An example article for functions.
Formats a given timestamp as a string according to a formatting pattern.
Timestamps that follow the ISO 8601 standard can be parsed and converted to the timestamp data type.
The function uses the Java DateTimeFormatter and supports its formatting patterns and symbols.
formatTimestamp(<timestamp> [, interval: <interval>] [, format: <format>])
| Parameter | Type | Description | Required |
|---|---|---|---|
| timestamp | timestamp | The timestamp to be formatted. | required |
| interval | duration | The granularity of the formatted timestamp. The default is: 1 ns. | optional |
| format | string | The formatting pattern. The default is: YYYY-MM-dd... | optional |
The function returns the timestamp formatted according to the formatting pattern format. The data type of the returned value is string.
data record(timestamp = toTimestamp("2019-08-01T09:30:00.000-0400"))
| fieldsAdd formatted = formatTimestamp(timestamp, format:"MM-dd-YYYY"),
    year = formatTimestamp(timestamp, format:"Y"),
    month = formatTimestamp(timestamp, format:"M"),
    week = formatTimestamp(timestamp, format:"w"),
    dayofWeek = formatTimestamp(timestamp, format:"E"),
    hour = formatTimestamp(timestamp, format:"H")
Query result:
| timestamp | formatted | year | month | week | dayofWeek | hour |
|---|---|---|---|---|---|---|
| 2019-08-01T13:30:00.000Z | 08-01-2019 | 2019 | 8 | 31 | Thu | 13 |
Searches records for a specific value in a given attribute.
matchesValue(<expression>, <value> [, caseSensitive: <caseSensitive>])
| Parameter | Type | Description | Required |
|---|---|---|---|
| expression | string, array | The expression (string or array of strings) that should be checked. | required |
| value | string | The value to search for using patterns. | required |
| caseSensitive | boolean | Whether the match is case-sensitive. | optional |
The function returns true if the search pattern value is found in the string expression, or otherwise false. The data type of the returned value is boolean.
Values are matched case-insensitively by default:
data record(content = "User 'käärmanü' failed to login from 192.168.0.1")
| fieldsAdd matchesValue(content, "User*"),
    matchesValue(content, "user*"),
    matchesValue(content, "user*", caseSensitive: true)
Query result:
| content | matchesValue(content, "User*") | matchesValue(content, "user*") | matchesValue(content, "user*", caseSensitive:TRUE) |
|---|---|---|---|
| User 'käärmanü' failed to login from 192.168.0.1 | true | true | false |
Values are matched from the beginning. To match parts of the value, use * as the wildcard symbol:
data record(content = "User 'käärmanü' failed to login from 192.168.0.1")
| fieldsAdd matchesValue(content, "192.168.0.1"),
    matchesValue(content, "*192.168.0.1"),
    matchesValue(content, "*failed to log*")
Query result:
| content | matchesValue(content, "192.168.0.1") | matchesValue(content, "*192.168.0.1") | matchesValue(content, "*failed to log*") |
|---|---|---|---|
| User 'käärmanü' failed to login from 192.168.0.1 | false | true | true |
Only ASCII characters are matched case-insensitively:
data record(content = "Österreich")
| fieldsAdd matchesValue(content, "österreich"),
    matchesValue(content, "Österreich")
Query result:
| content | matchesValue(content, "österreich") | matchesValue(content, "Österreich") |
|---|---|---|
| Österreich | false | true |
The function handles arrays in an "any-match" manner: it returns true if any element of the array matches.
data record(technologies = array("Java11", "java17"))
| fieldsAdd matchesValue(technologies, "Java11"),
    matchesValue(technologies, "java"),
    matchesValue(technologies, "java*")
Query result:
| technologies | matchesValue(technologies, "Java11") | matchesValue(technologies, "java") | matchesValue(technologies, "java*") |
|---|---|---|---|
| [Java11, java17] | true | false | true |
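The matching rules shown in the matchesValue examples above, modelled in Python as an added example (not Dynatrace code and not part of the original page). The helper names are hypothetical, whole-value matching is inferred from the page's result tables, and the second sample line is constructed. `unicode_only_hits` lists the records a pattern misses only because non-ASCII letters are not case-folded, which is worth checking when a query filters on user names.

```python
import re

def _ascii_fold(s):
    # Lower-case A-Z only; non-ASCII letters such as 'Ö' stay as they are.
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)

def _to_regex(pattern, flags=0):
    # '*' is the only wildcard; every other character is taken literally.
    return re.compile(".*".join(map(re.escape, pattern.split("*"))),
                      flags | re.DOTALL)

def matches_value(expression, value, case_sensitive=False):
    """Model of the documented behaviour (hypothetical helper, an assumption)."""
    items = expression if isinstance(expression, (list, tuple)) else [expression]
    fold = (lambda s: s) if case_sensitive else _ascii_fold
    rx = _to_regex(fold(value))
    # fullmatch: the pattern must cover the whole value; arrays are "any-match".
    return any(rx.fullmatch(fold(item)) is not None for item in items)

def unicode_only_hits(lines, pattern):
    """Lines that full Unicode case folding would match but the ASCII-only rule misses."""
    rx = _to_regex(pattern, re.IGNORECASE)
    return [l for l in lines if rx.fullmatch(l) and not matches_value(l, pattern)]

# The first line is the page's sample record; the second is constructed.
SAMPLE = [
    "User 'käärmanü' failed to login from 192.168.0.1",
    "User 'KÄÄRMANÜ' failed to login from 192.168.0.7",
]

if __name__ == "__main__":
    for pat in ("User*", "192.168.0.1", "*192.168.0.1", "*failed to log*"):
        print(pat, matches_value(SAMPLE[0], pat))
    print("missed:", unicode_only_hits(SAMPLE, "*'käärmanü' failed to login*"))
```
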