Predefined Functions

Conversion functions
Function Name	Arguments	Returns
ToTimestamp	(expression, formatString) or (expression, formatString, timezone) or (expression, formatString, timezone, defaultValue)	The expression, which should evaluate to a string, is interpreted as a time according to the supplied formatString. If the conversion fails, null is returned, unless a default string is provided, which is interpreted as a time and returned. Example: `ToTimestamp( logFileStringTimestampField, "dd, MM, yyyy HH:mm:ss", "America/ Los_Angeles", "01, 01, 1970 00:00:00")` Note: If timezone is omitted or is empty, the system default timezone is used. If formatString does not contain a year, then when the function is being evaluated in the context of processing an event, the year from the event time (sys_eventTime) is used. If this results in a timestamp that is later than the event time, the prior year is used.
ToIP	(expression) or (expression, defaultValue)	Convert the expression to an IP address (Java InetAddress). If the conversion fails, null is returned, unless a default string is provided, which is interpreted as an IP address and returned. Example: `ToIP(ipAddressField, "10.0.0.1")`
ToTimestampString	(expression, formatString) or (expression, formatString, timezone) or (expression, formatString, timezone, defaultValue)	Same as ToTimestamp, except it gets converted to string to get a printable timestamp. Example: `ToTimestampString(timestamp , "dd, MM, yyyy HH:mm:ss", "America/Los_Angeles", "01, 01, 1970 00:00:00")` Note: If timezone is omitted or is empty, the system default timezone is used.
ToInt	(expression) or (expression, defaultValue)	The obvious conversion to integer with default value taken if not convertible. Example: `ToInt("1348") or ToInt(numberField, 0)`
ToLong	(expression) or (expression, defaultValue)	The obvious conversion to Long with default value taken if not convertible. Example: `ToLong("1348") or ToLong(numberField, 0)`
ToString	(expression) or (expression, defaultValue)	The obvious conversion to String with default value taken if not convertible. Example: `ToString(124.5) or ToString(numberField, "null")`
ToFloat	(expression) or (expression, defaultValue)	The obvious conversion to Float with default value taken if not convertible. Example: `ToFloat("1348.2") or ToLong(numberField, 0.0)` Note: LogLogic LMI uses double precision (that is 64 bits) when storing floating point numbers.
ToBool	(expression) or (expression, defaultValue)	The obvious conversion to Boolean with default value taken if not convertible. Example: `ToBool("FALSE") or ToBool(col1, FALSE)`
ExtractJson	(expression, extraction path) or (expression, extraction path, default value)	The expression, which is a JSON string is parsed. A field is extracted from the expression using the extraction path. If either the expression or the path are invalid, an optional default value is returned. Example: `ExtractJson("{"cat": {"color":" blue"}}", "cat.color", "burlesque")` returns a string "blue" which is a JSON value of color, which is a JSON value of cat.
ExtractKvp	(expression, extraction path) or (expression, extraction path, nested KVP delimiters /default "{}"/) or (expression, extraction path, nested KVP, deliiter / default ","/) or (expression, extraction path, nested KVP, delimiter, separator /default "="/) or (expression, extraction path, nested KVP, delimiter, separator, escape character / default "\\"/) or (expression, extraction path, nested KVP, delimiter, separator, escape character, default value)	The expression, which is a nested KVP string is parsed. A field is extracted from the expression using the extraction path. If either the expression or the path are invalid, an optional default value is returned. Example: `ExtractKvp(" alert={ agent={ hostname=esbqa01, dns=none}}" , "alert.agent.dns")` returns a string "none". or `ExtractKvp("(abc^def\|asd^aaa)" , "asd", "()", "\|", "^")` returns "aaa".

String functions . The smart list functions are usually used in filter expressions and data model.
Function Name	Arguments	Returns
lookup	(String 1, String 2, [String 3])	The value associated with String2 in the Enrichment list named String1. Examples: lookup("list1", "key1") lookup ("list1", "key1", "default_return_value" $list1("key1") $list1("key1", "default_return_value")
length	(expression)	Returns the length of the string value of the evaluated expression. For example, if an expression is an integer, it is converted to a string first. Example: `length("abc")` is 3, `length(3145)` is 4 (after converting the integer 3145 to the string "3145")
TransformString	(stringToTransform, regularExpression, template) or (stringToTransform, regularExpression, template, defaultValue)	It tries to match the stringToTransform with the regular expression, and then returns the template with references to groups in the regular expression substituted with the actual values. To refer to groups, use $1, $2, so on, to refer to numbered groups, and $<name> to refer to named groups. If the string does not match, or is there any other error, the default value is returned (or NULL if not specified). Example: `TransformString("myName=loglogic" , "myName=(\\S*)", "the name is $1")` returns: "the name is loglogic".
lower	(String)	(String) Lower case of string 1.
upper	(String)	Upper case of string 1.
trim	(String)	Trimmed string 1 (without leading and trailing spaces).
substitute	(String 1, String 2, String 3)	Substitute string 2 by string 3 in string 1.
left	(String, Int) <int>	left characters of string 1.
right	(String, Int) <int>	right characters of string 1.
mid substr substring	(String, Int 1, Int 2)	Characters from string1 starting at offset <int1> for a length of <int2>.
find position	(String 1, String 2)	Index of the first occurrence of string2 within string1, -1 if no occurrence is found.
concatenate	(String 1, String 2, …)	Concatenation of all strings passed as arguments.

Comparison functions
Function Name	Arguments	Returns
NaturalEqualTo	(arg1, arg2)	True if arg1 equals arg2 False if arg1 is not equal to arg2 False if only one of the arguments is NULL True if both arguments are NULL
NaturalNotEqualTo	(arg1, arg2)	True if arg1 is not equal to arg2 False if arg1 equals arg2 True if only one of the arguments is NULL False if both arguments are NULL

Math functions

Function Name

Arguments

Returns

Power

base, exponent

Returns the value of base raised to the power of exponent. Any null argument returns null.

Round

(numeric) or (numeric, [integer])

Returns a FLOAT value of the numeric argument rounded to the number of decimal places specified by integer. The argument integer is optional, and the default value is zero if not provided.

The numeric value is rounded mid-way and away from zero. A null argument returns null. If the second argument is positive, it represents the number of decimal places to the right of the decimal point, whereas if it is negative, it represents the number of places to the left of the decimal point which become a zero.

For example:

Function	Result
ROUND( 12.345 )	12.0
ROUND( 12.345, 2 )	12.35
ROUND( 123.45, -1 )	120.0
ROUND( 34567, -2 )	34600
ROUND( -3456.5 )	-3457.0

Sqrt

numeric

Returns the square root of the argument or null if the argument is null.

Conditional functions
Function Name	Arguments	Returns
IIF	Condition, then, else	Returns the value of the 'then' clause if the condition is true, otherwise the value of the 'else' clause . Example: `IIF(true, “a”, “b”)` returns “a” if true and “b” if false

Time functions
Function Name	Arguments	Returns
Seconds	Timestamp	Truncates the specified timestamp parameter to the second.
Minutes	Timestamp	Truncates the specified timestamp parameter to the minute.
Hours	Timestamp	Truncates the specified timestamp parameter to the hour.
Days	Timestamp	Truncates the specified timestamp parameter to the day.
Weeks	Timestamp	Truncates the specified timestamp parameter to the week
Months	Timestamp	Truncates the specified timestamp parameter to the month.
Years	Timestamp	Truncates the specified timestamp parameter to the year.

Contents

Index

Search Results

Predefined Functions