Event & Data Manipulation Query Functions

LogScale's query functions take a set of events, parameters, or configurations and produce, reduce, or modify values within that set, or within the events themselves, as they pass through the query pipeline.

Table: Event & Data Manipulation Query Functions

| Function | Implied Argument | Availability | Description |
|---|---|---|---|
| array:contains(array, value) | array | introduced in 1.62 | Checks whether the given value matches any of the values of the array and excludes the event if no value matches. |
| array:filter(array, [as], function, var) | array | introduced in 1.39 | Drops entries from the input array using the given filtering function. |
| array:reduceAll(array, function, var) | array | introduced in 1.39 | Computes a value from all events and array elements of the specified array. |
| array:reduceColumn(array, [as], function, var) | array | introduced in 1.39 | Computes an aggregate value for each array element with the same index. |
| array:union(array, [as]) | array | introduced in 1.39 | Determines the set union of array values over input events. |
| concat([as], field) | field | | Concatenates the values of a list of fields into a value in a new field. |
| concatArray([as], field, [from], [prefix], [separator], [suffix], [to]) | field | | Concatenates the values of all fields with the same name and an array suffix into a new field. |
| format([as], field, format, [timezone]) | format | | Formats a string using a printf-style format specification. |
| hashRewrite([as], [bits], field, [hash], [replaceInRawstring], salt) | field | | Calculates a secure hash of a field for storing in the event. |
| json:prettyPrint([as], [field], [step], [strict]) | field | | Pretty-prints a JSON field for more readable output. |
| lowercase(field, [include], [locale]) | field | | Changes field name or content to lowercase for parsers. |
| parseCEF([field], [prefix]) | field | | Parses CEF version 0.x encoded messages. |
| parseCsv(columns, [delimiter], [excludeEmpty], field) | field | | Parses a CSV-encoded field into known columns. |
| parseHexString([as], [charset], field) | field | | Parses input from hex-encoded bytes, decoding the resulting bytes as a string. |
| parseJson([exclude], field, [include], [prefix], [removePrefixes]) | field | | Parses specified fields as JSON. |
| parseLEEF([delimiter], [field], [parsetime], [prefix], [timezone]) | field | | Parses LEEF version 1.0 and 2.0 encoded messages. |
| rename(as, field) | field | | Renames a given field. |
| replace([as], [field], [flags], regex, [replacement], [with]) | field | | Replaces each substring that matches the given regular expression with the given replacement. |
| sankey(source, target, [weight]) | sankey | | Produces data compatible with the Sankey widget. |
| series(collect, [endmatch], [maxduration], [maxpause], [memlimit], [separator], [startmatch]) | collect | | Collects a series of values for selected fields from multiple events into one or more events. |
| split([field], [strip]) | field | | Splits an event structure created by a JSON array into distinct events. |
| splitString([as], by, [field], [index]) | field | | Splits a string by a specified regular expression. |
| stripAnsiCodes([as], field, [type]) | field | | Removes ANSI color codes and cursor movement commands. |
| transpose([column], [header], [limit], [pivot]) | pivot | | Transposes a query result set by creating an event for each attribute. |
| unit:convert([as], [binary], field, [from], [keepUnit], [to], [unit]) | field | | Converts values between different units. |
| upper([as], field, [locale]) | field | | Changes the contents of a string field to upper-case letters. |
| urlEncode([as], field, [type]) | field | | URL-encodes the contents of a string field. |
| writeJson([as], [field]) | field | | Writes data, including fields, as a JSON object. |
| xml:prettyPrint([as], field, [step], [strict], [width]) | field | | Pretty-prints an XML field for more readable output. |