Operations reference

See the following table for a complete list of operations you can perform in the Devo platform to transform your data and get the required results. Remember that you can apply operations to your data using the tools in the search window or writing them directly in your query script using LINQ.

How to use this reference

Each operation in the table includes the following information:

Operation name - Click the name of any operation to learn how to apply it using the search window interface and how to write it using LINQ, as well as further examples and details, such as required input data types and output data types in case of Aggregation and Create column operations.
Description - Brief definition of the operation and the expected results. In the Devo search window, operations are classified into Aggregation (using the group every... and select... as... commands in LINQ), Filter (using the where... command in LINQ) and Create column operations (using the select... as... command in LINQ). If an operation belongs to more than one type, you will see a description for each one.
Valid formats - See the possible ways of applying each operation using LINQ (number of arguments, different operators...) and required input data types. The resulting output data type is also shown. Note that it only applies for Create column and Aggregation operations, since Filter operations do not add additional columns.

Operations are ordered alphabetically in the table. Find the required operation using CTRL + F.

Operation name	Description	Valid formats
Absolute URI	Filter - Retrieves only absolute URIs from a specified field. Create column - Creates a Boolean column that shows true if a given URI is absolute.	`absoluteuri(string`) `→` `boolean`
Absolute value	Create column - Adds a new column that returns the non-negative values of the numbers in a numeric field.	`abs(number`) `→` `number`
Addition, sum, plus / Concatenation	Create column - Adds a new column that returns the addition or concatenation of the elements in the given fields. Depending on the input data types, this operation retrieves different results. See the operation article for more details.	`number1 + number2 +... → number` `duration1 + duration2 +... → duration` `timestamp + duration → timestamp` `string1 + string2 +... → string` `add(number1, number2,...) → number` `add(duration1, duration2,...) → duration` `add(timestamp, duration) → timestamp` `add(string1, string2,...) → string`
And	Filter - Retrieves those events where all the given Boolean column values are true. Create column - Creates a Boolean column that returns true only if all the given arguments are true.	`boolean1 and boolean2 and ... → boolean`
Any name matches	Filter - Filters a field containing sets of names in set(name) format and shows only those values that match one or more of the specified patterns. Create column - Creates a new Boolean column that shows true when the values in a set(name) field match one or more of the specified patterns. Learn more about the set(name) and namepattern data types in the operation article.	`anymatches(setname, nameglob(string)) → boolean` `anymatches(setname, namepattern) → boolean`
Approximated estimation	Create column - Computes the approximated estimation of a set of distinct counts in dc data type. Learn more about the dc data type in the operation article.	`estimation(dc) → float`
Arc cosine	Create column - Adds a new column that returns the arc cosine of the values of a numeric field.	`acos(number) → float`
Arc sine	Create column - Adds a new column that returns the arc sine of the values of a numeric field.	`asin(number) → float`
Arc tangent	Create column - Creates a new column that returns the arc tangent of the values of a numeric field. When applied with two arguments, it returns the arc tangent of the specified x- and y-coordinates.	`atan(number) → float` `atan(number1, number2) → float`
Average	Aggregation - Calculates the average of the grouped values of the selected numeric field.	`avg(number) → number`
Bitwise AND	Create column - Creates a new column that retrieves the Bitwise AND of the specified arguments.	`band(integer1, integer2) → integer` `integer1 & integer2 → integer`
Bitwise left shift	Create column - Creates a new column that shifts to the left the bits of the values in the first argument as many positions as specified in the second argument.	`lshift(integer1, integer2) → integer` `integer1 << integer2 → integer`
Bitwise NOT	Create column - Creates a new column that retrieves the Bitwise NOT of the specified argument.	`bnot(integer) → integer` `~(integer) → integer`
Bitwise OR	Create column - Creates a new column that retrieves the Bitwise OR of the specified arguments.	`bor(integer1, integer2) → integer` `integer1 \| integer2 → integer`
Bitwise right shift	Create column - Creates a new column that shifts to the right the bits of the values in the first argument as many positions as specified in the second argument. This operation keeps the sign bit intact, so the sign of the original number is always preserved. Use Bitwise unsigned right shift (urshift, >>>) if you don't want to preserve the sign bit.	`rshift(integer1, integer2) → integer` `integer1 >> integer2 → integer`
Bitwise unsigned right shift	Create column - Creates a new column that shifts to the right the bits of the values in the first argument as many positions as specified in the second argument. This operation always fills vacant places after shifting with zeros, so the sign of the original number may vary. Use Bitwise right shift (rshift, >>) if you want to preserve the sign of the original number.	`urshift(integer1, integer2) → integer` `integer1 >>> integer2 → integer`
Bitwise XOR	Create column - Creates a new column that retrieves the Bitwise XOR of the specified arguments.	`bxor(integer1, integer2) → integer` `integer1 ^ integer2 → integer`
Ceiling	Create column - Adds a new column that rounds the values of a numeric field, returning the smallest following integer numbers. Use Floor (floor) if you want to get the largest previous integers.	`ceil(number) → number`
Conditional	Create column - Adds a new column that returns the second argument if the column given as first argument (must be a Boolean field) shows true, and the third argument if it shows false.	`ifthenelse(boolean, value1_true, value2_false) → value`
Contains	Filter - Checks for the presence of one or more values in a given string. The filter will identify those strings containing at least one of the indicated values. Create column - Creates a Boolean column that shows true when at least one of the indicated values is present in the given string. If you enter your query using LINQ, note that the `->` operator syntax does not admit more than two arguments. Use the `has()` syntax if you need to add more than one value. This operation is case sensitive. Use the Contains - case insensitive (weakhas) operation if you need to apply this filter ignoring case.	`string_general -> string_value → boolean` `has(string_general, string_value1, string_value2...) → boolean`
Contains - case insensitive	Filter - Returns only those strings that contain a specified value, ignoring case. Create column - Creates a Boolean column that shows true when the indicated value is present in the given string, ignoring case. Use the Contains (has, ->) operation if you need to discriminate between uppercase and lowercase letters.	`weakhas(string_general, string_value) → boolean`
Contains tokens	Filter - Returns only those strings including a specific token. Optionally, you can add one or two boolean values to extend the left and right length of the token. Create column - Adds a new Boolean column that shows true when a specific token is present in a given string. Optionally, you can add one or two boolean values to extend the left and right length of the token.	`toktains(string1, string2) → boolean` `toktains(string1, string2, boolean_left) → boolean` `toktains(string1, string2, boolean_left, boolean_right) → boolean`
Contains tokens - case insensitive (weaktoktains)	Filter - Returns only those strings including a specific token, ignoring case. Optionally, you can add one or two boolean values to extend the left and right length of the token. Create column - Adds a new Boolean column that shows true when a specific token is present in a given string, ignoring case. Optionally, you can add one or two boolean values to extend the left and right length of the token.	`weaktoktains(string1, string2)` `weaktoktains(string1, string2, boolean_left)` `weaktoktains(string1, string2, boolean_left, boolean_right)`
Coordinates distance	Create column - Adds a new column that returns the distance in meters between two geocoords.	`distance(geocoord1, geocoord2) → float` `distance(geocoord(string1), geocoord(string2)) → float` `distance(latlon(string1), latlon(string2)) → float`
Cosine	Create column - Adds a new column that returns the cosine of the values of a numeric field.	`cos(number) → float`
Count	Aggregation - Returns either the number of events in each group (if you add no arguments) or the number of non-null values in each group (if you add an argument).	`count() → integer` `count(number) → integer`
Cube root	Create column - Adds a new column that returns the cube root of the values of a given numeric field.	`cbrt(number) → number`
Day / day of the month	Create column - Returns the duration representation of 1 day (1d), or the day of the month from a given timestamp. Optionally, you can add a timezone different than your current one.	`day() → 1d` `day(timestamp) → integer` `day(timestamp, timezone_string) → integer`
Day name	Create column - Returns the name of the day from a given timestamp. Optionally, you can check it in a time zone different than yours and specify the language in which the day name will appear (en by default).	`dayname(timestamp)` → `integer` `dayname(timestamp, locale_string)` → `string` `dayname(timestamp, locale_string, timezone_string)` → `string`
Day number	Create column - Returns the number of the day in the month from a given timestamp. This count starts from 1, differing from the Day of the month operation, which starts from 0. Optionally, you can check it in a time zone different than yours.	`daynumber(timestamp)` → `integer` `daynumber(timestamp, timezone_string)` →`integer`
Day of the week	Create column - Returns the day of the week from a given timestamp. Optionally, you can add a timezone different than your current one.	`dayofweek(timestamp) → integer` `dayofweek(timestamp, timezone_string) → integer`
Day of the year	Create column - Returns the day of the year from a given timestamp. Optionally, you can add a timezone different than your current one.	`dayofyear(timestamp) → integer` `dayofyear(timestamp, timezone_string) → integer`
Decode, switch	Create column - Conditional operation that evaluates the values in a specified field, verifies if they match a specified value and transform them into a different value in case they do. You can also set an additional value that will be returned when the values don't match. This operation is a conditional control flow statement, but unlike the Conditional (ifthenelse) operation, multiple execution paths are allowed.	`decode(when_field, is_value, transform_to_value)` `decode(when_field, is_value, transform_to_value, otherwise_value)` `decode(when_field, is_value, transform_to_value, is_value2, transform_to_value2...)`
Division	Create column - The new column returns the division of two numbers or the division of a duration and an integer number. When both numbers are integer and the division is not exact, the result will be the value of the quotient.	`number1 \ number2 → integer` `div(number1, number2) → integer` `duration \ integer → duration` `div(duration, integer) → duration`
Division remainder	Create column - Adds a new column that returns the remainder of the division of the integer values in a field by another field or value. The Modulo (mod, %%) operation also returns the remainder of a division, but applies a different formula to calculate it. Go to the operation article to learn more.	`rem(integer1, integer2) → integer` `integer1 % integer2 → integer`
Duration	Create column - Adds a new column that transforms a string representing an amount of time into duration type. The input string must follow a specific format to be transformed. Learn more in the operation article.	`duration(string) → duration`
e (mathematical constant)	Create column - Adds a new column that returns the value of the Euler's number (2.718281828459045).	`e()`
Edit distance: Damerau	Create column - Creates a new column that returns the Damerau edit distance between two strings.	`damerau(string1, string2) → integer`
Edit distance: Hamming	Create column - Creates a new column that returns the Hamming edit distance between two strings.	`hamming(string1, string2) → integer`
Edit distance: Levenshtein	Create column - Creates a new column that returns the Levenshtein edit distance between two strings.	`levenshtein(string1, string2) → integer`
Edit distance: OSA	Create column - Creates a new column that returns the OSA edit distance between two strings.	`osa(string1, string2) → integer`
Ends with	Filter - Filters string values that end with a specified suffix. Create column - Creates a Boolean column that shows true for those strings that end with a specified suffix.	`endswith(string1, string2_suffix) → boolean`
Epoch milliseconds	Create column - Creates a new column that converts a specified timestamp into an epoch reference date: number of milliseconds since midnight Jan 1, 1970. See also the Timestamp (timestamp) function, which transforms epoch dates or strings representing dates into timestamps.	`epoch(timestamp) → integer` `epoch(timestamp(string)) → integer` `epoch(timestamp(integer)) → integer`
Equal	Filter - Compares two values of the same type and returns only the events where both values are exactly the same. Create column - Creates a Boolean column that shows true when two values are exactly the same. This operation is case sensitive. Use Equal - case insensitive (eqic) if you need to apply this operation ignoring case.	`field1 = field2 → boolean` `eq(field1, field2) → boolean`
Equal - case insensitive	Filter - Compares if two strings are the same. It returns only the rows where both values are the same, ignoring case. Create column - Creates a Boolean column that shows true when two strings are exactly the same, ignoring case. Use the Equal (eq, =) operation if you need to discriminate between uppercase and lowercase letters.	`eqic(string1, string2) → boolean`
Ethernet destination MAC address	Create column - Returns the destination MAC address of an Ethernet frame.	`etherdst(packet) → mac`
Ethernet payload	Create column - Returns the payload of an Ethernet frame.	`etherpayload(packet) → boxar(int1)`
Ethernet source MAC address	Create column - Returns the source MAC address of an Ethernet frame.	`ethersrc(packet) → mac`
Ethernet status	Create column - Returns the status of an Ethernet packet.	`etherstatus(packet) → string`
Ethernet tag	Create column - Returns the tag of an Ethernet Frame.	`ethertag(packet) → string`
EtherType	Create column - Returns the EtherType of the Ethernet frame of a packet.	`ethertype(packet) → integer`
Exponential: base e	Create column - Returns the value of the constant e to the power of the values in a specified field.	`exp(number) → float`
First	Aggregation - Returns the first value of a specified column for each group.	`first(field) → value`
First not null	Aggregation - Returns the first non-null value of a specified column for each group.	`nnfirst(field) → value`
Floor	Create column - Rounds the values of a numeric field, returning the largest previous integer values in the new column. Use Ceiling (ceil) if you want to get the smallest following integers.	`floor(number) → number`
Format date	Create column - Format a given timestamp using a custom format, optionally specifying a different time zone and a locale.	`formatdate(timestamp, string_format) → timestamp` `formatdate(timestamp, string_format, string_timezone) → timestamp` `formatdate(timestamp, string_format, string_timezone, string_locale) → timestamp`
Format number	Create column - Converts a number according to a format and an optional locale. It is used to separate the digits following the specified format. The result will be a new column containing the strings formatted as specified, depending on the locale (if set). See the operation article for the syntax accepted for the format pattern and the locale.	`formatnumber(number, string_format) → string` `formatnumber(number, string_format, string_locale) → string`
From base16, b16, hex	Create column - Creates a byte array from a valid hexadecimal (base16) string.	`from16(hex_string) → boxar(int1)`
From base16	Create column - creates an integer from a valid hexadecimal (base16) string.	`hex8(string) → integer`
From base64, b16	Create column - Creates a byte array from a valid base64 string.	`from64(base64_string) → boxar(int1)`
From UTF8	Create column - Returns an UTF8 string from the given byte array.	`fromutf8(boxar(int1`)`) → string` `fromutf8(from16`(`string`)`) → string` `fromutf8(mkboxar`(`integer`)`) → string`
From Z85, base85	Create column - Creates a byte array from a valid Z85 string.	`fromz85(Z85_string) → boxar(int1)`
Geocoord	Create column - Generates a geocoord from the given string, which must be either the representation of sexagesimal coordinates, using degrees, minutes, seconds and position (for example 40°24'46.3"N 3°41'43.8"W) or a hash representation of coordinates (for example ezjmguvj)	`geocoord(string) → geocoord`
Geographic coordinate system	Create column - Returns the coordinate system of a given geocoord.	`coordsystem(geocoord) → string` `coordsystem(geocoord(string)) → string`
Geohash	Create column - Generates a geohash from a given geocoord, or converts a string representing a geohash to geohash format. If you enter a geocoord as input, you can optionally select the size of the output geohash.	`geohash(string) → geocoord` `geohash(geocoord) → geocoord` `geohash(geocoord, size_integer) → geocoord` `geohash(geocoord(string) → geocoord` `geohash(geocoord(string), size_integer) → geocoord`
Geohash string	Create column - Transforms a given geohash in geocoord data type into string data type. You can optionally select the size of the output string.	`geohashstr(geocoord) → string` `geohashstr(geocoord, size_integer) → string`
Geolocated Accuracy Radius with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the accuracy radius, in km, around the latitude and longitude with a 67% confidence, using MaxMind IP geolocation.	`mm2accuracyradius(ip) → float` `mm2accuracyradius(ip6) → float`
Geolocated AS Organization Name with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the organization associated with the registered autonomous system number, using MaxMind IP geolocation.	`mm2asorg(ip) → string` `mm2asorg(ip6) → string`
Geolocated AS owner	Create column - Geolocates an IPv4 address and returns its corresponding AS (autonomous system) owner name.	`mmasowner(ip) → string`
Geolocated ASN	Create column - Geolocates an IPv4 address and returns the ASN (autonomous system number).	`mmasn(ip) → integer`
Geolocated ASN with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the autonomous system number, using MaxMind IP geolocation.	`mm2asn(ip) → integer` `mm2asn(ip6) → integer`
Geolocated City	Create column - Geolocates an IPv4 address and returns the corresponding city name.	`mmcity(ip) → string`
Geolocated City with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the corresponding city name, using MaxMind IP geolocation.	`mm2city(ip) → string` `mm2city(ip6) → string`
Geolocated Connection Speed	Create column - Geolocates an IPv4 address and returns the corresponding connection speed category.	`mmspeed(ip) → string`
Geolocated connection type with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the connection type, using MaxMind IP geolocation. The possible connection type values are Dialup, Cable/DSL, Corporate or Cellular.	`mm2con(ip) → string` `mm2con(ip6) → string`
Geolocated Coordinates	Create column - Geolocates an IPv4 address and returns its coordinates.	`mmcoordinates(ip) → geocoord`
Geolocated coordinates with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns its coordinates, using MaxMind IP geolocation.	`mm2coordinates(ip) → geocoord` `mm2coordinates(ip6) → geocoord`
Geolocated Country	Create column - Geolocates an IPv4 address and returns the corresponding country code.	`mmcountry(ip) → string`
Geolocated Country with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the corresponding country name (as a two-character ISO 3166-1 code), using MaxMind IP geolocation.	`mm2country(ip) → string` `mm2country(ip6) → string`
Geolocated ISP	Create column - Geolocates an IPv4 address and returns the corresponding ISP name.	`mmisp(ip) → string`
Geolocated ISP name with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns its ISP name (Internet Server Provider), using MaxMind IP geolocation.	`mm2isp(ip) → string` `mm2isp(ip6) → string`
Geolocated Latitude	Create column - Geolocates an IPv4 address and returns its corresponding latitude.	`mmlatitude(ip) → float`
Geolocated Latitude with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the approximate latitude, using MaxMind IP geolocation.	`mm2latitude(ip) → string` `mm2latitude(ip6) → string`
Geolocated Level 1 Subdivision with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the level 1 subdivision or region name using MaxMind IP geolocation.	`mm2subdivision1(ip) → string` `mm2subdivision1(ip6) → string`
Geolocated Level 2 Subdivision with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the level 2 subdivision or region name using MaxMind IP geolocation.	`mm2subdivision2(ip) → string` `mm2subdivision2(ip6) → string`
Geolocated Longitude	Create column - Geolocates an IPv4 address and returns the corresponding longitude.	`mmlongitude(ip) → float`
Geolocated Longitude with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the approximate longitude, using MaxMind IP geolocation.	`mm2longitude(ip) → float` `mm2longitude(ip6) → float`
Geolocated Organization	Create column - Geolocates an IPv4 address and returns the corresponding organization name.	`mmorg(ip) → string`
Geolocated organization name with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the organization name, using MaxMind IP geolocation.	`mm2org(ip) → string` `mm2org(ip6) → string`
Geolocated Postal Code	Create column - Geolocates an IPv4 address and returns the corresponding postal code.	`mmpostalcode(ip) → string`
Geolocated Postal Code with MaxMind GeoIP2	Create column - Geolocates an IPv4 or IPv6 address and returns the postal code, using MaxMind IP geolocation.	`mm2postalcode(ip) → string` `mm2postalcode(ip6) → string`
Geolocated Region	Create column - Geolocates an IPv4 address and returns the corresponding region code.	`mmregion(ip) → string`
Geolocated Region Name	Create column - Geolocates an IPv4 address and returns the corresponding region name.	`mmregionname(ip) → string`
Glob pattern on names	Create column - Creates a glob pattern on names (namepattern data type). Glob patterns specify sets of filenames with wildcard characters and are required when using the Any name matches operation	`nameglob(string) → namepattern`
Greater or equal	Filter - Filters those events where a value is greater than or equal to either another field of the same data type or a specified value. Create column - Creates a Boolean column that shows true when a value is greater than or equal to either another field of the same data type or a specified value.	`value1 >= value2 → boolean` `ge(value1, value2) → boolean`
Greater than	Filter - Filters those events where a value is greater than either another field of the same data type or a specified value. Create column - Creates a Boolean column that shows true when a value is greater than either another field of the same data type or a specified value.	`value1 > value2 → boolean` `gt(value1, value2) → boolean`
Has Ethernet frame	Create column - Creates a Boolean column that shows true if a specified packet has an Ethernet frame.	`hasether(packet) → boolean`
Has IPv4 datagram	Create column - Creates a Boolean column that shows true if a specified packet has an IPv4 datagram.	`hasip4(packet) → boolean`
Has TCP segment	Create column - Creates a Boolean column that shows true if a specified packet has a TCP segment.	`hastcp(packet) → boolean`
Has UDP datagram	Create column - Creates a Boolean column that shows true if a specified packet has a UDP datagram.	`hasudp(packet) → boolean`
Hostname public suffix	Create column - Extracts the public suffix from the hostnames in a given string field.	`publicsuffix(string) → string`
Hostname root domain	Create column - Extracts the root domain from the hostnames in a given string field.	`rootdomain(string) → string`
Hostname root prefix	Create column - Extract the root prefix from the hostnames in a given string field. A root prefix includes everything that comes before the root domain, including it.	`rootprefix(string) → string`
Hostname root suffix	Create column - Extract the root suffix from the hostnames in a given string field. A root suffix includes everything that comes after the root domain, including it.	`rootsuffix(string) → string`
Hostname subdomains	Create column - Extract the subdomain from the hostnames in a given string field.	`subdomain(string) → string`
Hostname top level domain	Create column - Extracts the top-level domain (TLD) from the hostnames in a given string field.	`topleveldomain(string) → string`
Hour	Create column - Returns the duration representation of 1 hour, or the hours corresponding to a given timestamp. Optionally, you can add a timezone different than your current one.	`hour() →` `1h` `hour(timestamp) → duration` `hour(timestamp, timezone_string) → duration`
HTTP Status Description	Create column - Returns the HTTP status description from a given HTTP status code.	`httpstatusdescription(integer) → string`
HTTP Status Type	Create column - Returns the HTTP status type from a given HTTP status code.	`httpstatustype(integer) → string`
Human size	Create column - Converts a number into a human-readable format, using a binary prefix by default. Optionally, you can add a second boolean argument to specify the required format (true is for binary prefix (2x) and false for decimal prefix (10x).	`humanSize(integer) → string` `humanSize(integer, boolean) → string`
Hyperbolic cosine	Create column - Returns the hyperbolic cosine of the specified number.	`cosh(number) → float`
Hyperbolic sine	Create column - Returns the hyperbolic sine of the specified number.	`sinh(number) → float`
Hyperbolic tangent	Create column - Returns the hyperbolic tangent of the specified number.	`tanh(number) → float`
HyperLogLog++	Aggregation - Applies the HyperLogLog++ algorithm to the groups of a specified field, which is used to calculate the estimated count of distinct elements in each group. The output data type is dc (distinct count). This operation returns the same results as the HyperLogLog++ Count Estimation (hllppcount) operation, the only difference is the output data type.	`hllpp(field) → dc`
HyperLogLog++ Count Estimation	Aggregation - Applies the HyperLogLog++ algorithm to the groups of a specified field, which is used to calculate the estimated count of distinct elements in each group. The output data type is float. This operation returns the same results as the HyperLogLog++ operation, the only difference is the output data type.	`hllppcount(field) → float`
HyperLogLog++ pack	Create column - Transforms a byte array of data type dc to a hexadecimal string of data type boxar(int1)	`pack(dc) → boxar(int1)`
HyperLogLog++ unpack	Create column - Transforms a hexadecimal string of data type boxar(int1) into a byte array of data type dc.	`unpackhllpp(boxar(int1)) → dc`
IP Protocol	Create column - Converts an IP protocol name to its protocol code or vice versa.	`ipprotocol(protocol_name_string) → integer` `ipprotocol(protocol_code_integer) → string`
IP Reputation Score	Create column - Assigns a reputation score to an IPv4 address according to several IP reputation lists.	`reputationscore(ip) → integer`
IP Reputation Tags	Create column - Labels an IPv4 address according to several IP reputation lists.	`reputation(ip) → string`
IPv4 destination address	Create column - Returns the destination IPv4 address of a specified IPv4 datagram (packet data type).	`ip4dst(packet) → ip`
IPv4 differentiated services	Create column - Returns the Differentiated Services Code Point (DSCP) of a specified IPv4 datagram (packet data type).	`ip4ds(packet) → integer`
IPv4 explicit congestion notification	Create column - Returns the Explicit Congestion Notification (ECN) of a specified IPv4 datagram (packet data type).	`ip4ecn(packet) → integer`
IPv4 flags	Create column - Returns the flag value of a specified IPv4 datagram (packet data type).	`ip4flags(packet) → integer`
IPv4 fragment offset	Create column - Returns the fragment offset of a specified IPv4 datagram (packet data type).	`ip4fragment(packet) → integer`
IPv4 header checksum	Create column - Returns the header of a specified IPv4 datagram (packet data type).	`ip4cs(packet) → integer`
IPv4 header length	Create column - Returns the Internet header length (IHL) of a specified IPv4 datagram (packet data type).	`ip4hl(packet) → integer`
IPv4 identification	Create column - Returns the identification field value of a specified IPv4 datagram (packet data type).	`ip4ident(packet) → integer`
IPv4 legal use	Create column - Returns the purpose or legal use of the given IPv4 address.	`purpose(ip) → integer`
IPv4 payload	Create column - Returns the payload of a specified IPv4 datagram (packet data type).	`ip4payload(packet) → boxar(int1)`
IPv4 protocol	Create column - Returns the protocol field value of a specified IPv4 datagram (packet data type).	`ip4proto(packet) → integer`
IPv4 source address	Create column - Returns the source IPv4 address of a specified IPv4 datagram (packet data type).	`ip4src(packet) → ip`
IPv4 status	Create column - Returns the status of a specified IPv4 datagram (packet data type).	`ip4status(packet) → string`
IPv4 time to live	Create column - Returns the time to live (TTL) value in seconds of a specified IPv4 datagram (packet data type).	`ip4ttl(packet) → integer`
IPv4 total length	Create column - Returns the total length field value of a specified IPv4 datagram (packet data type).	`ip4len(packet) → integer`
IPv4 type of service	Create column - Returns the type of service field value of a specified IPv4 datagram (packet data type).	`ip4tos(packet) → integer`
IPv6 host number	Create column - Returns the host number of an IPv6 address.	`host(ip6) → integer`
IPv6 routing number	Create column - Returns the routing part of an IPv6 address.	`routing(ip6) → integer`
Is empty	Filter - Checks if a given string is empty. Create column - Adds a new Boolean column that shows true only for those strings that are empty.	`isempty(string) → boolean`
Is in	Filter - Checks for the presence of one or more values in a given string. The filter will identify those strings containing at least one of the indicated values. You can also use it to filter IPv4 addresses that belong to a specific net. Create column - Adds a new Boolean column that shows true only for those strings that contain at least one of the indicated values. You can also use it to create a new column that shows true for IPv4 addresses that belong to a specific net. If you enter your query using LINQ, note that the `<-` operator syntax does not admit more than two arguments. Use the `in`() syntax if you need to add more than one value. This operation is case sensitive. Use the Is in - case insensitive (weakin) operation if you need to apply this filter ignoring case.
Is in - case insensitive	Filter - Returns only those strings that contain a specified value, ignoring case. Create column - Creates a Boolean column that shows true only for those strings that contain a specified value, ignoring case. Use the Is in (`in`, <-) operation if you need to discriminate between uppercase and lowercase letters.	`weakin(string_value, string_general) → boolean`
Is IPv4	Create column - Creates a Boolean column that returns true if a specified IPv6 is carrying an IPv4.	`isip4(ip6) → boolean`
Is not null	Filter - Filters non-null values in a given column. Create column - Creates a Boolean column that shows true if a given value is not null.	`isnotnull(field) → boolean`
Is null	Filter - Filters null values in a given column. Create column - Creates a Boolean column that shows true if a given value is null.	`isnull(field) → boolean`
Is Private IPv4	Filter - Returns only the private IP addresses of a selected ip column. Create column - Creates a Boolean column that shows true if a given IP address is private.	`isprivate(ip) → boolean`
Is Public IPv4	Filter - Returns only the public IP addresses of a selected ip column. Create column - Creates a Boolean column that shows true if a given IP address is public.	`ispublic(ip) → boolean`
ISO-3166-1 Continent Alpha-2 Code	Create column - Returns the ISO-3166-1 Continent Alpha-2 Code from any continent identification.	`continentalpha2(continent_string) → string`
ISO-3166-1 Continent Name	Create column - Returns the ISO-3166-1 Continent Name from any continent identification.	`continentname(continent_string) → string`
ISO-3166-1 Country Alpha-2 Code	Create column - Returns the ISO-3166-1 Country Alpha-2 Code from any country identification.	`countryalpha2(country_string) → string`
ISO-3166-1 Country Alpha-2 Continent	Create column - Returns the ISO-3166-1 Country Alpha-2 Continent from any country identification.	`countrycontinent(country_string) → string`
ISO-3166-1 Country Alpha-3 Code	Create column - Returns the ISO-3166-1 Country Alpha-3 Code from any country identification.	`countryalpha3(country_string) → string`
ISO-3166-1 Country Latitude	Create column - Returns the ISO-3166-1 Country Latitude from any country identification.	`countrylatitude(country_string) → float`
ISO-3166-1 Country Longitude	Create column - Returns the ISO-3166-1 Country Longitude from any country identification.	`countrylongitude(country_string) → float`
ISO-3166-1 Country Name	Create column - Returns the ISO-3166-1 Country Name from any country identification.	`countryname(country_string) → string`
Jq evaluation	Create column - Uses the jq JSON processor to identify and extract a single value from a JSON object contained in another column.	`jqeval(jqcompile(json_value), json) → json`
Jq filter compilation	Create column - Compiles a jq filter to be used as an argument of the Jq evaluation (jqeval) operation.	`jqcompile(string) → jq`
Json value type	Create column - Returns the type of the values in a JSON object. Note that you must first extract the part of the JSON you want to analyze using the Jq evaluation (jqeval) operation.	`label(json_value) → string`
Last	Aggregation - Returns the last value of the selected field for each group.	`last(field) → value`
Last not null	Aggregation - Returns the last non-null value of the selected field for each group.	`nnlast(field) → value`
Latitude	Create column - Returns the latitude of a given geocoord.	`latitude(geocoord) → float`
Latitude and longitude coordinates	Create column - Generates a geocoord based on sexagesimal coordinates. It can be done using latitude and longitude numerical values, another geocoord or a string representing coordinates.	`latlon(latitude_float, longitude_float) → geocoord` `latlon(geocoord) → geocoord` `latlon(coordinates_string) → geocoord`
Leap year	Create column - Checks if the year corresponding to a given timestamp is a leap year or not. Optionally, you can check it in a timezone different than yours.	`isleapyear(timestamp)` → `string` `isleapyear(timestamp, timezone_string)` → `string`
Length	Create column - Adds a new column that returns the length of a string.	`length(string) → integer`
Less or equal	Filter - Filters those events where a value is less than or equal to either another field of the same data type or a specified value. Create column - Creates a Boolean column that shows true when a value is less than or equal to either another field of the same data type or a specified value.	`value1 <= value2 → boolean` `le(value1, value2)` `→ boolean`
Less than	Filter - Filters those events where a value is less than either another field of the same data type or a specified value. Create column - Creates a Boolean column that shows true when a value is less than either another field of the same data type or a specified value.	`value1 < value2 → boolean` `lt(value1, value2) → boolean`
Locate	Create column - The column created returns the position of the first occurrence of a specified value in a string, counting from 0. Note that this operation is case sensitive.	`locate(string, string_to_locate) → integer`
Logarithm: base 10	Create column - Returns the base-10 logarithm of the selected number.	`log10(number) → float`
Logarithm: base 2	Create column - Returns the base-2 logarithm of the selected number.	`log2(number) → float`
Logarithm: natural / arbitrary base	Create column - Returns the base-e logarithm of the selected number. Optionally, you can add a second argument to calculate the log base x of a given number.	`log(number) → float` `log(base_number, number) → float`
Longitude	Create column - Returns the longitude of a given geocoord.	`longitude(geocoord) → float`
Lower case	Create column - Adds a new column that converts a string to lowercase letters.	`lower(string) → string`
Make byte array	Create column - Creates a byte array from the given integer values (one or more).	`mkboxar(integer1, integer2, integer3...) → boxar(int1)`
Matches	Filter - Returns those strings that match an indicated regular expression. Create column - Adds a new Boolean column that shows true when a string matches an indicated regular expression. Note that when you enter a string value as a regular expression using LINQ, you have to transform it to regexp format using the Regular expression, regexp (re) operation, as you can see in the examples. This is not needed if you perform this operation directly from the search window interface.	`string ~ re(string) → boolean` `string ~ regexp → boolean` `matches(string, re(string)) → boolean` `matches(string, regexp) → boolean`
Maximum	Aggregation - Returns the highest value of the selected field in each group Create column - Creates a column that shows the highest value in two or more numeric fields or values. See also Minimum (min)	`max(number)` `→ number` This format is only valid if you use the Aggregation operation, that is to say, you must group your data before using it. `max(number1, number2, number3...) → number`
MD5 hash function	Create column - Creates an MD5 hash as a byte array of the given string.	`md5(string) → boxar(int1)`
Median / 2nd quartile / Percentile 50	Aggregation - Returns the median of the values of the selected field in each group.	`median(integer) → integer`
Millisecond	Create column - Returns the duration representation of 1 millisecond, or the milliseconds corresponding to a given timestamp. Optionally, you can add a timezone different than your current one.	`millisecond() →` `1` `millisecond(timestamp) → integer` `millisecond(timestamp, timezone_string) → integer`
Minimum	Aggregation - Returns the lowest value of the selected field in each group. Create column - Creates a column that shows the lowest value in two or more numeric fields or values. See also Maximum (max)	`min(number)` `→ number` This format is only valid if you use the Aggregation operation, that is to say, you must group your data before using it. `min(number1, number2, number3...) → number`
Minute	Create column - Returns the duration representation of 1 minute, or the minutes corresponding to a given timestamp. Optionally, you can add a timezone different than your current one.	`minute() →` `1m` `minute(timestamp) → integer` `minute(timestamp, timezone_string) → integer`
Minute of the day	Create column - Returns the number of minutes elapsed since midnight of the given timestamp. Optionally, you can check it in a time zone different than yours.	`minuteofday(timestamp)` → `integer` `minuteofday(timestamp, timezone_string)` → `integer`
Modulo	Create column - Adds a new column that returns the remainder of the division of the integer values in a field by another field or value. Note that the divisor must be always a positive integer value, otherwise a null value will be returned. The Division remainder (rem, %) operation also returns the remainder of a division, but applies a different formula to calculate it. Go to the operation article to learn more.	`mod(integer1, integer2) → integer` `integer1 %% integer2 → integer`
Month	Create column - Returns the month from a given timestamp. Optionally, you can add a timezone different than your current one.	`month(timestamp) → integer` `month(timestamp, timezone_string) → integer`
Month name	Create column - Returns the name of the month from a given timestamp. Optionally, you can check it in a time zone different than yours and specify the language in which the month name will appear (en by default).	`monthname(timestamp)` → `string` `monthname(timestamp, locale_string)` → `string` `monthname(timestamp, locale_string, timezone_string)` → `string`
Month number	Create column - Returns the number of the month in the year from a given timestamp. This count starts from 1, differing from the Month operation, which starts from 0. Optionally, you can check it in a time zone different than yours.	`monthnumber(timestamp)` → `integer` `monthnumber(timestamp, timezone_string)` → `integer`
Multiplication, product	Create column - Creates a column that returns the product of two or more numbers or the product of an integer number and a duration.	`number1 * number2 * number3... → number` `mul(number1, number2, number3...) → number` `integer * duration → duration` `mul(integer, duration) → duration`
Non-null average	Aggregation - Calculates the average of the non-null values of the selected field in each group.	`nnavg(number) → number`
Non-null standard deviation (biased)	Aggregation - Calculates the biased standard deviation of the non-null values of the selected field in each group.	`nnstddev(number) → number`
Non-null standard deviation (unbiased)	Aggregation - Calculates the unbiased standard deviation of the non-null values of the selected field in each group.	`nnustddev(number) → number`
Non-null variance (biased)	Aggregation - Calculates the biased variance of the non-null values of the selected field in each group.	`nnvar(number) → number`
Non-null variance (unbiased)	Aggregation - Calculates the unbiased variance of the non-null values of the selected field in each group.	`nnuvar(number) → number`
Not	Filter - Returns only the rows where the values in a specified Boolean column are false. Create column - Creates a Boolean column that returns the complement of the values in another Boolean column (the complement of true is false and vice versa).	`not boolean → boolean`
Not equal	Filter - Compares two values of the same type and returns only the events where both values are not the same. Create column - Creates a Boolean column that shows true when two values are not the same. This operation is case sensitive, so same values in lowercase and uppercase will be considered as not equal.	`value1 /= value2 → value` `ne(value1, value2) → value`
Null value locator	Create column - Adds a new column that returns the value specified as the second argument if the first one is null.	`nvl(field_to_check, value_when_null) → value`
Opaque URI	Filter - Retrieves only opaque URIs from a specified field. Create column - Creates a Boolean column that shows true if a given URI is opaque.	`opaqueuri(string) → boolean`
Or	Filter - Retrieves those events where at least one of the given Boolean column values is true. Create column - Creates a Boolean column that returns true only if and only if one of the given arguments are true.	`boolean1 or boolean2 or ... → boolean`
Parse date	Create column - Parses a string representing a date using a custom format, optionally specifying time zone and locale different than your current ones. See the operation article to check the format that the values entered must follow.	`parsedate(string_to_be_parsed, format_string) → string` `parsedate(string_to_be_parsed, format_string, time_zone_string) → string` `parsedate(string_to_be_parsed, format_string, time_zone_string, locale_string) → string`
Parse geocoord format	Create column - Parses a string representing a geocoord in a strict format (type:), as produced by the Represent geocoord format (reprgeo) operation. If the format is not valid, the result of the parsing will be null.	`parsegeo(string) → string`
Peek	Create column - The new column returns the part of a string that matches a given regular expression. Optionally, you can add a capturing group to get a specific substring in case of several matches (being the capturing group 0 the first occurrence ) Note that when you enter a string value as a regular expression using LINQ, you have to transform it to regexp format using the Regular expression, regexp (re) operation, as you can see in the examples. This is not needed if you perform this operation directly from the search window interface.	`peek(string, re(string)) → string` `peek(string, regexp) → string` `peek(string, re(string), capturing_group_integer) → string` `peek(string, regexp, capturing_group_integer) → string`
Percentile 10	Aggregation - Returns the maximum value of the 10th percentile of the values in the selected group for each group, using linear interpolation.	`percentile10(integer) → integer`
Percentile 25 / 1st quartile	Aggregation - Returns the maximum value of the 25th percentile of the values in the selected group for each group, using linear interpolation.	`percentile25(integer) → integer`
Percentile 5	Aggregation - Returns the maximum value of the 5th percentile of the values in the selected group for each group, using linear interpolation.	`percentile5(integer) → integer`
Percentile 75 / 3rd quartile	Aggregation - Returns the maximum value of the 75th percentile of the values in the selected group for each group, using linear interpolation.	`percentile75(integer) → integer`
Percentile 90	Aggregation - Returns the maximum value of the 90th percentile of the values in the selected group for each group, using linear interpolation.	`percentile90(integer) → integer`
Percentile 95	Aggregation - Returns the maximum value of the 95th percentile of the values in the selected group for each group, using linear interpolation.	`percentile95(integer) → integer`
Period	Create column - Aligns a given timestamp to a specific duration or milliseconds value, considering the UTC value of the timestamp.	`period(timestamp, duration) → timestamp` `period(timestamp, integer) → timestamp`
Pi (mathematical constant)	Create column - Adds a new column that returns the number Pi (3.141592653589793).	`pi()`
Power	Create column - Creates a column that returns the base specified raised to the power of an exponent.	`pow(number_base, number_exponent) → number`
Pragma value	Create column -Extracts the pragma value from a given query.	`pragmavalue(language_string, query_string, pragma_key_string) → string`
Real division	Create column - Creates a column that returns the real division of two numbers.	`rdiv(number1, number2) → number` `number1 / number2 → number`
Regular expression, regexp	Create column - Builds a regular expression from the given string pattern.	`re(string) → regexp`
Replace all	Create column - Searches for a value in a given string and returns a new string where all the occurrences (if any) are replaced by another indicated value.	`replaceall(string, string_to_search, string_to_replace) → string`
Replace first	Create column - Searches for a value in a given string and returns a new string where only the first occurrence (if any) is replaced by another indicated value.	`replace(string, string_to_search, string_to_replace) → string`
Represent geocoord format	Create column - Strict string representation of the given geocoord, in a specific format (type:), where type is the geocoord type.	`reprgeo(geocoord) → geocoord` `reprgeo(geocoord(string)) → geocoord`
Reverse	Create column - Reverses the contents of a string or boxarint.	`reverse(string) → string` `reverse(boxar(int1)) → string`
Round coordinates	Create column - Rounds geo-coordinates according to a grid divided depending on the given latitude and longitude precision (in degrees), or to a uniform grid with a specified number of divisions.	`gridlatlon(geocoord, latitude_float, longitude_float) → geocoord` `gridlatlon(geocoord, grid_size_integer) → geocoord`
Rounding	Create column - Adds a new column that rounds the given number to the nearest integer or, if indicated, to a specified number of decimal places. Use Floor (floor) if you want to get the largest previous integers, and Ceiling (ceil) to round to the smallest following integers.	`round(number) → number` `round(number, integer_decimals) → number`
Second	Create column - Returns the duration representation of 1 second, or the seconds from a given timestamp. Optionally, you can add a timezone different than your current one.	`second() →` `1s` `second(timestamp) → integer` `second(timestamp, timezone_string) → integer`
Second of the day	Create column - Returns the number of seconds elapsed since midnight of the given timestamp. Optionally, you can check it in a time zone different than yours.	`secondofday(timestamp)` → `integer` `secondofday(timestamp, timezone_string)` → `integer`
SHA1 hash function	Create column - Adds a new column that returns the SHA1 hash as a byte array of the given string.	`sha1(string) → boxar(int1)`
SHA256 hash function	Create column - Adds a new column that returns the SHA256 hash as a byte array of the given string.	`sha256(string) → boxar(int1)`
SHA512 hash function	Create column - Adds a new column that returns the SHA512 hash as a byte array of the given string.	`sha512(string) → boxar(int1)`
Shannon entropy	Create column - The new column returns the Shannon entropy of a given string.	`shannonentropy(string) → float`
Sign	Create column - The new column represents the sign of the specified numbers, represented as 1 (positive) or -1 (negative). Zero values will return 0.	`signum(number) → integer`
Sine	Create column - Adds a new column that calculates the sine of the selected number.	`sin(number) → float`
Split	Create column - Splits a string by a given literal separator and returns only the selected piece (counting from 0).	`split(string, separator_string, piece_integer) → string`
Split regexp	Create column - Splits a string by a given regular expression and returns only the selected piece (counting from 0). Note that when you enter a string value as a regular expression using LINQ, you have to transform it to regexp format using the Regular expression, regexp (re) operation, as you can see in the examples. This is not needed if you perform this operation directly from the search window interface.	`splitre(string, re(string), piece_integer) → string` `splitre(string, regexp, piece_integer) → string`
Square root	Create column - The new column returns the square root of the values in a numeric field.	`sqrt(number) → float`
Squid Black Lists Flags	Create column - Labels a domain according to Squid Black Lists. If the domain is not included in the blacklist, the column will show no data.	`sbl(domain_string) → string`
Standard deviation (biased)	Aggregation - Calculates the biased standard deviation of the values in the groups of the selected field.	`stddev(number) → number`
Standard deviation (unbiased)	Aggregation - Calculates the unbiased standard deviation of the values in the groups of the selected field.	`ustddev(number) → number`
Starts with	Filter - Filters string values that start with a specified prefix. Create column - Creates a Boolean column that shows true for those strings that start with a specified suffix.	`startswith(string1, string2_prefix) → boolean`
Substitute	Create column - Replace the first match of a regular expression in a given string and replaces it by an indicated pattern in template format. If no occurrence is found, it returns the original expression or an optional specified value. Note that when you enter a string value as a regular expression and template using LINQ, you have to transform them to regexp and template format using the Regular expression, regexp (re) and Template (template) operations, as you can see in the examples. This is not needed if you perform this operation directly from the search window interface.	`subs(string, re(string), template(string)) → string` `subs(string, re(string), template(string), fail_value_string) → string` `subs(string, regexp, template) → string` `subs(string, regexp, template, fail_value_string) → string`
Substitute all	Create column - Replace all the matches of a regular expression in a given string and replaces them by an indicated pattern in template format. If no occurrence is found, it returns the original expression or an optional specified failed value. Note that when you enter a string value as a regular expression and template using LINQ, you have to transform them to regexp and template format using the Regular expression, regexp (re) and Template (template) operations, as you can see in the examples. This is not needed if you perform this operation directly from the search window interface.	`subsall(string, re(string), template(string)) → string` `subsall(string, re(string), template(string), fail_value_string) → string` `subsall(string, regexp, template) → string` `subsall(string, regexp, template, fail_value_string) → string`
Substring	Create column - Extracts a substring from a given string, indicating a starting character. Optionally, you can indicate the length of the substrings. If the length is not specified, you will get all the characters from the starting point indicated.	`substring(string, starting_position_integer) → string` `substring(string, starting_position_integer, length_integer) → string`
Subtraction, minus / Additive inverse	Create column - Adds a new column that returns the subtraction of two fields or the additive inverse (opposite number) of the values in a given column. Depending on the input data types, this operation retrieves different results. See the operation article for more details.	`- number → number` `- duration → duration` `number1 - number2 → number` `duration1 - duration2 → duration` `timestamp1 - timestamp2 → duration` `timestamp - duration → timestamp` `sub(number) → number` `sub(duration) → duration` `sub(number1, number2) → number` `sub(duration1, duration2) → duration` `sub(timestamp1, timestamp2) → duration` `sub(timestamp, duration) → timestamp`
Sum	Aggregation - Returns the total sum of the values of the selected numeric field in each group.	`sum(number) → number`
Sum Square	Aggregation - Returns the total sum of squares of the values of the selected numeric field in each group.	`sum2(number) → number`
Table name	Create column - Creates a new column that extracts the table name from a specified query, given its language.	`tablename(language_string, query_string) → string`
Tangent	Create column - Adds a new column that calculates the tangent of a selected number.	`tan(number) → float`
TCP ACK	Create column - Returns the acknowledgment number (ACK) of a TCP segment.	`tcpack(packet) → integer`
TCP checksum	Create column - Returns the checksum value of a TCP segment.	`tcpcs(packet) → integer`
TCP destination port	Create column - Returns the destination port of a TCP segment.	`tcpdst(packet) → integer`
TCP flags	Create column - Returns the flags or control bits value of a TCP segment.	`tcpflags(packet) → integer`
TCP header length	Create column - Returns the header length or data offset of a TCP segment. The minimum length is 5 words (20 bytes) and the maximum is 15 words (60 bytes).	`tcphl(packet) → integer`
TCP payload	Create column - Returns the payload or data section of a TCP segment.	`tcppayload(packet) → boxar(int1)`
TCP sequence number	Create column - Returns the sequence number of a TCP segment.	`tcpseq(packet) → boxar(int1)`
TCP source port	Create column - Returns the source port of a TCP segment. This value identifies the sending port.	`tcpsrc(packet) → integer`
TCP status	Create column - Returns the status of a TCP packet.	`tcpstatus(packet) → string`
TCP urgent pointer	Create column - Returns the urgent pointer of a TCP segment. If the URG flag is set, this field is an offset from the sequence number indicating the last urgent data byte.	`tcpurg(packet) → integer`
TCP window size	Create column - Returns the received window size of a TCP segment. This field specifies the number of bytes that the sender of the segment is currently willing to receive.	`tcpwin(packet) → integer`
Template	Create column - Builds a template from the given string definition. A template is a replacement string (in template data type) that also admits capturing groups (for example \1 will use the capturing group 1 as a template). You can use the templates generated using this operation in the Substitute (subs) and Substitute all (subsall) operations.	`template(string) → template`
Timestamp	Create column - Converts an integer or a valid string (epoch) into normal date format in timestamp data type. The string valid format should be Year-Month-Day Hour:Minute:Second.Millisecond, where all the fields are numbers. Epoch date should be in milliseconds. See also the epoch function.	`timestamp(number) → timestamp`
To base16, b16, hex	Create column - Returns a hexadecimal (base16) string from the given byte array.	`to16(boxar(int1)) → string`
To base16	Create column - Converts an integer to its corresponding hexadecimal number (base 16).	`hex(integer) → string`
To base64, b16, hex	Create column - Returns a base64 string from the given byte array.	`to64(boxar(int1)) → string`
To BigInt	Create column - Converts a valid number string, a float number, an int, a json that contains a valid number, or a MAC address into a big integer number. Note that float numbers are not rounded, so the result will be the integral part. You can also extract an integer value from a json (json data type) using the Jq evaluation (jqeval) operation and convert it into integer type.	`bigint(number_string) → integer` `bigint(float) → integer` `bigint(mac) → integer` `bigint(json_integer) → integer`
To boolean	Create column - Transforms the JSON objects in a specified json field into boolean data type. Note that you must first extract a part of the JSON that represents a Boolean value (true, false) using the Jq evaluation (jqeval) operation.	`bool(json_boolean) → boolean`
To Float	Create column - Converts a valid number string or an integer into a float number. You can also extract a float value from a json (json data type) using the Jq evaluation (jqeval) operation and convert it into float type.	`float(number_string) → float` `float(integer) → float` `float(json_float) → float`
To image	Create column - Converts a Base64 string into an image. The string values specified must always be preceded by the pattern extension;base64; where extension is the file extension of the image (for example png, jpg...). For example: png;base64;4AAQskZg...	`image(base64_string) → image`
To Int	Create column - Converts a valid number string, a float number or a MAC address into an integer number. Note that float numbers are not rounded, so the result will be the integral part. You can also extract an integer value from a json (json data type) using the Jq evaluation (jqeval) operation and convert it into integer type.	`int(number_string) → integer` `int(float) → integer` `int(mac) → integer` `int(json_integer) → integer`
To IPv4	Create column - Converts an integer or a string representing an IPv4 address into an IPv4 address in ip data type.	`ip4(ipv4_string) → ip` `ip4(ipv4_integer) → ip`
To IPv4 net	Create column - Converts a string or integer representing an IPv4 network into net4 data type.	`net4(net4_string) → net4` `net4(net4_integer) → net4`
To IPv6 (compatible)	Create column - Converts an IPv4 address into an IPv4-compatible IPv6 address.	`compatible(ip) → ip6`
To IPv6	Create column - Converts a string representing an IPv4 address or an IPv4 address in ip data type into an IPv6 address	`ip6(ipv4_string) → ip6` `ip6(ip) → ip6`
To IPv6 (mapped)	Create column - Converts an IPv4 address into an IPv4-mapped IPv6 address.	`mapped(ip) → ip6`
To IPv6 (translated)	Create column - Converts an IPv4 address into an IPv4-translated IPv6 address.	`translated(ip) → ip6`
To IPv6 net	Create column - Converts a string representing an IPv6 network address into net6 data type.	`net6(ipv4_string) → net6`
To json	Create column - Converts a field of string data type to json data type. The json data type is required as an input argument for the Jq evaluation (jqeval) operation.	`jsonparse(string) → json`
To MAC address	Create column - Converts a valid string or integer into a MAC address.	`mac(``string) → mac` `mac(``integer) → mac`
To string (str)	Create column - Converts an integer, float, timestamp, ip, geocoord or mac type value into string data type. You can also extract a string value from a json (json data type) using the Jq evaluation (jqeval) operation and convert it into string type.	`str(field) → string` `str(json_string) → string`
To string (stringify)	Create column - Converts a JSON object (json data type) into string data type.	`stringify(json) → string`
To UTF8	Create column - Creates a byte array from a UTF8 string.	`toutf8(utf8_string) → boxar(int1)`
To Z85, base85	Create column - Returns a Z85 string from the given byte array.	`toz85(boxar(int1)) → string`
Today	Create column - Returns the start time of the current day, considering your current time zone. Optionally, you can add a timezone different than your current one.	`today() →` `timestamp` `today(timezone_string) → timestamp`
Tomorrow	Create column - Returns the start time of the following day, considering your current time zone. Optionally, you can add a timezone different than your current one.	`tomorrow() →` `timestamp` `tomorrow(timezone_string) → timestamp`
Trim both sides	Create column - Removes the white space from the beginning and the end of a string.	`trim(string) → string`
Trim the left side	Create column - Removes all the extra spaces from the beginning of a string.	`ltrim(string) → string`
Trim the right side	Create column - Removes the white space from the end of a string.	`rtrim(string) → string`
UDP checksum	Create column - Returns the checksum value of an UDP datagram. This value is used for error checking of the header and data. It carries all-zeros if unused.	`udpcs(packet) → integer`
UDP destination port	Create column - Returns the destination port of an UDP datagram. This value identifies the receiving port.	`udpdst(packet) → integer`
UPD length	Create column - Returns the length of an UDP datagram. This field specifies the length in bytes of the UDP header and UDP data.	`udplen(packet) → integer`
UDP payload	Create column - Returns the payload of an UDP datagram. Note that non-encrypted data can be shown using From UTF8 (fromutf8).	`udppayload(packet) → boxar(int1)`
UDP source port	Create column - Returns the source port of a UDP datagram. This value identifies the receiving port.	`udpsrc(packet) → integer`
UDP status	Create column - Returns the status of a UDP packet.	`udpstatus(packet) → integer`
Upper case	Create column - Adds a new column that converts a string to uppercase letters.	`upper(string) → string`
URI authority	Create column - Extracts the authority from a URI (the host part plus the port) and returns a string.	`uriauthority(uri_string) → string`
URI fragment	Create column - Extracts the URI fragment in a URI, if exists.	`urifragment(uri_string) → string`
URI host	Create column - Extracts the URI host from a URI (the host part, except the port). It also checks the URI authority.	`urihost(uri_string) → string`
URI path	Create column - Extracts the URI path from a URI (what comes after the host).	`uripath(uri_string) → string`
URI port	Create column - Extracts the port number from a URI.	`uriport(uri_string) → integer`
URI query	Create column - Extracts the query string from an URI.	`uriquery(uri_string) → string`
URI scheme	Create column - Parses a URI to extract the scheme.	`urischeme(uri_string) → string`
URI ssp	Create column - Extracts the ssp from a URI.	`urissp(uri_string) → string`
URI user	Create column - Parses a URI to extract the user.	`uriuser(uri_string) → string`
URL decode	Create column - Decodes the given URL replacing each escape sequence with the character it represents. An escape sequence is formed by a % followed by the hex value of a character.	`urldecode(url_string) → string`
User Agent Company	Create column - Parses the User Agent to extract the creator company.	`uacompany(ua_string) → string`
User Agent Company URL	Create column - Parses the User Agent to extract the creator company URL.	`uacompanyurl(ua_string) → string`
User Agent Device Icon	Create column - Parses the User Agent to extract the device type icon.	`uadeviceicon(ua_string) → string`
User Agent Device Information URL	Create column - Parses the User Agent to extract the device information URL.	`uadeviceinfourl(ua_string) → string`
User Agent Device Type	Create column - Parses the User Agent to extract the device type.	`uadevicetype(ua_string) → string`
User Agent Family	Create column - Parses the User Agent to extract its family.	`uafamily(ua_string) → string`
User Agent Icon	Create column - Parses the User Agent to extract its icon.	`uaicon(ua_string) → string`
User Agent Information URL	Create column - Parses the User Agent to extract its information URL.	`uainfourl(ua_string) → string`
User Agent is Robot	Filter - Parses the user agents in a given field and returns only the ones identified as bots. Create column - Creates a Boolean column that shows true if a user agent string is identified as a robot.	`uaisrobot(ua_string) → boolean`
User Agent Name	Create column - Parses the User Agent to extract its name.	`uaname(ua_string) → string`
User Agent OS Company	Create column - Parses the User Agent to extract the OS creator company.	`uaoscompany(ua_string) → string`
User Agent OS Company URL	Create column - Parses the User Agent to extract the OS creator company URL.	`uaoscompanyurl(ua_string) → string`
User Agent OS Family	Create column - Parses the User Agent to extract its OS family.	`uaosfamily(ua_string) → string`
User Agent OS Icon	Create column - Parses the User Agent to extract the OS icon.	`uaosicon(ua_string) → string`
User Agent OS Name	Create column - Parses the User Agent to extract the OS name.	`uaosname(ua_string) → string`
User Agent OS URL	Create column - Parses the User Agent to extract the OS URL.	`uaosurl(ua_string) → string`
User Agent type	Create column - Parses the User Agent to extract its type.	`uatype(ua_string) → string`
User Agent URL	Create column - Parses the User Agent to extract its URL.	`uaurl(ua_string) → string`
User Agent Version	Create column - Parses the User Agent to extract its version.	`uaversion(ua_string) → string`
Variance (biased)	Aggregation - Calculates the biased variance of the values of the selected field in each group.	`var(number) → float`
Variance (unbiased)	Aggregation - Calculates the unbiased variance of the values of the selected field in each group.	`uvar(number) → float`
Year	Create column - Returns the year from a given timestamp. Optionally, you can add a timezone different than your current one.	`year(timestamp) → integer` `year(timestamp, timezone_string) → integer`
Yesterday	Create column - Returns the start time of the previous day, considering your current time zone. Optionally, you can add a timezone different than your current one.	`yesterday() → timestamp` `year(timezone_string) → timestamp`