Informational Functions
This list includes functions designed to obtain information about a value.
isbool(<value>)
This function returns TRUE if the given value is Boolean.
Usage
isbool can be used with eval and where commands to check if a field's value is a Boolean (true or false). This comes in handy for conditional checks and for filtering records that contain a Boolean value in the specified field.
Example
- To add a field named isBoolean indicating whether the isActive field is a Boolean:
... | eval isBoolean=if(isbool(isActive), "true", "false")
- To filter records where the isActive field is a Boolean:
... | where isbool(isActive)
Use-Case Example
Problem: In a dataset containing user activity logs, the isActive field is supposed to be Boolean but is sometimes entered as a string or number, leading to inaccurate filtering and analysis.
Solution: Use the isbool function to identify and filter records where isActive is correctly a Boolean. This ensures that only records with valid Boolean values are considered in subsequent analysis or processing steps.
Implementation:
... | where isbool(isActive) | stats count by isActive
Explanation:
- The where command filters records to include only those where isActive is a Boolean value, using the isbool function directly for filtering.
- The stats command then counts the number of records grouped by the isActive Boolean status, providing a count of active vs. inactive users based on accurate Boolean data.
isnum(<value>)
This function returns TRUE if the given value is numeric.
Usage
isnum can be used with eval and where commands to check if a field's value is numeric. This comes in handy for conditional checks and for filtering records that have any numeric value in a field.
Example
- To add a field named isNumeric indicating whether the latency field is numeric:
... | eval isNumeric=if(isnum(latency), "true", "false")
- To filter records where the latency field is numeric:
... | where isnum(latency)
Use-Case Example
Problem: In a dataset containing network traffic logs, the latency field is expected to be numeric. However, due to data entry errors, some records have latency recorded as strings or other non-numeric formats, causing issues in calculations and analysis.
Solution: Use the isnum function to identify and filter records where latency is correctly numeric. This ensures that calculations and analysis are performed only on records with valid numeric latency values.
Implementation:
... | where isnum(latency) | stats avg(latency) as AverageLatency
Explanation:
- The where command filters records to include only those where latency is numeric, using the isnum function directly for filtering.
- The stats command calculates the average latency from the filtered records, providing insights into network performance based on accurate numeric data.
isint(<value>)
This function returns TRUE if the given value is an integer.
Usage
isint can be used with eval and where commands to check if a field's value is an integer. This comes in handy for conditional checks and for filtering records that have an integer value in the specified field.
Example
- To classify userAge field values as integer or not:
... | eval isUserAgeInteger=if(isint(userAge), "true", "false")
- To keep only the records where userAge is an integer:
... | where isint(userAge)
Use-Case Example
Problem: A user database contains the userAge field, which should only have integer values. However, some entries have been mistakenly filled with non-integer values, such as strings or floats, causing issues in age-based segmentation.
Solution: Use the isint function to filter out records where userAge is not an integer. This ensures that age-based segmentation and analysis are performed only on records with valid integer age values.
Implementation:
... | where isint(userAge) | stats count by userAge
Explanation:
- The where command filters records to include only those where userAge is an integer, using the isint function for accurate filtering.
- The stats command then counts the number of users for each age, providing a clear distribution of user ages based on valid integer data.
isnull(<value>)
This function returns TRUE if the given value is NULL.
Usage
isnull can be used with eval and where commands to check if a field's value is NULL. This is particularly useful in conditional expressions and for filtering records based on the presence of NULL values.
Example
- To mark records with a NULL transactionAmount as "Not Available":
... | eval transactionStatus=if(isnull(transactionAmount), "Not Available", "Available")
- To exclude records where transactionAmount is NULL:
... | where isnull(transactionAmount) = FALSE
Use-Case Example
Problem: A dataset includes an email field. Some records are incomplete and do not have an email address, resulting in NULL values. You need to check whether the email field is NULL and output a message indicating the result.
Solution: Use the validate function with isnull to check for NULL values in the email field and return a message accordingly.
Implementation:
... | eval email_check = validate(isnull(email), "ERROR: Email is null", "Email is valid")
Explanation:
- The validate function checks if the email field is NULL.
- If the email field is NULL, it returns the message "ERROR: Email is null". If the email field is not NULL, it returns the message "Email is valid".
isnotnull(<value>)
This function returns TRUE if the given value is not NULL.
Usage
isnotnull can be used with eval and where commands to check if a field's value is not NULL. This is particularly useful in conditional expressions and for filtering records based on the absence of NULL values.
Example
- To mark records with a non-NULL customerFeedback as "Received":
... | eval feedbackStatus=if(isnotnull(customerFeedback), "Received", "Awaiting")
- To select records where customerFeedback is not NULL:
... | where isnotnull(customerFeedback)
Use-Case Example
Problem: In a dataset of server health logs, some entries may lack critical performance metrics like cpuUsage due to collection errors or misconfigurations.
Solution: Use the validate function to check for the presence of cpuUsage and categorize records for immediate anomaly detection.
Implementation:
... | eval healthStatus=validate(isnotnull(cpuUsage), "Normal", "Alert: CPU Usage Missing")
Explanation:
- This command uses validate to check if cpuUsage is not NULL. If cpuUsage is present, the record is marked as "Normal". Otherwise, it is flagged with "Alert: CPU Usage Missing".
- This approach ensures that entries missing cpuUsage are immediately flagged for anomaly detection.
typeof(<value>)
This function returns the data type of the given value, which can be a literal value or more commonly, a field name in your dataset.
Usage
typeof is versatile and can be used with eval and where commands. It is particularly useful for understanding the data type of fields in your dataset, which can inform data processing and manipulation strategies.
Possible Outputs
- String: Indicates the value is a string.
- Number: Indicates the value is a numeric type.
- Boolean: Indicates the value is a Boolean (TRUE or FALSE).
- NULL: Indicates the field is not present or its value is NULL.
Example
- To determine the data type of a field named latency:
... | eval fieldType=typeof(latency)
Use-Case Example
Problem: A dataset includes a response_time field. Sometimes, due to logging errors, the response_time field in server logs is recorded as a String instead of a Number. This causes issues in calculations and reporting, as the field should consistently be numerical for accurate analysis.
Solution: Use the typeof function to identify and correct entries where response_time is misclassified as a String, ensuring all data in this field is treated as numeric.
Implementation:
... | eval response_time=if(typeof(response_time)="String", tonumber(response_time), response_time)
Explanation:
- This implementation uses the typeof function to identify entries where response_time is misclassified as a String. The if function checks the type: if it is a String, tonumber(response_time) converts it to a Number; otherwise the field is left unchanged. This ensures that all data in the response_time field is numeric. By standardizing the data type, this approach prevents errors in downstream processing and reporting.