Scalar functions

String functions

base64_encode_tostring()

Encodes a string as base64 string.

Arguments

• String: Input string or string field to be encoded as base64 string.

Returns

Returns the string encoded as base64 string.

• To decode base64 strings to UTF-8 strings, see base64_decode_tostring()

Examples

base64_encode_tostring(string)

['sample-http-logs']
| extend encoded_base64_string = base64_encode_tostring(content_type)

base64_decode_tostring()

Decodes a base64 string to a UTF-8 string.

Arguments

• String: Input string or string field to be decoded from base64 to UTF8-8 string.

Returns

Returns UTF-8 string decoded from base64 string.

• To encode strings to base64 string, see base64_encode_tostring()

Examples

base64_decode_tostring(string)

['sample-http-logs']
| project decoded_base64_string = base64_decode_tostring( "S3fsVzdG8=" )

countof()

Counts occurrences of a substring in a string.

Arguments

Returns

The number of times that the search string can be matched.

Examples

countof(search, text)

['sample-http-logs']
| project count = countof("con", "content_type")

countof_regex()

Counts occurrences of a substring in a string. regex matches don't.

Arguments

• text source: A string.
• regex search: regular expression to match inside your text source.

Returns

The number of times that the search string can be matched in the dataset. Regex matches do not.

Examples

countof_regex(regex, text)

['sample-http-logs']
| project count = countof_regex("c.n", "content_type")

extract()

Convert the extracted substring to the indicated type.

Arguments

Returns

If regex finds a match in source: the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral.

If there's no match, or the type conversion fails: -1 or string error

Examples

extract(regex, captureGroup, source)

['sample-http-logs']
| project extract_sub =  extract("^.{2,2}(.{4,4})", 1, content_type)

extract("x=([0-9.]+)", 1, "axiom x=65.6|po") == "65.6"

extract_all()

retrieve a subset of matching groups.

Arguments

Returns

• If regex finds a match in source: Returns dynamic array including all matches against the indicated capture groups captureGroups, or all of capturing groups in the regex.
• If number of captureGroups is 1: The returned array has a single dimension of matched values.
• If number of captureGroups is more than 1: The returned array is a two-dimensional collection of multi-value matches per captureGroups selection, or all capture groups present in the regex if captureGroups is omitted.
• If there's no match: -1

Examples

extract_all(regex, [captureGroups,] source)

['sample-http-logs']
| project extract_match =  extract_all(@"(\w)(\w+)(\w)", dynamic([1,3]), content_type)

extract_all(@"(\w)(\w+)(\w)", dynamic([1,3]), content_type) == [["t", "t"],["c","v"]]

format_bytes()

Formats a number as a string reprsenting data size in bytes.

Arguments

Returns

• A formated string for humans

Examples

format_bytes( 4000, number, "['id']", num_comments ) == "3.9062500000000 KB"

format_bytes(value [, precision [, units [, base]]])

format_bytes(1024) == "1 KB"

format_bytes(8000000, 2, "MB", 10) == "8.00 MB"

['github-issues-event']
| project formated_bytes =  format_bytes( 4783549035, number, "['id']", num_comments  )

indexof()

Reports the zero-based index of the first occurrence of a specified string within the input string.

Arguments

Returns

• Zero-based index position of lookup.

• Returns -1 if the string isn't found in the input.

Examples

indexof( body, ['id'], 2, 1, number ) == "-1"

indexof(source,lookup[,start_index[,length[,occurrence]]])

indexof ()

['github-issues-event']
| project occurence = indexof( body, ['id'], 23, 5, number )

isempty()

Returns true if the argument is an empty string or is null.

Returns

Indicates whether the argument is an empty string or isnull.

Examples

isempty("") == true

isempty([value])

['github-issues-event']
| project empty = isempty( num_comments )

isnotempty()

Returns true if the argument isn't an empty string, and it isn't null.

Examples

isnotempty("") == false

isnotempty([value])

notempty([value]) -- alias of isnotempty

['github-issues-event']
| project not_empty = isnotempty( num_comments )

isnotnull()

Returns true if the argument is not null.

Examples

isnotnull( num_comments ) == true

isnotnull([value])

notnull([value]) - alias for `isnotnull`

['github-issues-event']
| project not_null = isnotnull( num_comments )

isnull()

Evaluates its sole argument and returns a bool value indicating if the argument evaluates to a null value.

Returns

True or false, depending on whether or not the value is null.

Examples

isnull(Expr)

['github-issues-event']
| project is_null = isnull( creator )

parse_bytes()

Parses a string including byte size units and returns the number of bytes

Arguments

Returns

• The number of bytes or zero if unable to parse

Examples

parse_bytes(bytes_string [, base])

parse_bytes("1 KB") == 1024

parse_bytes("1 KB", 10) == 1000

parse_bytes("128 Bytes") == 128

parse_bytes("bad data") == 0

['github-issues-event']
| extend parsed_bytes =  parse_bytes("300 KB", 10)

parse_json()

Interprets a string as a JSON value and returns the value as dynamic.

Arguments

json: An expression of type string. It represents a JSON-formatted value,

Returns

An object of type json that is determined by the value of json:

• If json is of type string, and is a properly formatted JSON string, then the string is parsed, and the value produced is returned.

• If json is of type string, but it isn't a properly formatted JSON string, then the returned value is an object of type dynamic that holds the original string value.

Examples

parse_json(json)

['vercel']
| extend parsed = parse_json('{"name":"vercel", "statuscode":200, "region": { "route": "usage streams", "number": 9 }}')

['github-issues-event']
| extend parsed = parse_json( creator )
| where isnotnull( parsed)

parse_url()

Parses an absolute URL string and returns an object contains URL parts.

Arguments

• url: A string represents a URL or the query part of the URL.

Returns

An object of type dynamic that included the URL components: Scheme, Host, Port, Path, Username, Password, Query Parameters, Fragment.

Examples

parse_url("https://www.axiom.co/docs/restapi/introduction")

• Result

{
  "Result": {
    "scheme": "https",
    "path": "/docs/restapi/introduction",
    "host": "www.axiom.co"
  }
}

parse_url(url)

['github-issues-event']
| project parsed_url =  parse_url( "https://www.axiom.co/" )

parse_urlquery()

Returns a dynamic object contains the Query parameters.

Arguments

query: A string represents a url query

Returns

An object of type dynamic that includes the query parameters.

Examples

parse_urlquery("a1=b1&a2=b2&a3=b3")

• Result

{
  "Result": {
    "a3": "b3",
    "a2": "b2",
    "a1": "b1"
  }
}

parse_urlquery(query)

['github-issues-event']
| project parsed = parse_urlquery("https://play.axiom.co/axiom-play-qf1k/explorer?qid=fUKgiQgLjKE-rd7wjy")

replace()

Replace all regex matches with another string.

Arguments

• regex: The regular expression to search source. It can contain capture groups in '('parentheses')'.
• rewrite: The replacement regex for any match made by matchingRegex. Use \0 to refer to the whole match, \1 for the first capture group, \2 and so on for subsequent capture groups.
• source: A string.

Returns

• source after replacing all matches of regex with evaluations of rewrite. Matches do not overlap.

Examples

replace(regex, rewrite, source)

replace_regex()

Replaces all regex matches with another string.

Arguments

• text: A string.
• regex: The regular expression to search text.
• rewrite: The replacement regex for any match made by matchingRegex.

Returns

source after replacing all matches of regex with evaluations of rewrite. Matches do not overlap.

Example

replace_regex( "repo", "axiom$", "axiom-monitoring" )

• Result

{
  "replaced": "axiom-monitoring"
}

replace_regex(text,regex, rewrite)

['github-issues-event']
| extend replaced = replace_regex( "repo", "axiom$", "replace" )

replace_string()

Replaces all string matches with another string.

Arguments

• text: A string.
• lookup: A string to be replaced.
• rewrite: A replacement string.

Returns

text after replacing all matches of lookup with evaluations of rewrite. Matches do not overlap.

Examples

replace_string( "creator", "github", "axiom" )

• Result

{
  "replaced_string": "axiom"
}

replace_string(text, lookup, rewrite)

['github-issues-event']
| extend replaced_string = replace_string( "creator", "github", "replace" )

reverse()

Function reverses the order of the input Field.

Arguments

Returns

The reverse order of a field value.

Examples

reverse(value)

project reversed = reverse("axiom")

• Result

moixa

split()

Splits a given string according to a given delimiter and returns a string array with the contained substrings.

Optionally, a specific substring can be returned if exists.

Arguments

• source: The source string that will be split according to the given delimiter.
• delimiter: The delimiter (Field) that will be used in order to split the source string.

Returns

• A string array that contains the substrings of the given source string that are delimited by the given delimiter.

Examples

split(source, delimiter)

project split_str = split("axiom_observability_monitoring", "_")

• Result

{
  "split_str": [
    "axiom",
    "observability",
    "monitoring"
  ]
}

strcat()

Concatenates between 1 and 64 arguments.

If the arguments aren't of string type, they'll be forcibly converted to string.

Arguments

• argument1 ... argumentN: Expressions to be concatenated.

Returns

Arguments, concatenated to a single string.

Examples

strcat(argument1, argument2[, argumentN])

['github-issues-event']
| project stract_con = strcat( ['milestone.creator'], number )

['github-issues-event']
| project stract_con = strcat( 'axiom', number )

• Result

{
  "stract_con": "axiom3249"
}

strcat_delim()

Concatenates between 2 and 64 arguments, with delimiter, provided as first argument.

• If arguments aren't of string type, they'll be forcibly converted to string.

Arguments

• delimiter: string expression, which will be used as separator.
• argument1 ... argumentN: Expressions to be concatenated.

Returns

Arguments, concatenated to a single string with delimiter.

Examples

strcat_delim(delimiter, argument1, argument2[ , argumentN])

['github-issues-event']
| project strcat = strcat_delim(":", actor, creator)

project strcat = strcat_delim(":", "axiom", "monitoring")

• Result

{
  "strcat": "axiom:monitoring"
}

strcmp()

Compares two strings.

The function starts comparing the first character of each string. If they are equal to each other, it continues with the following pairs until the characters differ or until the end of shorter string is reached.

Arguments

• string1: first input string for comparison.
• string2: second input string for comparison.

Returns

Returns an integral value indicating the relationship between the strings:

• When the result is 0: The contents of both strings are equal.
• When the result is -1: the first character that does not match has a lower value in string1 than in string2.
• When the result is 1: the first character that does not match has a higher value in string1 than in string2.

Examples

strcmp(string1, string2)

['github-issues-event']
| extend cmp = strcmp( body, repo )

``apl copy project cmp = strcmp( "axiom", "observability")

- Result 

```json copy
{
  "input_string": -1
}

strlen()

Returns the length, in characters, of the input string.

Arguments

• source: The source string that will be measured for string length.

Returns

Returns the length, in characters, of the input string.

Examples

strlen(source)

project str_len =  strlen("axiom")

• Result

{
  "str_len": 5
}

strrep()

Repeats given string provided amount of times.

• In case if first or third argument is not of a string type, it will be forcibly converted to string.

Arguments

• value: input expression
• multiplier: positive integer value (from 1 to 1024)
• delimiter: A string expression (default: empty string)

Returns

• Value repeated for a specified number of times, concatenated with delimiter.

• In case if multiplier is more than maximal allowed value (1024), input string will be repeated 1024 times.

Examples

strrep(value,multiplier,[delimiter])

['github-issues-event']
| extend repeat_string = strrep( repo, 5, "::" )

project repeat_string = strrep( "axiom", 3, "::" )

• Result

{
  "repeat_string": "axiom::axiom::axiom"
}

substring()

Extracts a substring from a source string starting from some index to the end of the string.

Arguments

• source: The source string that the substring will be taken from.
• startingIndex: The zero-based starting character position of the requested substring.
• length: A parameter that can be used to specify the requested number of characters in the substring.

Returns

A substring from the given string. The substring starts at startingIndex (zero-based) character position and continues to the end of the string or length characters if specified.

Example

substring(source, startingIndex [, length])

['github-issues-event']
| extend extract_string = substring( repo, 4, 5 )

project extract_string = substring( "axiom", 4, 5 )

{
  "extract_string": "m"
}

toupper()

Converts a string to upper case.

toupper("axiom") == "AXIOM"

['github-issues-event']
| extend upper = toupper( body )

tolower()

Converts a string to lower case.

tolower("AXIOM") == "axiom"

['github-issues-event']
| extend low = tolower( body )

trim()

Removes all leading and trailing matches of the specified cutset.

Arguments

• source: A string.
• cutset: A string containing the characters to be removed.

Returns

source after trimming matches of the cutset found in the beginning and/or the end of source.

Examples

trim(source)

['github-issues-event']
| extend remove_leading_matches = trim( "locked", repo)

project remove_leading_matches = trim( "axiom", "observability")

• Result

{
  "remove_leading_matches": "bservability"
}

trim_regex()

Removes all leading and trailing matches of the specified regular expression.

Arguments

• regex: String or regular expression to be trimmed from the beginning and/or the end of source.
• source: A string.

Returns

source after trimming matches of regex found in the beginning and/or the end of source.

Examples

trim_regex(regex, source)

['github-issues-event']
| extend remove_trailing_match_regex = trim_regex( "^github", action )

• Result

{
  "remove_trailing_match_regex": "closed"
}

trim_end()

Removes trailing match of the specified cutset.

Arguments

• source: A string.
• cutset: A string containing the characters to be removed.`

Returns

source after trimming matches of the cutset found in the end of source.

Examples

trim_end(source)

['github-issues-event']
| extend remove_cutset = trim_end(@"[^\w]+", body)

• Result

{
  "remove_cutset": "In [`9128d50`](https://7aa98788e07\n), **down**:\n- HTTP code: 0\n- Response time: 0 ms\n"
}

trim_end_regex()

Removes trailing match of the specified regular expression.

Arguments

• regex: String or regular expression to be trimmed from the end of source.
• source: A string.

Returns

source after trimming matches of regex found in the end of source.

Examples

trim_end_regex(regex, source)

['github-issues-event']
| project  remove_cutset_regex = trim_end_regex( "^github", creator )

• Result

{
  "remove_cutset_regex": "axiomhq"
}

trim_start()

Removes leading match of the specified cutset.

Arguments

• source: A string.

Returns

• source after trimming match of the specified cutset found in the beginning of source.

Examples

trim_start(source)

['github-issues-event']
| project remove_cutset = trim_start( "github", repo)

• Result

{
  "remove_cutset": "axiomhq/next-axiom"
}

trim_start_regex()

Removes leading match of the specified regular expression.

Arguments

• regex: String or regular expression to be trimmed from the beginning of source.
• source: A string.

Returns

source after trimming match of regex found in the beginning of source.

Example

trim_start_regex(regex, source)

['github-issues-event']
| project remove_cutset = trim_start_regex( "github", repo)

• Result

{
  "remove_cutset": "axiomhq/next-axiom"
}

url_decode()

The function converts encoded URL into a to regular URL representation.

Arguments

• encoded url: encoded URL (string).

Returns

URL (string) in a regular representation.

Examples

url_decode(encoded url)

['github-issues-event']
| project decoded_link = url_decode( "https://www.axiom.co/" )

• Result

{
  "decoded_link": "https://www.axiom.co/"
}

url_encode()

The function converts characters of the input URL into a format that can be transmitted over the Internet.

Arguments

• url: input URL (string).

Returns

URL (string) converted into a format that can be transmitted over the Internet.

Example

url_encode(url)

['github-issues-event']
| project encoded_url = url_encode( "https://www.axiom.co/" )

• Result

{
  "encoded_link": "https%3A%2F%2Fwww.axiom.co%2F"
}

gettype()

Returns the runtime type of its single argument.

Arguments

• Expressions

Returns

A string representing the runtime type of its single argument.

Examples

parse_csv()

Splits a given string representing a single record of comma-separated values and returns a string array with these values.

Arguments

• csv_text: A string representing a single record of comma-separated values.

Returns

A string array that contains the split values.

Examples

parse_csv("axiom,logging,observability") ==  [ "axiom", "logging", "observability" ]

parse_csv("axiom, processing, language")  == [ "axiom", "processing", "language" ]

['github-issues-event']
| project parse_csv("github, body, repo")