Functions

A list of example query functions.

coalesce

Usage: coalesce(<field1>,<field2>,...)

Description: Takes a list of fields and literals and returns the first non-empty value.

Examples:

nodes | select coalesce(label,name,"fallback")

concat

Usage: concat(<field1>,<field2>,...)

Description: Returns the concatenations of a list of fields and literals interpreted as strings.

Examples:

nodes | select concat(label,"/",name)

days_ago

Usage: days_ago(<field|number>)

Description: Returns the difference in days between the timestamp field and the time of execution of the query. In the where clause the days_ago(number) syntax gives the best query performance.

Examples:

alerts | select days_ago(time)
alerts | where days_ago(time) < 20
alerts | where time >= days_ago(20)

dist

Usage: dist(<field1>,<field2>)

Description: Returns the difference between field1 and field2. The fields can also be literals.

Examples:

nodes | select dist(sent.bytes,received.bytes)

div

Usage: div(<field1>,<field2>)

Description: Returns the result of the arithmetic division of field1 by field2. The fields can also be literals.

Examples:

nodes | select div(last_activity_time,"1000")

floor

Usage: floor(<field>)

Description: Returns the greatest integer less than or equal to the provided field.

Examples:

alerts | reduce risk avg | select floor(risk_avg)
assets | select div(risk, "10") | select floor(div)

format_time

Usage: format_time(<time_field>, [format_string])

Description: Returns a string representation of the time field formatted according to the format string or the default formatting string ('YYYY-MM-DD HH24:MI:SS') if none is specified. Accepted format patterns are:
  • YYYY: year, 4 digits
  • MM: month number, 2 digits
  • DD: day of month, 2 digits
  • HH12: hour of day, 01-12
  • HH24: hour of day, 00-23
  • MI: minute, 00-59
  • SS: second, 00-59

Characters that can be used as separators are: -, :, whitespace

Examples:

sessions | select format_time(last_activity_time)
sessions | where last_activity_time > days_ago(7) | select format_time(last_activity_time, "YYYY-MM-DD") | group_by formatted

hours_ago

Usage: hours_ago(<field|number>)

Description: Returns the difference in seconds between the timestamp field and the time of execution of the query. In the where clause the hours_ago(<number>) syntax gives the best query performance.

Examples:

alerts | select hours_ago(time)
alerts | where hours_ago(time) < 20
alerts | where time >= hours_ago(20)

ipv4

Usage: ipv4(<field>)

Description: Returns a non-empty value if the field argument is an IPv4.

Examples:

nodes | select ipv4(ip)
nodes | where ipv4(ip) != ""

ipv6

Usage: ipv6(<field>)

Description: Returns a non-empty value if the field argument is an IPv6.

Examples:

nodes | select ipv6(ip)
nodes | where ipv6(ip) != ""

is_empty

Usage: is_empty(<field>)

Description: Returns true if the field is an empty string or array, false otherwise.

Examples:

nodes | where !is_empty(label)
nodes | select protocols is_empty(protocols)

is_recent

Usage: is_recent(<field>)

Description: Returns true if field represents a time in the last 30 minutes, false otherwise.

Examples:

alerts | where is_recent(time)

minutes_ago

Usage: minutes_ago(<field|number>)

Description: Returns the difference in minutes between the timestamp field and the time of execution of the query. In the where clause the minutes_ago(<number>) syntax gives the best query performance.

Examples:

alerts | select minutes_ago(time)
alerts | where minutes_ago(time) < 20
alerts | where time >= minutes_ago(20)

mult

Usage: mult(<field1>,<field2>,...)

Description: Multiplies the fields or literal values in the arguments list.

Examples:

alerts | select mult(risk,"10")

parse

Usage: parse(<field>,<regex>)

Description: Extracts a new field from an existing field by leveraging a POSIX regular expression. The new field will have the value of the portion of text that matches the regular expression, if the regular expression contains parentheses the return value will be the portion of text matching the regular expression inside the parentheses.

Examples:

assets | select parse(properties,".sysDescr\.0.:\s.([a-zA-Z0-9\-\.\s]+).")->sysDescr
assets | select parse(name, "\d+")->number

round

Usage: round(<field>,[<decimal_places>])

Description: Rounds a number at the given decimal_places. If decimal_places is not specified the number will be rounded to the closer integer.

Examples:

alerts | reduce risk avg | select round(risk_avg,3)
alerts | reduce risk avg | select round(risk_avg)

seconds_ago

Usage: seconds_ago(<field|number>)

Description: Returns the difference in seconds between the timestamp field and the time of execution of the query. In the where clause the seconds_ago(<number>) syntax gives the best query performance.

Examples:

alerts | select seconds_ago(time)
alerts | where seconds_ago(time) < 20
alerts | where time >= seconds_ago(20)

size

Usage: size(<array_field>)

Description: Returns the size of the array_field.

Examples:

nodes | where size(roles) > 1

split

Usage: split(<field>,<splitter_string>,<index>)

Description: Splits the value of field by splitter_string and returns the item at the index position, where index starts at 1.

Examples:

nodes | select split(mac_address,":",1)

to_epoch

Usage: to_epoch(<timestamp_field>)

Description: Converts a timestamp field into the numeric version suitable for queries.

Examples:

wireless_networks | bucket to_epoch(created_at) 3600000