data-manipulationpivot  Transposes a query results set by creating an event for each attribute.
unit:convert([as], [binary], field, [from], [keepUnit], [to], [unit])data-manipulation, mathfield  Converts values between different units.
upper([as], field, [locale])data-manipulation, formatfield  Changes contents of a string field to upper case letters.
urlDecode([as], field)data-manipulation, format, networkfield  URL-decodes the contents of a string field.
urlEncode([as], field, [type])data-manipulation, format, networkfield  URL encodes the contents of a string field.
wildcard([field], [ignoreCase], [includeEverythingOnAsterisk], pattern)filterpattern  Performs a wildcard pattern search with optional case insensitivity.
window([buckets], [function], [span])aggregatefunction  Computes aggregate functions over a sliding window of data.
worldMap([ip], [lat], [lon], [magnitude], [precision])aggregate, widget   Used to produce data compatible with the World Map widget.
writeJson([as], [field])data-manipulation, formatfield  Writes data, including fields, as a JSON object.
xml:prettyPrint([as], field, [step], [strict], [width])data-manipulationfield  Nicer output to an XML field.