Predefined Functions

A list of functions that are available in the EQL.

The conversion functions are typically used when adding a new data model, or when you need to define new columns, where the expressions for new columns can use conversion functions to convert between data types and combine them using various operators. For instructions on how to add a new data model, see Adding a Data Model in Graphical Mode.

Conversion functions
Function Name Arguments Returns
ToTimestamp (expression, formatString) or (expression, formatString, timezone) or (expression, formatString, timezone, defaultValue) The expression, which should evaluate to a string, is interpreted as a time according to the supplied formatString. If the conversion fails, null is returned, unless a default string is provided, which is interpreted as a time and returned.
Example: ToTimestamp( logFileStringTimestampField, "dd, MM, yyyy HH:mm:ss", "America/ Los_Angeles", "01, 01, 1970 00:00:00")
Note: If timezone is omitted or is empty, the system default timezone is used.

If formatString does not contain a year, then when the function is being evaluated in the context of processing an event, the year from the event time (sys_eventTime) is used. If this results in a timestamp that is later than the event time, the prior year is used.

ToIP (expression) or (expression, defaultValue) Convert the expression to an IP address (Java InetAddress). If the conversion fails, null is returned, unless a default string is provided, which is interpreted as an IP address and returned.

Example: ToIP(ipAddressField, "10.0.0.1")

ToTimestampString (expression, formatString) or (expression, formatString, timezone) or (expression, formatString, timezone, defaultValue) Same as ToTimestamp, except it gets converted to string to get a printable timestamp.

Example: ToTimestampString(timestamp , "dd, MM, yyyy HH:mm:ss", "America/Los_Angeles", "01, 01, 1970 00:00:00")

Note: If timezone is omitted or is empty, the system default timezone is used.

ToInt (expression) or (expression, defaultValue) The obvious conversion to integer with default value taken if not convertible.

Example: ToInt("1348") or ToInt(numberField, 0)

ToLong (expression) or (expression, defaultValue) The obvious conversion to Long with default value taken if not convertible.

Example: ToLong("1348") or ToLong(numberField, 0)

ToString (expression) or (expression, defaultValue) The obvious conversion to String with default value taken if not convertible.

Example: ToString(124.5) or ToString(numberField, "null")

ToFloat (expression) or (expression, defaultValue) The obvious conversion to Float with default value taken if not convertible.

Example: ToFloat("1348.2") or ToLong(numberField, 0.0)

Note: LogLogic LMI uses double precision (that is 64 bits) when storing floating point numbers.

ToBool (expression) or (expression, defaultValue) The obvious conversion to Boolean with default value taken if not convertible.

Example: ToBool("FALSE") or ToBool(col1, FALSE)

ExtractJson (expression, extraction path) or (expression, extraction path, default value) The expression, which is a JSON string is parsed. A field is extracted from the expression using the extraction path. If either the expression or the path are invalid, an optional default value is returned.

Example: ExtractJson("{"cat": {"color":" blue"}}", "cat.color", "burlesque") would return a string "blue" which is a JSON value of color, which is a JSON value of cat.

ExtractKvp (expression, extraction path) or (expression, extraction path, nested KVP delimiters /default "{}"/) or (expression, extraction path, nested KVP, deliiter / default ","/) or (expression, extraction path, nested KVP, delimiter, separator /default "="/) or (expression, extraction path, nested KVP, delimiter, separator, escape character / default "\\"/) or (expression, extraction path, nested KVP, delimiter, separator, escape character, default value) The expression, which is a nested KVP string is parsed. A field is extracted from the expression using the extraction path. If either the expression or the path are invalid, an optional default value is returned.

Example: ExtractKvp(" alert={ agent={ hostname=esbqa01, dns=none}}" , "alert.agent.dns") would return a string "none".

or

ExtractKvp("(abc^def|asd^aaa)" , "asd", "()", "|", "^") would return "aaa".

String functions . The smart list functions are usually used in filter expressions and data model.
Function Name Arguments Returns
lookup (String 1, String 2) The value associated with String2 in the smart list named String1.

Example: lookup("list1", "key1") or $list1("key1")

length (expression) Returns the length of the string value of the evaluated expression. For example, if an expression is an integer, it is converted to a string first.

Example: length("abc") is 3, length(3145) is 4 (after converting the integer 3145 to the string "3145")

Transform​String (stringToTransform, regularExpression, template) or (stringToTransform, regularExpression, template, defaultValue) It tries to match the stringToTransform with the regular expression, and then returns the template with references to groups in the regular expression substituted with the actual values. To refer to groups, use $1, $2, so on, to refer to numbered groups, and $<name> to refer to named groups. If the string doesn't match, or is there any other error, the default value is returned (or NULL if not specified).

Example: TransformString("myName=loglogic" , "myName=(\\S*)", "the name is $1")

returns: "the name is loglogic".

lower (String) (String) Lower case of string 1.
upper (String) Upper case of string 1.
trim (String) Trimmed string 1 (without leading and trailing spaces).
substitute (String 1, String 2, String 3) Substitute string 2 by string 3 in string 1.
left (String, Int) <int> left characters of string 1.
right (String, Int) <int> right characters of string 1.
  • mid
  • substr
  • substring
(String, Int 1, Int 2) Characters from string1 starting at offset <int1> for a length of <int2>.
  • find
  • position
(String 1, String 2) Index of the first occurrence of string2 within string1, -1 if no occurrence is found.
concatenate (String 1, String 2, …) Concatenation of all strings passed as arguments.
Conditional functions
Function Name Arguments Returns
IIF Condition, then, else Returns the 'Then' value if condition is true, otherwise it should return the 'Else' value.

Example: IIF(true, “a”, “b”) returns “a” IIF(false, ”a”,”b”) returns “b”

Time functions
Function Name Arguments Returns
Seconds Timestamp Truncated the specified timestamp parameter to the second.
Minutes Timestamp Truncated the specified timestamp parameter to the minute.
Hours Timestamp Truncated the specified timestamp parameter to the hour.
Days Timestamp Truncated the specified timestamp parameter to the day.
Weeks Timestamp Truncated the specified timestamp parameter to the week
Months Timestamp Truncated the specified timestamp parameter to the month.
Years Timestamp Truncated the specified timestamp parameter to the year.