Event & Data Manipulation Query Functions

LogScale's event and data manipulation functions allow event creation, modification and data manipulation of events and fields within the event.

Table: Event & Data Manipulation Query Functions

FunctionDefault ArgumentAvailabilityDescription
array:contains(array, value)array  Checks whether the given value matches any of the values of the array and excludes the event if no value matches
array:filter(array, function, var)array  Drops entries from the input array using the given filtering function.
array:reduceColumn(array, [as], function, var)array  Computes an aggregate value for each array element with the same index.
array:union(array, [as])array  Determines the set union of array values over input events.
concat([as], field)field  Concatenates the values of a list of fields into a value in a new field.
concatArray([as], field, [from], [prefix], [separator], [suffix], [to])field  Concatenates values of all fields with same name and an array suffix into a new field.
eval()   Creates a new field by evaluating the provided expression.
format([as], field, format, [timezone])format  Formats a string using printf-style.
json:prettyPrint([as], [field], [step], [strict])field  Nicer output to a JSON field.
lowercase(field, [include], [locale])field  Changes field name or content to lowercase for parsers.
parseCEF([field], [prefix])field  Parses CEF version 0.x encoded messages.
parseCsv(columns, [delimiter], [excludeEmpty], field)field  Parses a CSV-encoded field into known columns.
parseHexString([as], [charset], field)field  Parses input from hex encoded bytes, decoding resulting bytes as a string.
parseJson([exclude], [excludeEmpty], field, [handleNull], [include], [prefix], [removePrefixes])field  Parses specified fields as JSON.
parseLEEF([delimiter], [field], [parsetime], [prefix], [timezone])field  Parses LEEF version 1.0 and 2.0 encoded messages.
rename([as], field)field  Renames one or more given fields.
replace([as], [field], [flags], regex, [replacement], [with])regex  Replaces each substring that matches given regular expression with given replacement.
sankey(source, target, [weight])   Produces data compatible with Sankey widget.
series(collect, [endmatch], [maxduration], [maxpause], [memlimit], [separator], [startmatch])collect  Collects a series of values for selected fields from multiple events into one or more events.
split([field], [strip])field  Splits an event structure created by a JSON array into distinct events.
splitString([as], by, [field], [index])field  Splits a string by specifying a regular expression by which to split.
stripAnsiCodes([as], field)field  Removes ANSI color codes and movement commands.
transpose([column], [header], [limit], [pivot])pivot  Transposes a query results set by creating an event for each attribute.
unit:convert([as], [binary], field, [from], [keepUnit], [to], [unit])field  Converts values between different units.
upper([as], field, [locale])field  Changes contents of a string field to upper-case letters.
urlEncode([as], field, [type])field  URL-encodes the contents of a string field.
writeJson([as], [field])field  Writes data, including fields, as a JSON object.
xml:prettyPrint([as], field, [step], [strict], [width])field  Nicer output to an XML field.