Functions with a general purpose.
Returns entities matching the specified entity selector.
You can use the returned entity IDs to filter entities based on their ID. The classicEntitySelector function is only supported as in(field, classicEntitySelector("..")).
To learn more, see entity selector.
classicEntitySelector(entitySelector)
Parameter
Type
Description
Required
The data type of the returned value is array.
In this example, the query fetches all logs for pod running on the Kubernetes namespace CLOUD_APPLICATION_NAMESPACE-1B6CFC8C542A2273.
fetch logs| filter in(dt.entity.cloud_application_instance, classicEntitySelector("type(CLOUD_APPLICATION_INSTANCE),toRelationShip.IS_NAMESPACE_OF_CAI(type(CLOUD_APPLICATION_NAMESPACE), entityId(CLOUD_APPLICATION_NAMESPACE-1B6CFC8C542A2273))"))
Returns the attribute value for an entity.
If you do not define an alias for a field added using the entityAttr function, the default field name will be <entity-type>.<attribute-name>.
entityAttr(expression, name [, type])
Parameter
Type
Description
Required
expression
entity type
The expression to determine the entity ID.
required
name
string
The entity attribute name that shall be queried.
required
type
string
The entity type that shall be queried.
optional
The data type of the returned value depends on the queried entity attribute.
timeseries avg(dt.host.cpu.idle), by:{ dt.entity.host }| fieldsAdd entityAttr(dt.entity.host, "tags")
Returns the name of an entity.
If you do not define an alias for a field added using the entityName function, the default field name will be <entity-type>.name.
entityName(expression [, type])
Parameter
Type
Description
Required
expression
entity type
The expression to determine the entity ID.
required
type
string
The entity type that shall be queried.
optional
The data type of the returned value is a string.
fetch bizevents| fieldsAdd entityName(dt.entity.host)
Tests if a field exists.
exists(field)
Parameter
Type
Description
Required
field
field identifier
The name of the field that will be checked if it exists.
required
The data type of the returned value is boolean.
In this example, the query fetches a single log record and uses the exists function to test if various fields exist in the record.
fetch logs| limit 1| fields exists(timestamp), exists(content), exists(non.existing.field)
Query result:
exists(timestamp)
exists(content)
exists(non.existing.field)
true
true
false
Tests if a value is a member of an array.
The in function supports multiple haystacks and allows arrays in all arguments.
in(needle, haystack, …)
Parameter
Type
Description
Required
needle
array, boolean, double, duration, ip, long, record, string, timeframe, timestamp
The element(s) to search for (the needle).
required
haystack
array, boolean, double, duration, ip, long, record, string, timeframe, timestamp
The elements to search for the needle element (the haystack).
required
The data type of the returned value is boolean.
data record(a = "java"),record(a = "python"),record(a = "dotnet"),record(a = "rust")| fieldsAdd in(a, {"java", "go", "rust"})
Query result:
a
in(a, {"java", "go", "rust"})
java
true
python
false
dotnet
false
rust
true
data record(technologies = array("Java", "Spring", "Jetty")),record(technologies = array("Python", "Flask")),record(technologies = array("Java", "Hibernate"))| fieldsAdd in(technologies, "Python", "Hibernate"),in(technologies, array("Spring", "Flask"))
Query result:
technologies
in(technologies, {"Python", "Hibernate"})
in(technologies, array("Spring", "Flask"))
[Java, Spring, Jetty]
false
true
[Python, Flask]
true
true
[Java, Hibernate]
true
false
Creates a record from the keys and values of the parameter.
record(expression, …)
Parameter
Type
Description
Required
expression
array, boolean, double, duration, ip, long, record, string, timeframe, timestamp
An expression to add to the record.
required
The data type of the returned value is record.
data record(executable = "java", technologies = array("Java", "Spring", "Jetty")),record(executable = "python", technologies = array("Python", "Flask")),record(executable = "java", technologies = array("Java", "Jetty", "Hibernate"))
Query result:
executable
technologies
java
[Java, Spring, Jetty]
python
[Python, Flask]
java
[Java, Jetty, Hibernate]