Functions
A list of example query functions.
coalesce
Usage: coalesce(<field1>,<field2>,...)
Description: Takes a list of fields and literals and returns the first non-empty value.
Examples:
nodes | select coalesce(label,name,"fallback")concat
Usage: concat(<field1>,<field2>,...)
Description: Returns the concatenations of a list of fields and literals interpreted as strings.
Examples:
nodes | select concat(label,"/",name)days_ago
Usage: days_ago(<field>)
Description: Returns the number of days between the timestamp field and the time that the query is executed.
Examples:
alerts | select days_ago(time)alerts | where days_ago(time) < 20alerts | where time >= days_ago(20)dist
Usage: dist(<field1>,<field2>)
Description: Returns the difference between field1 and field2. The fields can also be literals.
Examples:
nodes | select dist(sent.bytes,received.bytes)div
Usage: div(<field1>,<field2>)
Description: Returns the result of the arithmetic division of field1 by field2. The fields can also be literals.
Examples:
nodes | select div(last_activity_time,"1000")gauge
Usage: gauge <field> [min]
[max]
Description: Outputs a numeric field drawn as a gauge from the first dataset row.
Examples:
alerts | where time > days_ago(7) | reduce risk avg | gauge round(risk_avg)hours_ago
Usage: hours_ago(<field>)
Description: Returns the number of seconds between the timestamp field and the time the query was executed.
Examples:
alerts | select hours_ago(time)alerts | where hours_ago(time) < 20alerts | where time >= hours_ago(20)ipv4
Usage: ipv4(<field>)
Description: Returns a non-empty value if the field argument is an IPv4.
Examples:
nodes | select ipv4(ip)nodes | where ipv4(ip) != ""assets | expand ip | select ipv4(expanded_ip)assets.ip is an array, you need to expand it with the
expand operator to use the ipv4 function.ipv6
Usage: ipv6(<field>)
Description: Returns a non-empty value if the field argument is an IPv6.
Examples:
nodes | select ipv6(ip)nodes | where ipv6(ip) != ""assets | expand ip | select ipv6(expanded_ip)assets.ip is an array, you need to expand it with the
expand operator to use the ipv6 function.is_empty
Usage: is_empty(<field>)
Description: Returns true if the field is an empty string or array; otherwise, returns false.
Examples:
nodes | where !is_empty(label)nodes | select protocols is_empty(protocols)is_recent
Usage: is_recent(<field>)
Description: Returns true if field represents a time in the last 30 minutes; otherwise, returns false.
Examples:
alerts | where is_recent(time)minutes_ago
Usage: minutes_ago(<field>)
Description: Returns the number of minutes between the timestamp field and the time the query was executed.
Examples:
alerts | select minutes_ago(time)alerts | where minutes_ago(time) < 20alerts | where time >= minutes_ago(20)mult
Usage: mult(<field1>,<field2>,...)
Description: Multiplies the fields or literal values in the arguments list.
Examples:
alerts | select mult(risk,"10")round
Usage: round(<field>,[<decimal_places>])
Description: Round a number at the given decimal_places. If decimal_places is not specified, the number is rounded to the closest integer.
Examples:
alerts | reduce risk avg | select round(risk_avg,3)alerts | reduce risk avg | select round(risk_avg)seconds_ago
Usage: seconds_ago(<field>)
Description: Returns the number of seconds between the timestamp field and the time the query was executed.
Examples:
alerts | select seconds_ago(time)alerts | where seconds_ago(time) < 20alerts | where time >= seconds_ago(20)split
Usage: split(<field>,<splitter_string>,<index>)
Description: Splits the value of field by splitter_string and returns the item at the index position, where index starts at 1.
Examples:
nodes | select split(mac_address,":",1)to_epoch
Usage: to_epoch(<timestamp_field>)
Description: Converts a timestamp field into the numeric version suitable for queries.
Examples:
wireless_networks | bucket to_epoch(created_at) 3600000