Functions
<function> ::= <function_name> ( <argument_list> )
<argument_list> ::= <field_expr> [ , <field_expr> ... ] | <empty>
Log Parser functions take zero or more field-expressions as arguments, process the arguments, and return a single value.
Remarks:
- Generally, functions that take no arguments and functions whose arguments are constant values are executed and replaced with the return value before the query is processed.
As an example, the following query uses a function with no arguments and a function with constant arguments:
SELECT COMPUTER_NAME(), SUM(4, 5), TimeGenerated FROM System
Before being processed, the query is modified as follows:
SELECT 'MYSERVER0', 9, TimeGenerated FROM System
The only zero-argument functions that are not replaced with their return value before the query is processed are:
Functions:
Arithmetical: ADD, BIT_AND, BIT_NOT, BIT_OR, BIT_SHL, BIT_SHR, BIT_XOR, DIV, EXP, EXP10, FLOOR, LOG, LOG10, MOD, MUL, QNTFLOOR_TO_DIGIT, QNTROUND_TO_DIGIT, QUANTIZE, ROUND, SQR, SQRROOT, SUB
Conversion: HEX_TO_INT, INT_TO_IPV4, IPV4_TO_INT, TO_DATE, TO_HEX, TO_INT, TO_LOCALTIME, TO_REAL, TO_STRING, TO_TIME, TO_TIMESTAMP, TO_UTCTIME
String Manipulation: EXTRACT_EXTENSION, EXTRACT_FILENAME, EXTRACT_PATH, EXTRACT_PREFIX, EXTRACT_SUFFIX, EXTRACT_TOKEN, EXTRACT_VALUE, HEX_TO_ASC, HEX_TO_HEX16, HEX_TO_HEX32, HEX_TO_HEX8, HEX_TO_PRINT, INDEX_OF, LAST_INDEX_OF, LTRIM, REPLACE_CHR, REPLACE_STR, ROT13, RTRIM, STRCAT, STRCNT, STRLEN, STRREPEAT, STRREV, SUBSTR, TO_LOWERCASE, TO_UPPERCASE, TRIM, URLESCAPE, URLUNESCAPE
System Information: COMPUTER_NAME, RESOLVE_SID, REVERSEDNS, SYSTEM_DATE, SYSTEM_TIME, SYSTEM_TIMESTAMP, SYSTEM_UTCOFFSET
Miscellaneous: CASE, COALESCE, HASHMD5_FILE, HASHSEQ, IN_ROW_NUMBER, OUT_ROW_NUMBER, REPLACE_IF_NOT_NULL, SEQUENCE, WIN32_ERROR_DESCRIPTION
Note: The REPLACE_IF_NULL function has been deprecated in favor of the COALESCE function.
See also:
Aggregate Functions
Constant Values
Field Expressions