toString(expression)
| Cast operation that converts the value of expression to a string. | String | toString(123) returns '123'
|
startsWith('string', 'prefix')
|
Checks if the string begins with the prefix.
An alternative form of beginsWith(). | Boolean | startsWith('Exabeam', 'Exa') returns true
|
beginsWith('string', 'prefix')
|
Checks if the string begins with the prefix.
An alternative form of startsWith(). | Boolean | beginsWith('Exabeam', 'Exa' returns true
|
startsWithAny('string', 'p1', ..., 'pn')
|
Checks if string begins with any of the prefixes p1 ... pn.
An alternative form of beginswithAny(). | Boolean | startsWithAny('Exabeam', 'Exa', '123', 'Prefix') returns true
|
beginsWithAny('string', 'p1', ..., 'pn')
|
Checks if string begins with any of the prefixes p1 ... pn.
An alternative form of startswithAny(). | Boolean | beginsWithAny('Exabeam', 'Exa', '123', 'Prefix') returns true
|
lcp('s1', ..., 'sn')
| Evaluates the longest common prefix among string arguments s1 ... sn. An alternative form of LeastCommonPrefix(). | String | lcp('Exabeam', 'Exameter') returns 'Exa'
|
LeastCommonPrefix('s1', ..., 'sn')
| Evaluates the longest common prefix among string arguments s1 ... sn. An alternative form of lps(). | String | LeastCommonPrefix('Exabeam', 'Exameter') returns 'Exa'
|
lcs('s1', ..., 'sn')
| Evaluates the longest common suffix among string arguments s1 ... sn. The evaluation is case-sensitive. An alternative form of LeastCommonSuffix(). | String | lcs('Exabeam', 'Jim Beam') returns 'eam'
|
LeastCommonSuffix('s1', ..., 'sn')
| Evaluates the longest common suffix among string arguments s1 ... sn. The evaluation is case-sensitive. An alternative form of lcs(). | String | LeastCommonSuffix('Exabeam', 'Jim Beam') returns 'eam'
|
endsWith('string', 'substring')
|
Checks whether string ends with substring.
| Boolean | endsWith('filename.txt', '.txt') returns true
|
endsWithAny('string', 's1', ..., 'sn')
|
Checks if string ends with any of the substrings s1, ..., sn.
| Boolean | endsWithAny('filename.txt', '.txt', '.pdf', '.docx') returns true.
|
concat('s1', ..., 'sn')
|
Concatenates arguments as a single string. | String | concat('hello', ' ', 'world') returns 'hello world'
|
joinifexists(f1, ..., fn)
| Concatenates value of fields f1 ..., fn if all field values are non-empty; otherwise, returns an empty string or null. | String | joinifexists(first_name, ' ', last_name) returns 'Barbara Salazar' if first_name is Barbara and last_name in Salazar
|
contains('string', 'substring')
|
Checks whether string contains substring.
| Boolean | contains('exabeam', 'beam') returns true
|
containsAny('string', 's1', ..., 'sn')
|
Checks whether string contains any of the substrings s1, ..., sn.
| Boolean | containsAny('exabeam', 'exa', 'acme') returns true
containsAny(GetGeoInfo('isp', src_ip),'microsoft corporation', 'zscaler') checks if a source IP address belongs to the Microsoft Corporation or Zscaler internet service providers.
GetGeoInfo('isp', src_ip) returns the ISP of the source IP address.
containsAny() returns true if the ISP contains microsoft corporation or zscaler.
containsAny(geo_src_ip, 'microsoft corporation, 'zscaler') returns true if the value of the geo_src_ip field contains microsoft corporation or zscaler.
|
slice('string', from, until)
| Extracts a substring from string starting at index from and up to but not including index until. | String | slice('hello', 2, 4) returns 'll'
|
replace('string', 's1', 's2')
| In string, replace every substring s1, interpreted as a literal string, with substring s2. | String | replace('Exabeam', 'beam', 'meter') returns 'Exameter'
|
replaceAll('string', regex, 's2')
| In string, replaces every occurrence of substring that matches a regular expression regex with substring s2. | String | replaceAll('Hello Exabeam Hello Exabeam', /Exabeam/, 'Barbara') returns 'Hello Barbara Hello Barbara'
|
replaceFirst('string', regex, 's2'
| In string, replaces the first occurrence of a substring that matches regular expression regex with substring s2. | | replaceFirst('Hello Exabeam Hello Exabeam', /Exabeam/, 'Barbara') returns 'Hello Barbara Hello Exabeam'
|
take('string',n)
| Keeps first n characters in string and removes the rest. | String | take('hello', 2) returns 'he'
|
takeright('string', n)
| Keeps last n characters in string and removes the rest. | String | takeright('hello' 2) returns 'lo'
|
chopBefore('string', 'pattern', n)
|
Removes all characters from string before and including the n-th occurrence of a pattern.
| String | chopBefore('a.b.c', '.', 2) returns 'c'
|
chopAfter('string', 'pattern', n)
|
Removes all characters from string after and including the n-th occurrence of a pattern.
| String | chopAfter('a.b.c', '.', 2) returns 'a.b'.
|
drop('string', n)
|
Removes the first n characters from string.
| String | drop('hello', 2) returns 'llo'
|
dropright('string', n)
|
Removes the last n characters from string.
| String | dropright('hello', 2) returns 'hel'
|
stripPrefix('string', 'prefix')
| Removes prefix from string if present. The prefix argument is case sensitive. | String | stripPrefix('Exabeam', 'Exa') returns 'beam'
|
stripSuffix('string', 'suffix')
| Removes suffix from string if present. The prefix argument is case sensitive. | String | stripSuffix('Exabeam', 'beam' returns 'Exa'
|
trim('string')
| Remove leading and trailing whitespace from string. | String | trim(' Exabeam ') returns 'Exabeam'
|
toLower('string')
| Converts string to all lowercase. | String | toLower('HELLO') returns 'hello'
|
toUpper('string')
| Converts string to all uppercase. | String | toUpper('hello') returns 'HELLO'
|
indexOf('string', 'pattern')
|
Evaluates the zero-based index of the first occurrence of pattern in string. If pattern is not present, returns -1. | Integer | indexOf('hello', 'e') returns 1
|
lastIndexOf('string','pattern')
| Evaluates the zero-based index of the last occurence of pattern in string. If pattern is not present, returns -1. | Integer | lastIndexOf('hello', 'l') returns 3
|
length('string')
| Evaluates the length of string. | Integer | length('hello') returns 5
|
format('formatspec', argument)
| Formats argument according to format string formatspec. | Formatted argument | format('%.2f', 2.34567) returns 2.35.
|
