Quick Links

• base64Decode

• base64Encode

• getCIDRPrefix

• compareCIDRPrefix

• maskFromCIDR

• concat

• decToHex

• format

• formatDate

• hash

• hexToAscii

• hexToDec

• ipv4ToNumber

• isEmpty

• isBlank

• isNumeric

• isPrivateIP

• isPublicIP

• isValidIP

• len

• luhn

• now

• queryEndTime

• queryStartTime

• queryTimeRange

• replace

• substring

• toBytes

• toDuration

• toFloat

• toInt

• toLowerCase

• toUpperCase

• trim

• urlDecode

• urlEncode

base64Decode

Converts a base64 string into to an ASCII/UTF-8 string.

Syntax

| base64Decode(<base64String>) as <alias>

Examples

| base64Decode("SGVsbG8gV29ybGQ=") as K

The above example returns K with a value of Hello World.

base64Encode

Converts an ASCII/UTF-8 string to a base64 string.

Syntax

| base64Encode(<string>) as <alias>

Examples

| base64Encode("Hello World") as K

The above example returns K with a value of SGVsbG8gV29ybGQ=.

getCIDRPrefix

Retrieves the network prefix from an IPv4 address.

Syntax

| getCIDRPrefix(<ipv4String>) as <alias>

Examples

| getCIDRPrefix("10.10.1.35") as K

The above example returns K with a value of 24.

compareCIDRPrefix

Check if the network prefixes of two IPv4 addresses match.

Syntax

| compareCIDRPrefix(<ipv4String>, <ipv4String>) as <alias>

Examples

| compareCIDRPrefix("10.10.1.35", "10.10.1.35", 24) as K

The above example returns K with a value of true.

| compareCIDRPrefix("10.10.1.35", "11.11.2.35", 24) as K

The above example returns K with a value of false.

maskFromCIDR

Returns the subnet mask given a prefix length for IPv4 addresses.

Syntax

| maskFromCIDR(<prefixLength>) as <alias>

where <prefixLength> is 0-32

Examples

| maskFromCIDR(32) as K

The above example returns K with a value of 255.255.255.255.

| maskFromCIDR(31) as K

The above example returns K with a value of 255.255.255.254.

concat

Concatenates multiple strings, numbers into a new string.

Syntax

| concat(<field1>, <field2>, ...) as <alias>

Examples

| concat("Hello", " ", "World", " ", 1) as K

The above example returns K with a value of "Hello World 1".

decToHex

Converts long value to hexadecimal value.

Syntax

| decToHex(<longField>) as <alias>

Examples

| decToHex("70") as K

The above example returns K with a value of "46".

format

Returns a formatted string given a format specifier and arguments.

Syntax

| format(<formatSpecifierString>, <field1>, ...) as <alias>

Examples

| format("%s : %s", "The count is", 1) as K

The above example returns K with a value of "The count is: 1".

formatDate

Returns a date string given a date, format, and timezone (default UTC).

Syntax

| formatDate(<dateMilliseconds>) as <alias>

| formatDate(<dateMilliseconds>, <formatString>) as <alias>

| formatDate(<dateMilliseconds>, <formatString>, <timezoneString>) as <alias>

Examples

| formatDate(1730925217838) as K

The above example returns K with a value of "2024-11-06T20:33:37Z".

| formatDate(1730925217838, "01-02-2006") as K

The above example returns K with a value of "11-06-2024".

| formatDate(1730925217838, "2006-01-02 15:04:05", "America/Los_Angeles") as K

The above example returns K with a value of "2024-11-06 12:33:37".

hash

Hashes data into a string value using the specified hash algorithm. Supported hash algorithms are MD5, SHA1, SHA2, and MurmurHash3.

Syntax

| hash(<field>) as <alias>

| hash(<field>, <hashAlgorithm>) as <alias>

where <hashAlgorithm> is either md5(default), sha1, sha2_256, or murmur3_128

Examples

| hash("hello world") as K

The above example returns K with a value of "5eb63bbbe01eeed093cb22bb8f5acdc3".

| hash("hello world", "sha1") as K

The above example returns K with a value of "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed".

hexToAscii

Converts hexadecimal string to ASCII value.

Syntax

| hexToAscii(<hexString>) as <alias>

Examples

| hexToAscii("48656c6c6f20476f7068657221") as K

The above example returns K with a value of "Hello Gopher!".

hexToDec

Converts hexadecimal string to a long value.

Syntax

| hexToDec(<hexString>) as <alias>

Examples

| hexToAscii("0000000000001337") as K

The above example returns K with a value of 4919.

ipv4ToNumber

Converts an Internet Protocol version 4 (IPv4) IP address from the octet dot-decimal format to a decimal format.

Syntax

| ipv4ToNumber(<ipv4String>) as <alias>

Examples

| ipv4ToNumber("10.163.3.0") as K

The above example returns K with a value of 178455296.

isEmpty

Checks if a string value is an empty string containing no characters or whitespace.

Syntax

| isEmpty(<string>) as <alias>

Examples

| isEmpty(" a ") as K

The above example returns K with a value of false.

isBlank

Checks if a string value is null, empty, or contains only whitespace characters.

Syntax

| isBlank(<string>) as <alias>

Examples

| isBlank(" ") as K

The above example returns K with a value of true.

isNumeric

Checks if a string value can be parsed as a number.

Syntax

| isNumeric(<string>) as <alias>

Examples

| isNumeric("1.234") as K

The above example returns K with a value of true.

isPrivateIP

Checks if an IPv4 address is private.

Syntax

| isPrivateIP(<ipv4String>) as <alias>

Examples

| isPrivateIP("192.168.0.1") as K

The above example returns K with a value of true.

isPublicIP

Checks if an IPv4 address is public.

Syntax

| isPublicIP(<ipv4String>) as <alias>

Examples

| isPrivateIP("192.168.0.1") as K

The above example returns K with a value of false.

isValidIP

Checks if an IPv4 or IPv6 address is valid.

Syntax

| isValidIP(<ipString>) as <alias>

Examples

| isValidIP("192.168.0.1") as K

The above example returns K with a value of true.

| isValidIP("192.168.400.1") as K

The above example returns K with a value of false.

len

Returns the length of a string.

Syntax

| len(<string>) as <alias>

Examples

| len("1234") as K

The above example returns K with a value of 4.

luhn

Validates credit card numbers in a string value using Luhn’s algorithm. The operator removes all non-numeric values and checks if the resulting string is a valid credit card number.

Syntax

| luhn(<string>) as <alias>

Examples

| luhn("6666-7777-6666-8888") as K

The above example returns K with a value of true.

| luhn("00000000000000031") as K

The above example returns K with a value of false.

now

Returns the current epoch time in milliseconds

Syntax

| now() as <alias>

Examples

| now() as K

| formatDate(now(), "YYYY-MM-dd") as today

queryEndTime

Returns the end time of the search in milliseconds.

Syntax

| queryEndTime() as <alias>

Examples

| queryEndTime() as K

queryStartTime

Returns the start time of the search in milliseconds.

Syntax

| queryStartTime() as <alias>

Examples

| queryStartTime() as K

queryTimeRange

Returns the time range for the query being executed in milliseconds.

Syntax

| queryTimeRange() as <alias>

Examples

| queryTimeRange() as K

replace

Replaces all occurrences of a specified string with another string. The specified string can be a literal or regex.

Syntax

| replace(<sourceString>, <searchString>, <replaceString>) as <alias>

| replace(<sourceString>, <regexString>, <replaceString>) as <alias>

Examples

| replace("hello world", "world", "gopher") as K

The above example returns K with a value of “hello gopher".

| replace("http://kloudfuse.com/products/12345678/logs", "[0-9]{5,}", "") as K

The above example returns K with a value of “http://kloudfuse.com/products//logs".

substring

Extract a part of a given string and start/end offsets. If end offset is not provided, the substring is taken until the end of the source string.

Syntax

| substring(<sourceString>, <startOffsert>) as <alias>

| substring(<sourceString>, <startOffsert>, <endOffset>) as <alias>

Examples

| substring("hello world", 0, 5) as K

The above example returns K with a value of “hello".

toBytes

Parses a string representation of bytes (KB, MB, GB, etc.) into the number of bytes it represents.

Syntax

| toBytes(<storageSize>) as <alias>

Examples

| toBytes("1.5KB") as K

The above example returns K with a value of 1500.

toDuration

Parses a string representation of time (ns, µs, ms, s, m, h) to nanoseconds.

Syntax

| toDuration(<timeString>) as <alias>

Examples

| toFloat("2ms") as K

The above example returns K with a value of 2000000.

toFloat

Parses a string representation of a number or a number to a float.

Syntax

| toFloat(<number>) as <alias>

| toFloat(<numberString>) as <alias>

Examples

| toFloat("1.25") as K

The above example returns K with a value of 1.25.

toInt

Parses a string representation of a number or a number to an int.

Syntax

| toInt(<number>) as <alias>

| toInt(<numberString>) as <alias>

Examples

| toInt("1.5") as K

The above example returns K with a value of 1.

toLowerCase

Converts all letters of a string to lowercase.

Syntax

| toLowerCase(<string>) as <alias>

Examples

| toLowerCase("HELLO WORLD") as K

The above example returns K with a value of “hello world".

toUpperCase

Converts all letters of a string to lowercase.

Syntax

| toUpperCase(<string>) as <alias>

Examples

| toLowerCase("hello world") as K

The above example returns K with a value of “HELLO WORLD".

trim

Removes starting and trailing whitespaces in a string.

Syntax

| trim(<string>) as <alias>

Examples

| trim(" hello world ") as K

The above example returns K with a value of “hello world".

urlDecode

Returns an unescaped url string.

Syntax

| urlDecode(<urlString>) as <alias>

Examples

| urlDecode("http%3A%2F%2Fexample-server123.org%2Fapi%2Fv1%2Fdata.php%3Fauth%3DAbCdEfGhIjKlMnOpQrStUvWxYz123456%26") as K

The above example returns K with a value of “http://example-server123.org/api/v1/data.php?auth=AbCdEfGhIjKlMnOpQrStUvWxYz123456&".

urlEncode

Encodes url into ASCII character set.

Syntax

| urlDecode(<urlString>) as <alias>

Examples

| urlDecode("http://example-server123.org/api/v1/data.php?auth=AbCdEfGhIjKlMnOpQrStUvWxYz123456&") as K.

The above example returns K with a value of “http%3A%2F%2Fexample-server123.org%2Fapi%2Fv1%2Fdata.php%3Fauth%3DAbCdEfGhIjKlMnOpQrStUvWxYz123456%26".