Functions with a general purpose.
Returns entities matching the specified entity selector.
You can use the returned entity IDs to filter entities based on their ID. The classicEntitySelector function is only supported as in(field, classicEntitySelector("..")).
To learn more, see entity selector.
classicEntitySelector(entitySelector)
The data type of the returned value is array.
In this example, the query fetches all logs for pod running on the Kubernetes namespace CLOUD_APPLICATION_NAMESPACE-1B6CFC8C542A2273.
fetch logs| filter in(dt.entity.cloud_application_instance, classicEntitySelector("type(CLOUD_APPLICATION_INSTANCE),toRelationShip.IS_NAMESPACE_OF_CAI(type(CLOUD_APPLICATION_NAMESPACE), entityId(CLOUD_APPLICATION_NAMESPACE-1B6CFC8C542A2273))"))
To use this function, you need the storage:entities:read permissions. For details, see Permissions in Grail.
Returns the attribute value for an entity.
If you do not define an alias for a field added using the entityAttr function, the default field name will be <entity-type>.<attribute-name>.
To use this function, you need the storage:entities:read permissions. For details, see Permissions in Grail.
entityAttr(expression, name [, type])
The data type of the returned value depends on the queried entity attribute.
timeseries avg(dt.host.cpu.idle), by:{ dt.entity.host }| fieldsAdd entityAttr(dt.entity.host, "tags")
To use this function, you need the storage:entities:read permissions. For details, see Permissions in Grail.
Returns the name of an entity.
If you do not define an alias for a field added using the entityName function, the default field name will be <entity-type>.name.
entityName(expression [, type])
The data type of the returned value is a string.
fetch bizevents| fieldsAdd entityName(dt.entity.host)
To use this function, you need the storage:entities:read permissions. For details, see Permissions in Grail.
Tests if a field exists.
exists(field)
The data type of the returned value is boolean.
In this example, the query fetches a single log record and uses the exists function to test if various fields exist in the record.
fetch logs| limit 1| fields exists(timestamp), exists(content), exists(non.existing.field)
Query result:
Tests if a value is a member of an array.
The in function supports multiple haystacks and allows arrays in all arguments.
in(needle, haystack, …)
The data type of the returned value is boolean.
data record(a = "java"),record(a = "python"),record(a = "dotnet"),record(a = "rust")| fieldsAdd in(a, {"java", "go", "rust"})
Query result:
data record(technologies = array("Java", "Spring", "Jetty")),record(technologies = array("Python", "Flask")),record(technologies = array("Java", "Hibernate"))| fieldsAdd in(technologies, "Python", "Hibernate"),in(technologies, array("Spring", "Flask"))
Query result:
Creates a record from the keys and values of the parameter.
record(expression, …)
The data type of the returned value is record.
data record(executable = "java", technologies = array("Java", "Spring", "Jetty")),record(executable = "python", technologies = array("Python", "Flask")),record(executable = "java", technologies = array("Java", "Jetty", "Hibernate"))
Query result: