Skip to main content
Version: 3.0

NQL CheatSheet

Commands

Time & Streams

Command nameSyntaxDescriptionExample
source (src)src stream={string} [startTime={timespan} endTime={timespan}]Generates a collection of objects from the given source.src stream="alerts"
dstdst {collectorName}Saves the result to a new collector with the given name.src stream="alerts" | limit 1000 | dst "collector1"
collector (coll)coll {id} [bunchSize={liczba}]Feeds the NQL with objects from a collector with the given ID.src stream="alerts" | set fullName=concat("alertName", " ", "alertSeverity") | limit 1000 | dst "collector1"
recordsrecords {tuple0} [, ... {tupleN}]Generates a collection of objects to be passed to the output.records {"fName":"Jake","dep":"IT"},{"fName":"Jack","dep":"ADM"},{"fName":"Harry","dep":"ADM"},{"fName":"Jacob","dep":"IT"}

Common commands

Command nameSyntaxDescriptionExample
sortsort {field1} [asc/desc],… {fieldN} [asc/desc]] [limit={number}][outLimit={number}]Sorts the collection of objects based on the value of a field. The sorting is performed for a maximum number of records specified in the limit parameter.src stream="netflow" | sort timestamp desc
projectproject +{fieldName} as alias / -{fieldName},...Selects the fields of an object that will be passed to the output and/or changes the field names.src stream="netflow" | project +clientIp, +serverIp
limitlimit [{offset},] {limit}Truncates the output collection to a specified number of objects. Returns the first {limit} starting from position {offset}.src stream="netflow" | limit 1
tailtail {limit}Returns the last n objects from the input collection.src stream="netflow" | sort timestamp desc | tail 2
set/addset {field}={expression}[, … {fieldN}={expression}]
/ add fieldName={expression}[, … fieldNameN={expression}]
Adds or creates a new field in all records. The set command updates the value of an existing field if a field with the given name already exists, while the add command always adds a new field.src stream="netflow" | set streamNameWithClientIp = concat(_stream,"-",clientIp) | project +_stream, +clientIp, +streamNameWithClientIp
top/raretop {field} [by {field_name}, [{field_name1},…]][limit={number}] [others=true/false][maxBuckets={number}]
/ rare {field} [by {field_name, [field_name1, ….]}][limit={number}] [others=true/false][maxBuckets={number}]
Returns the {limit} most frequent top/rare values of the expression.src stream="netflow" | top clientIp limit=2
forkfork ({subPipe1}), ({subPipe2}) [, ... ({subPipeN})]Takes objects from the input collection and sends them to a parallel pipeline.src stream="netflow" | fork (aggr clientIpCount = count(clientIpCount)), (aggr maxTimeStamp = max(timestamp))
subpipesubpipe ({subPipe})Defines a sub-pipeline that will be executed on each object of the input collection.src stream="netflow" | subpipe (src stream="netflow" | aggr clientIpCount = count(clientIpCount) | dst "collector2")
wherewhere {logical_filter}An FA command that filters input objects with the specified logical filter.src stream="netflow" | where clientIp="172.16.10.11" or serverIp="172.16.10.11"
sleepsleep {delay}The command is used to delay the execution of the next command in the pipeline.src stream="netflow" | sort clientIp desc | sleep 10 | sort clientIp
unwindunwind {field} [includeEmpty=true/false]The command unwinds the collection values for the {field} field. A new object is created for each value. The record remains unchanged if the {field} is not a collection.src stream="netflow" | unwind exporterIps
fieldsfields [maxFields={number}][maxTuples={number} ] [topCount={number} ][maxDistinctValuesPerField={number} ]The command is used to display information about fields. It counts fields, unique values and collects the most common values.src stream="netflow" | fields maxFields=10

Agregations

Command nameSyntaxDescriptionExample
aggraggr {field}={aggregation_function}(...) [,{fieldN}={aggregation_functionN},...]by {grouping_field}[, {grouping_field}, ...]] [unwind=true/false][maxBuckets={number}]Aggregates data using an aggregation function, producing a single result for a collection of objects or its subset. Multiple aggregation functions can be used with the aggr command on several fields, but regular functions cannot be combined.src stream="netflow" | aggr maxTimeStamp = max(timestamp) by clientIp unwind=true
rangeAggrrangeAggr {field}={aggregation_function}({field}) [on {field}]by {field}[, {field}]] ranges="1-5,5-10" [bucketAlias={string}][unwind=true/false]Aggregates data for specified subsets defined by a range of values.src stream="netflow" | rangeAggr valuesCount=count(clientBytes), maxBalance=max(clientBytes) on clientBytes by clientIp ranges="0-5000,8000-10000"
splitAggrsplitAggr {field}={aggregation_function}({streamField}) [, ... {fieldN}={aggregation_functionN}({streamFieldN})] ({subAggr1}), ({subAggr2}), [, ... ({subAggrN})][unwind=true/false]Performs multiple aggregations, where each subsequent one is performed in the context of the previous one.src stream="netflow" | splitAggr sumBytes0=sum(clientBytes) (aggr by clientIp unwind=true),(aggr by serverIp unwind=true))
timeAggrtimeAggr {field}={aggregation_function}({field}) [on {field}]by {field}[, {field}]] [interval={timespan}][dir={dir}] [maxBuckets={number}][bucketAlias={string}] [unwind=true/false]An operator that aggregates data using an aggregate(accumulator) function.
Returns results for specific subsets of data defined as time periods.
It is primarily used to create graphs where one of the axes corresponds to time.
src stream="netflow" | timeAggr avgClientBytes=avg(clientBytes), cntClientBytes=count(clientBytes) on timestamp interval="1d" | set dateTime=tsToStr(_bucket) | sort _bucket

Functions

Dates and times functions

Function nameDescriptionExample
now() : longCreates a timestamp in GMT+00 time zone from the time of the callrecords {"n":"0"} | set funResult = now() | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
timestamp(int yy, int mm, int dd, int hh24, int mi, int sec [, offset={int}]) : longCalculates the timestamp for the given values of year, month, day, hour, minute and second.records {"n":"0"} | set funResult = timestamp(1995,10,13,12,15,20) | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
addMonths(long ts, int n) : longAdds n months to the ts timestamp.records {"n":"0"} | set funResult = addMonths(now(),1) | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
addYears(long ts, int n) : longAdds n years to the ts timestamp.records {"n":"0"} | set funResult = addYears(now(),1) | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
addDays(long ts, int n) : longAdds n days to the ts timestamp.records {"n":"0"} | set funResult = addDays(now(),1) | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
addHours(long ts, int n) : longAdds n hours to the ts timestamp.records {"n":"0"} | set funResult = addHours(now(),1) | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
addMinutes(long arg1, int arg2) : longAdds n minutes to the ts timestamp.records {"n":"0"} | set funResult = addMinutes(now(),1) | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
addSeconds(long arg1, int arg2) : longAdds n seconds to the ts timestamp.records {"n":"0"} | set funResult = addSeconds(now(),1) | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
addMillis(long arg1, int arg2) : longAdds n milliseconds to the ts timestamp.records {"n":"0"} | set funResult = addMillis(now(),1000) | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
getYear(long arg1) : intReturns the year from the given ts timestamp.records {"n":"0"} | set funResult = getYear(now()) | project +funResult | limit 1
getMonth(long arg1) : intReturns the month from the given ts timestamp.records {"n":"0"} | set funResult = getMonth(now()) | project +funResult | limit 1
getDay(long arg1) : intReturns the number of the day of the month from the given ts timestamp.records {"n":"0"} | set funResult = getDay(now()) | project +funResult | limit 1
getDayOfWeek(long timestamp) : intReturns the number of the day of the week from the given ts timestamp.records {"n":"0"} | set funResult = getDayOfWeek(now()) | project +funResult | limit 1
getHour(long timestamp) : intReturns the hour from the given ts timestamp.records {"n":"0"} | set funResult = getHour(now()) | project +funResult | limit 1
getMinute(long timestamp) : intReturns the minute from the given ts timestamp.records {"n":"0"} | set funResult = getMinute(now()) | project +funResult | limit 1
getSecond(long timestamp) : intReturns the second from the given ts timestamp.records {"n":"0"} | set funResult = getSecond(now()) | project +funResult | limit 1
tsToStr(long arg [, format={string}][, zone={string}]) : stringReturns the ts timestamp as a formatted date.records {"n":"0"} | set funResult = now() | set funResultStr=tsToStr(funResult) | project +funResultStr | limit 1
tsParse(string arg [, format={string}][, zone={string}]) : longFor the given arg (formatted date and time), returns the timestamp value.records {"n":"0"} | set funResult = tsParse("2021-06-09 15:12:10", format="yyyy-MM-dd HH:mm:ss" zone="Poland") | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1
tsOffset(long ts, int n) : longReturns the ts timestamp offset by n.records {"n":"0"} | set funResult = tsOffset(now(),10) | set funResultStr=tsToStr(funResult) | project +funResult, +funResultStr | limit 1

Mathematical functions

Function nameDescriptionExample
sum(number n1, number n2 [,nN][, type={string}]: numberReturns the result of the sum: n1, n2 + ... + nNrecords {"n":"0"} | set funResult = sum(1,2,3,4) | project +funResult | limit 1
add(number n1, number n2 [, type={string}]): numberReturns the result of the sum: n1 + n2records {"n":"0"} | set funResult = add(1,2) | project +funResult | limit 1
sub(number n1, number n2 [, type={string}]): numberReturns the result of the subtraction: n1 - n2records {"n":"0"} | set funResult = sub(1,2) | project +funResult | limit 1
mul(number n1, number n2 [, type={string}]): numberReturns the result of the multiplication: n1 * n2records {"n":"0"} | set funResult = mul(1,2) | project +funResult | limit 1
div(number n1, number n2) : doubleReturns the result of the division: n1 / n2records {"n":"0"} | set funResult = div(1,2) | project +funResult | limit 1
floorDiv(number n1, number n2): longReturns the result of the division: n1 / n2 without remainders.records {"n":"0"} | set funResult = floorDiv(1,2) | project +funResult | limit 1
mod(number n1, number n2): longReturns the result of the remainder of the division: n1 / n2.records {"n":"0"} | set funResult = mod(1,2) | project +funResult | limit 1
abs(number n) : numberReturns the base value of n.records {"n":"0"} | set funResult = abs(-2) | project +funResult | limit 1
pow(number n1, n2): doubleReturns the result of the multiplication: n1 * n2.records {"n":"0"} | set funResult = pow(2,2) | project +funResult | limit 1
sqrt(number n) : doubleReturns the square root of the number n.records {"n":"0"} | set funResult = sqrt(4) | project +funResult | limit 1
sqr(number n) : doubleReturns the square of the number n.records {"n":"0"} | set funResult = sqr(4) | project +funResult | limit 1
floor(number n) : longReturns the number n rounded down to the nearest integer.records {"n":"0"} | set funResult = floor(10.23) | project +funResult | limit 1
ceil(number n) : longReturns the number n rounded up to the nearest integer.records {"n":"0"} | set funResult = ceil(10.23) | project +funResult | limit 1
sign(number n) : intReturns -1 for n<0, 0 for n=0 and 1 for n>0.records {"n":"0"} | set funResult = sign(-123) | project +funResult | limit 1
rand() : doubleReturns a random number in the range (0,1).records {"n":"0"} | set funResult = rand() | project +funResult | limit 1
randInt(int from, int to) : intReturns a random integer in the given range (from, to).records {"n":"0"} | set funResult = randInt(10,100) | project +funResult | limit 1
bitAnd(number n1, number n2 [, number nN]): number :Returns the result of the AND bit operation on the argumentsrecords {"n":"0"} | set funResult = bitAnd(255,3) | project +funResult | limit 1
bitOr(number n1, number n2 [, number nN]): number :Returns the result of the OR bit operation on the argumentsrecords {"n":"0"} | set funResult = bitOr(1,2) | project +funResult | limit 1

Conditional functions

Function nameDescriptionExample
if(string condition : object result1, object result2)If condition is true, it returns result1, otherwise returns result2.records {"fName":"Jake","dep":"IT"},{"fName":"Jack","dep":"ADM"},{"fName":"Harry","dep":"ADM"} | set funResult = if( fName="Jake":"This is Jake","This is not Jake") | project +fName, +funResult | limit 10
switch(field_name, "1": object result1, "2": object result2, object default_result)If the value of the field_name is 1, the function returns the result1. If 2, it returns the result2. If none of the given values, the function returns the defaultResult.records {"fName":"Jake","dep":"IT"},{"fName":"Jack","dep":"ADM"},{"fName":"Harry","dep":"ADM"} | set funResult = switch( fName, "Jake":"This is Jake", "Harry":"This is Harry","This is not Jake") | project +fName, +funResult | limit 10

String fuctions

Function nameDescriptionExample
concat(string arg1, string arg2 [,string argN][,delimiter={string} distinct=true/false limit={int}]) : stringReturns the concatenated strings arg1, arg2, ..., argNrecords {"n":"0"} | set funResult = concat("This","-","is","-","Jake") | project +funResult | limit 1
substring(string arg, int n1 [, endId=n2]) : stringCuts the sequence of characters on positions n1 to n2.records {"n":"0"} | set funResult = substring("This is Jake", 5, endId=7) | project +funResult | limit 1
left(string arg, int n) : stringReturns the initial sequence of characters from arg of length n.records {"n":"0"} | set funResult = left("This is Jake", 5) | project +funResult | limit 1
right(string arg, int n) : stringReturns the final sequence of characters from arg of length n.records {"n":"0"} | set funResult = right("This is Jake", 5) | project +funResult | limit 1
lower(string arg) : stringReturns the given arg text in which all uppercase characters are converted to lowercase.records {"n":"0"} | set funResult = lower("This is Jake") | project +funResult | limit 1
upper(string arg) : stringReturns the given arg text in which all lowercase characters are converted to uppercase.records {"n":"0"} | set funResult = upper("This is Jake") | project +funResult | limit 1
replace(string arg, string str1, string str2 [, strat=first/last/all]) : stringReturns the given arg text in which str1 strings are converted to str2records {"n":"0"} | set funResult = replace("This is Jake", "Jake", "Harry") | project +funResult | limit 1
trim(string arg) : stringReturns arg text without "white" characters at the beginning and the end.records {"n":"0"} | set funResult = trim(" This is Jake ") | project +funResult | limit 1
startsWith(string arg1, string arg2) : booleanReturns true if the given arg1 text starts with the string arg2.records {"n":"0"} | set funResult = startsWith("This is Jake" , "This") | project +funResult | limit 1
endsWith(string arg1, string arg2) : booleanReturns true if the given arg1 text ends with the string arg2.records {"n":"0"} | set funResult = endsWith("This is Jake" , "Jake") | project +funResult | limit 1
contains(string arg1, string arg2 [, ignorecase=true/false]) : booleanReturns true if arg1 contains the string arg2.records {"n":"0"} | set funResult = contains("This is Jake" , "is") | project +funResult | limit 1
indexOf(string arg1, char arg2 [, start_index={int}][, ignore_case=true/false]) : intReturns the position on which the arg2 character is in arg1.records {"n":"0"} | set funResult = indexOf("This is Jake" , "is" ) | project +funResult | limit 1
strlen(string arg) : intReturns the length of the string of arg1 characters.records {"n":"0"} | set funResult = strlen("This is Jake") | project +funResult | limit 1
regex(string text, string pattern) : booleanReturns true if the given text contains the regular expression pattern.records {"n":"0"} | set funResult = regex("This is Jake", "^.is.$") | project +funResult | limit 1
like(string text, string pattern) : booleanReturns true if the given text contains a pattern.records {"n":"0"} | set funResult = like("This is Jake", "isJak?") | project +funResult | limit 1

Aggregator (Acumulator) functions

Function nameDescriptionExample
count(field_name)The number of objects found in a group.src stream="netflow" | aggr clientIpCount = count(clientIp) by protocol unwind=true
sum(field_name)The sum of the field_name values in all objects found in a group.src stream="netflow" | aggr clientBytesSum = sum(clientBytes) by protocol unwind=true
avg(field_name)The average of the field_name values in all objects found in a group.src stream="netflow" | aggr clientBytesAvg = avg(clientBytes) by protocol unwind=true
min(field_name)The lowest of the field_name values in all objects found in a group.src stream="netflow" | aggr clientBytesMin = min(clientBytes) by protocol unwind=true
max(field_name)The highest of the field_name values in all objects found in a group.src stream="netflow" | aggr clientBytesMax = max(clientBytes) by protocol unwind=true
first(field_name)The first value of the field_name in all objects found in a group.src stream="netflow" | aggr clientBytesFisrt = first(clientBytes) by protocol unwind=true
last(field_name)The last value of the field_name in all objects found in a group.src stream="netflow" | aggr clientBytesLast = last(clientBytes) by protocol unwind=true
dc(field_name)The number of unique values of the field_name in all objects found in a group.src stream="netflow" | aggr clientBytesDc = dc(clientBytes) by clientIp unwind=true
join(field_name)The blend of values of the field_name values in all objects found in a group.src stream="netflow" | aggr clientIps = join(clientIp) by protocol unwind=true
prc(field_name [, percentile={double}])The percentile/100 order quantile for each unique key defined by the BY clause of the AGGR command group.src stream="netflow" | aggr clientBytesPrc = prc(clientBytes) by clientIp unwind=true
prc95(field_name)The quantile of 95/100 for each unique key defined by the BY clause of the AGGR command group.src stream="netflow" | aggr clientBytesPrc = prc95(clientBytes) by clientIp unwind=true

Note: The aggregation functions cannot be combined with ordinary functions in aggregations. For example, the command src stream ="netflowByCountryAggr" | aggr mintimestamp=tsToStr(min(timestamp)), in which you want to retrieve the minimum (min) value of the timestamp field and immediately convert the result to text form (tsToStr), will not work. Instead, you can use the set command: src stream ="netflowByCountryAggr" | aggr mintimestamp=min(timestamp) | set mintimestampStr=tsToStr(mintimestamp).


Network object functions

Function nameDescriptionExample
isIp(object arg) : booleanReturns true if arg0 is a valid IPv4 or IPv6 address.records {"n":"0"} | set funResult = isIp("172.16.60.143") | project +funResult | limit 1
isIp4(object arg) : booleanReturns true if arg0 is a valid IPv4 address.records {"n":"0"} | set funResult = isIp4("172.16.60.143") | project +funResult | limit 1
isIp6(object arg) : booleanReturns true if arg0 is a valid IPv6 address.records {"n":"0"} | set funResult = isIp6("2001:db8:3333:4444:5555:6666:1.2.3.4") | project +funResult | limit 1
isIpLoopback(object arg) : booleanReturns true if arg0 is a valid "loopback" address.records {"n":"0"} | set funResult = isIpLoopback("172.16.60.143") | project +funResult | limit 1
isIpMulticast(object arg) : booleanReturns true if arg0 is a valid IP multicast address.records {"n":"0"} | set funResult = isIpMulticast("172.16.60.143") | project +funResult | limit 1
isIpPrivate(object arg) : booleanReturns true if arg0 is a valid private address.records {"n":"0"} | set funResult = isIpPrivate("172.16.60.143") | project +funResult | limit 1
toMac(string arg [,type={string}]) : objectBased on the text representation of the MAC address, returns the MAC address type.records {"n":"0"} | set funResult = toMac("00:00:5e:00:53:af") | project +funResult | limit 1
isMac(object arg) : booleanReturns true if arg0 is a valid MAC address.records {"n":"0"} | set funResult = isMac("00:00:5e:00:53:af") | project +funResult | limit 1
ipToStr(object arg [,short=true/false]) : stringReturns a textual representation of the IP address.records {"n":"0"} | set funResultIp = toIp("172.16.60.143") | set funResultIpStr = ipToStr(funResultIp) | project +funResultIp | limit 1
macToStr(object arg) : stringReturns a textual representation of MAC address.records {"n":"0"} | set funResultMac = toMac("00:00:5e:00:53:af") | set funResultMacStr = macToStr(funResultMac) | project +funResultMacStr | limit 1
toSubnet(string arg) : IpSubnetReturns an object of IbSubnet type based on the text representation of arg1.records {"n":"0"} | set funResult = toSubnet("172.16.60.143") | project +funResult | limit 1
isSubnet(object arg) : booleanReturns true if the passed arg1 is a valid representation of the subnet mask for IP version 4 or 6.records {"n":"0"} | set funResult = isSubnet("172.16.60.143") | project +funResult | limit 1
inSubnet(object ip, object subnet) : booleanReturns true if the passed IP address belongs to the indicated subnet mask.records {"n":"0"} | set funResult = inSubnet("172.16.60.143", "172.16.40.0/24") | project +funResult | limit 1
subnetToStr(object arg) : stringReturns a textual representation of the subnet mask.records {"n":"0"} | set funResult = subnetToStr("172.16.40.0/24") | project +funResult | limit 1

Lookup functions

Function nameDescriptionExample
lookup(string lookupName, string outputKey, map<string, object> input[, default={string} unwind={string}]) : objectFunction returns an outputKey field value of the first found object in the lookupName lookup which meets the criteria defined in input.src stream="alerts" | set nameByPort=lookup("names-app", "name", {"port": "80"}) | project +nameByPort | limit 1
lookupAll(string lookupName, string outputKey, map<string, object> input[, noresult={string}, unwind={string}]) : objectFunction returns an outputKey field value of all objects in the lookupName lookup which meet the criteria defined in input.src stream="alerts" | set portsByName=lookupAll("names-app", "port", {"name": "NETBIOS"}) | project +portsByName | limit 1
lookupKeyExists(string lookupName, map<string, object> input) : booleanFunction checks an occurrence of an object in the lookupName lookup which meets the input criteria.src stream="alerts" | set portExists=lookupKeyExists("names-app", {"port": "80"}) | project +portExists | limit 1

Collection functions

Function nameDescriptionExample
in(object arg1, collection arg2) : booleanReturns true if the arg1 object or number is in the arg2 collection.records {"n":"0"} | set funResult = in("John", ["his", "name", "is" ,"John"]) | project +funResult | limit 1
all(object arg0, collection arg1) : booleanReturns true if arg0 (collections or array) is a subset of arg2 (array or list).records {"n":"0"} | set funResult = all(["a", "b"], ["a", "b", "c"]) | project +funResult | limit 1
any(object arg0, collection arg1) : booleanReturns true if arg1 and arg2 (collections or array) have common elements.records {"n":"0"} | set funResult = any(["value1"], ["value2", "value3"]) | project +funResult | limit 1
none(object arg0, collection arg1) : booleanReturns true if arg1 and arg2 (collections or array) have no common elements.records {"n":"0"} | set funResult = none(["value1"], ["value2", "value3"]) | project +funResult | limit 1
len(collection arg0) : numberReturns the number of elements in a collection (array, list, set).records {"n":"0"} | set funResult = len([1, "two", 3.0]) | project +funResult | limit 1
valueAt(collection arg1, int index) : objectReturns the value from the collection at the specified index.records {"n":"0"} | set funResult = valueAt([1, "two", 3.0], 2) | project +funResult | limit 1
hasKey(string key, map map) : booleanReturns true if key exists in the map map.records {"n":"0"} | set funResult = hasKey("a", {"a": 1}) | project +funResult | limit 1
hasValue(string val, map) : booleanReturns true if the val value exists in the map map.records {"n":"0"} | set funResult = hasValue(1, {"a": 1}) | project +funResult | limit 1
get(int arg1, collection arg2) : objectReturns the value of an element in the arg1 collection for a given arg1 index.records {"n":"0"} | set funResult = get(1, [10,20,30]) | project +funResult | limit 1
getValue(string arg1, map arg2) : booleanReturns the value of the element in the arg2 map after the arg1 key.records {"n":"0"} | set funResult = getValue("a", {"a": 1}) | project +funResult | limit 1
anyMatchingNumber(collection arg1, long mask, long arg2) : booleanReturns true if there is at least one x value in the arg1 collection that meets the condition (x & mask) == arg2, where (x & mask) is the result of an AND operation on the bits.records {"n":0} | set funResult = anyMatchingNumber([1,2,3], 1, 1) | project +funResult
noMatchingNumber(collection arg1, long mask, long arg2) : booleanReturns the opposite value (NOT) to the result of anyMatchingNumber(arg1, mask, arg2).records {"n":0} | set funResult = noMatchingNumber([1,2,3], 1, 1) | project +funResult

Collector functions

Function nameDescriptionExample*
valInColl(object value, string collector, string field_name [, maxCacheSize={int}]) : booleanReturns true if the value exists in the collector in the given field_name.records {"n":"0"} | set funResult = valInColl("Medium", "collectorNo1", "alertSeverity")
collExists(string collector) : booleanReturns true if a collector with the given collector exists.records {"n":"0"} | set funResult = collExists("collectorNo1")
valColl(string collector, string output, Map<String, Object> input [,default={string}])The function returns the value from collector according to the set input matching the criteria and the set output field/column.records {"n":"0"} | set funResult = valColl("collectorNo1", "alertName", {"id": "61ed6f62-dc45fb9a-e1c8b7f1"})

*Examples assume existing of a collector "collectorNo1" created by the command: src stream="alerts" | limit 1000 | dst "collectorNo1"


Operators

Logical operatorsExample
AND or andsrc stream="alerts" |where $eq(alertSeverity,"Medium") AND alertFlagThresholdLevel="Crirical"
OR or orsrc stream="alerts" |where eq(alertSeverity,"Medium") OR eq(alertSeverity,"Hight")
NOT or notsrc stream="alerts" | where not alertSeverity="Medium"
Comparison operators or functionDescriptionExample
= or eq(Equal) Checks if two values are equal. Returns true if they are and false otherwise.src stream="alerts" |where eq(alertSeverity,"Medium")
!= or neq(Not Equal) Checks if two values are not equal. Returns true if they are not equal and false otherwise.src stream="alerts" | where alertSeverity != "Medium"
> or gt(Greater Than) Checks if the first value is greater than the second value. Returns true if it is and false otherwise.src stream="alerts" | where _avgClientBitsPerSecond > 9000
>= or gte(Greater Than or Equal To) Checks if the first value is greater than or equal to the second value. Returns true if it is and false otherwise.src stream="alerts" |where gte(_avgClientBitsPerSecond,1000)
< or lt(Less Than) Checks if the first value is lower than the second value. Returns true if it is and false otherwise.src stream="alerts" | where _avgClientBitsPerSecond < 1000
>= or lte(Less Than or Equal To) Checks if the first value is lower than or equal to the second value. Returns true if it is and false otherwise.src stream="alerts" | where _avgClientBitsPerSecond >= 1000
contains(arg1,arg2)Returns true if arg1 contains the string arg2.src stream="alerts" |where contains(alertFlagThresholdLevel, "Critic")
not_contains(arg1,arg2)Returns true if arg1 does not contain the string arg2.rc stream="alerts" |where not_contains(alertName, "Test")
startsWith(arg1,arg2)Returns true if arg1 starts with the arg2 string.src stream="alerts" |where startsWith(alertRuleType, "Vis")
endsWith(arg1,arg2)Returns true if arg1 ends with the arg2 string.src stream="alerts" |where endsWith(alertRuleType, "ity")
isEmpty(arg1)Returns true if arg1 is empty.src stream="alerts" |where isEmpty(alertRuleType)
isNotEmpty(arg1)Returns true if arg1 is not empty.src stream="alerts" |where $isNotEmpty(alertRuleType)
in(arg1,arg2)Returns true if arg1 is in the arg2 collection.src stream="alerts" | where $in(alertFlagThresholdLevel, ["Crirical", "Minor"])
notIn(arg1,arg2)Returns true if arg1 is not in the arg2 collection.src stream="alerts" |where notIn(alertFlagThresholdLevel, ["Crirical", "Minor"])
~= or like(arg1,arg2)Returns true if arg1 matches the arg2 pattern.src stream="alerts" | where alertFlagThresholdLevel~="Critic*"
=/regexp/ or regex(arg1,arg2)Returns true if arg1 contains the arg2 regular expression pattern.src stream="alerts" | where alertFlagThresholdLevel=/Critic.*/