Predefined ECL Functions

Functions are used to compute a value as output from parameters as input. Some functions are predefined in the language. It is also possible to call a static Java function provided by the user. The predefined functions that are available in ECL are listed in the following tables.
String functions

| Function Name | Arguments | Returns |
|---|---|---|
| len, char_length, character_length, length | (String) | Length of the string. |
| lower | (String) | Lower case of the string. |
| upper | (String) | Upper case of the string. |
| trim | (String) | Trimmed string (without leading and trailing spaces). |
| substitute | (String 1, String 2, String 3) | String 1 with string 2 substituted by string 3. |
| left | (String, Int) | The leftmost <int> characters of the string. |
| right | (String, Int) | The rightmost <int> characters of the string. |
| mid, substr, substring | (String, Int 1, Int 2) | Characters from the string starting at offset <int1> for a length of <int2>. |
| find, position | (String 1, String 2) | Index of the first occurrence of string 2 within string 1, or -1 if no occurrence is found. |
| concatenate | (String 1, String 2, …) | Concatenation of all strings passed as arguments. |
| TransformString | (stringToTransform, regularExpression, template) or (stringToTransform, regularExpression, template, defaultValue) | Tries to match stringToTransform against the regular expression and returns the template with its group references substituted by the matched values. Use $1, $2, etc. to refer to numbered groups and $<name> to refer to named groups. If the string does not match, or any other error occurs, the default value is returned (or NULL if none is specified). |
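To make the TransformString semantics concrete, here is an added Python model of the behaviour the table describes; it is not LogLogic's implementation. It assumes a find-anywhere match, Java-style `(?<name>...)` named groups in the pattern, and the function name `transform_string` is my own.

```python
import re


def transform_string(string_to_transform, regular_expression, template, default_value=None):
    """Model of ECL TransformString (added example, not LogLogic code).

    $1, $2 ... refer to numbered groups and $<name> to named groups. If the
    string does not match, or any other error occurs (bad pattern, reference
    to a group that does not exist), default_value is returned (None if omitted).
    """
    try:
        # Assumption: Java-style named groups "(?<name>...)" are accepted; translate
        # them to Python's "(?P<name>...)". Lookbehinds "(?<=" / "(?<!" are untouched
        # because "=" and "!" are not word characters.
        pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regular_expression)
        match = re.search(pattern, string_to_transform)  # assumption: match anywhere
        if match is None:
            return default_value
        # Translate ECL group references into the syntax Match.expand() understands:
        # "$<name>" -> "\g<name>", "$1" -> "\1"
        py_template = re.sub(r"\$<(\w+)>", r"\\g<\1>", template)
        py_template = re.sub(r"\$(\d+)", r"\\\1", py_template)
        return match.expand(py_template)
    except (re.error, IndexError):
        return default_value


if __name__ == "__main__":
    # Constructed sample event text, not a real log line
    print(transform_string("user=alice src=10.0.0.5", r"user=(\w+) src=([\d.]+)",
                           "login by $1 from $2"))
```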
List functions

| Function Name | Arguments | Returns |
|---|---|---|
| size | (List) | Size of the list. |
Conditional functions

| Function Name | Arguments | Returns |
|---|---|---|
| IIF | (Condition, then, else) | The 'then' value if the condition is true, otherwise the 'else' value. For example, IIF(true, "a", "b") returns "a" and IIF(false, "a", "b") returns "b". |

Smart List functions

| Function Name | Arguments | Returns |
|---|---|---|
| lookup | (String 1, String 2) | The value associated with string 2 in the smart list named string 1. |
| isInList | (String 1, String 2) | True if the value string 2 is defined in the smart list named string 1. |
Conversion functions

| Function Name | Arguments | Returns |
|---|---|---|
| ToTimestamp | (expression, formatString) or (expression, formatString, timezone) or (expression, formatString, timezone, defaultValue) | The expression, which should evaluate to a string, is interpreted as a time according to the supplied formatString. If the conversion fails, null is returned, unless a default string is provided, which is interpreted as a time and returned. Note: If timezone is omitted or empty, the system default time zone is used. |
| ToIP | (expression) or (expression, defaultValue) | Converts the expression to an IP address (Java InetAddress). If the conversion fails, null is returned, unless a default string is provided, which is interpreted as an IP address and returned. |
| ToTimestampString | (expression, formatString) or (expression, formatString, timezone) or (expression, formatString, timezone, defaultValue) | Same as ToTimestamp, except the conversion runs in the opposite direction to produce a printable timestamp. Note: If timezone is omitted or empty, the system default time zone is used. |
| ToInt | (expression) or (expression, defaultValue) | Conversion to integer; the default value is returned if the expression is not convertible. |
| ToLong | (expression) or (expression, defaultValue) | Conversion to Long; the default value is returned if the expression is not convertible. |
| ToString | (expression) or (expression, defaultValue) | Conversion to String; the default value is returned if the expression is not convertible. Note: Using the ToString() function in a correlation Blok might result in an inconsistent time format. Therefore, use the ToTimestamp() function instead. |
| ToFloat | (expression) or (expression, defaultValue) | Conversion to Float; the default value is returned if the expression is not convertible. Note: LogLogic uses double precision (that is, 64 bits) when storing floating point numbers. |
| ToBool | (expression) or (expression, defaultValue) | Conversion to Boolean; the default value is returned if the expression is not convertible. |
| ToDouble | (expression) or (expression, defaultValue) | Conversion to Double; the default value is returned if the expression is not convertible. |
| ExtractJson | (expression, extraction path) or (expression, extraction path, default value) | The expression, which is a JSON string, is parsed and a field is extracted from it using the extraction path. If either the expression or the path is invalid, the optional default value is returned. |
| ExtractKvp | (expression, extraction path) or (expression, extraction path, nested KVP delimiters [default "{}"]) or (expression, extraction path, nested KVP delimiters, delimiter [default ","]) or (expression, extraction path, nested KVP delimiters, delimiter, separator [default "="]) or (expression, extraction path, nested KVP delimiters, delimiter, separator, escape character [default "\\"]) or (expression, extraction path, nested KVP delimiters, delimiter, separator, escape character, default value) | The expression, which is a nested KVP string, is parsed and a field is extracted from it using the extraction path. If either the expression or the path is invalid, the optional default value is returned. |
Miscellaneous functions

| Function Name | Arguments | Returns |
|---|---|---|
| matchcidr | (IP_string_format, IP_address_to_Match, key) | Those IP addresses from the IP_address_to_Match parameter that belong to the IP addresses specified in the IP_string_format list. |

You can use the function within SQL, EQL, and ECL queries, and in turn in other functionality that makes use of these queries.

In the IP_string_format parameter, you can specify a CIDR address, a single IPv4 or IPv6 address, a comma-separated list of CIDR IP addresses or a range, a hyphen-separated range of IP addresses, or an enrichment list.

In the IP_address_to_Match parameter, specify the name of the log column whose values are to be matched against the IP_string_format parameter. The data type of the column must be INET_ADDR.

The key parameter specifies a key name in the enrichment list. The key parameter is mandatory when using this function in correlation bloks: you must provide either a key name or an empty string ("").
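The following added Python model (not LogLogic's implementation) shows how the IP_string_format forms listed above can be parsed and applied to a column of addresses, including the mixed IPv4/IPv6 case. The enrichment-list form and the key parameter are not modelled, and the function names are my own.

```python
import ipaddress


def parse_ip_string_format(ip_string_format):
    """Parse an IP_string_format value into (low, high) address bounds.

    Accepted forms (per the function description): a CIDR block, a single IPv4
    or IPv6 address, a hyphen-separated range, or a comma-separated list of
    those. Enrichment lists are not handled by this model.
    """
    bounds = []
    for item in ip_string_format.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:  # hyphen-separated range, e.g. 172.16.0.1-172.16.0.20
            low, high = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if low.version != high.version or low > high:
                raise ValueError(f"invalid IP range: {item!r}")
            bounds.append((low, high))
        else:
            # strict=False tolerates host bits; a bare address becomes a /32 or /128
            net = ipaddress.ip_network(item, strict=False)
            bounds.append((net.network_address, net.broadcast_address))
    return bounds


def address_matches(bounds, address):
    """True if the address lies inside any parsed entry of the same IP version."""
    addr = ipaddress.ip_address(address)
    return any(low.version == addr.version and low <= addr <= high
               for low, high in bounds)


def matchcidr(ip_string_format, addresses):
    """Return the values of an IP_address_to_Match column that belong to the
    IP_string_format specification, in input order."""
    bounds = parse_ip_string_format(ip_string_format)
    return [a for a in addresses if address_matches(bounds, a)]


# Constructed sample values, not taken from any real log
SAMPLE_SPEC = "10.0.0.0/24, 192.168.1.10, 2001:db8::/32, 172.16.0.1-172.16.0.20"
SAMPLE_COLUMN = ["10.0.0.77", "10.0.1.1", "192.168.1.10", "2001:db8:1::5",
                 "172.16.0.15", "172.16.0.21", "::1"]

if __name__ == "__main__":
    print(matchcidr(SAMPLE_SPEC, SAMPLE_COLUMN))
```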

Having Clause

The Having clause adds additional constraints on the events that have passed the filter and are grouped by the rule.

At (Least | Most) <integer>
Distinct <expression>
As <identifier>
Limit <integer>
Count Of <expression> Being <expression> (Greater | Less) Than <integer>
Percentage Of <expression> Being <expression> (Greater | Less) Than <integer> %
<condition>
Note: The Having clause expression must contain at least one aggregation function.

The supported parameters are:

| Parameter | Description |
|---|---|
| Count Of | Counts the number of times the two expressions are equal and checks whether this count is greater or less than a boundary. |
| Percentage Of | Counts the number of times the two expressions are equal, divides this count by the number of events in the group, and checks whether the ratio is less or greater than a value expressed as a percentage. |

The Having clause can also be an expression using aggregation functions and resolving to a Boolean.