PREVIOUS LINQ

NEXT LINQ query examples

Performing operations using LINQ


As explained in the Available operations articles, you can apply operations to your queries directly on the data table, using the Devo application interface. However, these operations can also be writen in the query script using the LINQ language. Depending on the type of operation you want to perform, you need to add specific query expressions. It is possible to combine multiple operations in a query to get the necessary information.

For example, the following is a LINQ query where we want to retrieve only those events with status code 404 grouped each 20 minutes, displaying the method and clientIpAddress columns. Aditionally, we have created the myCount column to count the records in each interval. For more examples using different operations, see the LINQ query examples section.

from demo.ecommerce.data
where statusCode = 404
group every 10m by method, clientIpAddress
every 10m
select count() as myCount

The following sections include the LINQ expressions you must use to perform every single type of operation in Devo:

Aggregation operations

These are the necessary clauses you need to add to your LINQ query in order to perform an aggregation operation: 

from table name
group every server period by column1, column2
every browser period
select aggregation operation 1(column) as NewColumnName1,
aggregation operation 2(column) as NewColumnName2,

...

For example, this query returns the average of bytes transferred every 5 minutes for each status code.

from demo.ecommerce.data
group every 5m by statusCode
every 5m
select avg(bytesTransferred) as AvgOfBytes

And this one returns the first non-null client IP address every 10 minutes for each method.

from demo.ecommerce.data
group every 10m by method
every 10m
select nnfirst(clientIpAddress) as FirstNonNullIP

The following table includes the LINQ expressions for all the available aggregation operations in Devo.

Operation

Description

Examples

avg()

Returns the average of the values of the selected column.

avg(field)

count()

Returns either the number of rows in a group (if you add no arguments) or the number of non-null values in a group (if you add an argument).

count(field)

first()

Returns the first value of a group.

first(field)

nnfirst()

Returns the first not null value of a group.

nnfirst(field)

hllpp()

Returns the HyperLogLog distinct estimation data structure of each group of a column.

hllpp(field)

hllppcount()

Returns the HyperLogLog distinct estimation of each group of a column.

hllppcount(field)

last()

Returns the last value of a group.

last(field)

nnlast()

Returns the last non-null value of a group.

nnlast(field)

max()

Returns the highest value of the groups of the selected column.

max(field)

median()

Returns the median of the groups of the selected column.

median(field)

min()

Returns the lowest value of the groups of the selected column.

min(field)

nnavg()

Returns the average of the non-null values of the selected column.

nnavg(field)

nnstddev()

Returns the biased standard deviation of the non-null values from the selected column.

nnstddev(field)

nnustddev()

Returns the unbiased standard deviation of the non-null values from the selected column.

nnustddev(field)

nnvar()

Returns the biased variance of the non-null values of the selected column.

nnvar(field)

nnuvar()

Returns the unbiased variance of the non-null values of the selected column.

nnuvar(field)

percentile25()

Returns the maximum value of the 25th percentile using a linear interpolation.

percentile25(field)

percentile5()

Returns the maximum value of the 5th percentile using a linear interpolation.

percentile5(field)

percentile75()

Returns the maximum value of the 75th percentile using a linear interpolation.

percentile75(field)

percentile95()

Returns the maximum value of the 95th percentile using a linear interpolation.

percentile95(field)

stddev()

Returns the biased standard deviation of the values from the selected column.

stddev(field)

ustddev()

Returns the unbiased standard deviation of the values from the selected column.

ustddev(field)

sum()

Returns the total sum of a numeric column.

sum(field)

sum2()

Returns the sum of squares of a numeric column.

sum2(field)

var()

Returns the biased variance of the values of the selected column.

var(field)

uvar()

Returns the unbiased variance of the values of the selected column.

uvar(field)

Filtering operations

These are the necessary clauses you need to add to your LINQ query in order to perform a filtering operation:

from table name
where filter1,
filter2

...

For example, the following query performs a filter to get only those events where the number of bytes sent is greater than 800:

from demo.ecommerce.data
where bytesTransferred > 800

And this one returns the events where the client IP address is not null and the bytes transferred are less than 1000:

from demo.ecommerce.data
where isnotnull(clientIpAddress),
bytesTransferred < 1000

Filtering operations are classified into the following groups:

Order group ] [ String group ] [ General group ] [ Name group ] [ Network group ] [ Logic group ] [ Web group ]

Order group

Operation

Description

Examples

=, eq()

Compares if two values of the same type are quantitatively the same. It returns only the rows where both values coincide.

field=”value”

eq(field, “value”)

>=

Returns those events where a specific value is greater than or equal to another one.

field >= 5

field1 >= field2

Returns those events where a specific value is greater than another one.

field > 5

field1 > field2

<=

Returns those events where a specific value is less than or equal to another one.

field <= 5

field1 <= field2

Returns those events where a specific value is less than another one.

field < 5

field1 < field2

/=, ne()

Returns those events where a specific value is not equal to another one.

field /= “value”

ne(field, “value”)

String group

Operation

Description

Examples

toktains()

Checks for the presence of a specific alphanumerical set of characters (token) in a given string.

toktains(field, “value”)

->, has()

Checks for the presence of one or more values in a given string. The filter will show those strings containing at least one of the indicated values.

field -> “value”

has(field, “value”)

endswith()

Returns strings that end with a specific suffix.

endswith(field, “value”)

~, matches()

Returns those strings that match an indicated regular expression.

field ~ re(“([A-Z])\w+”)

matches(field, re(“([A-Z])\w+”))

startswith()

Returns strings that start with a specific prefix.

startswith(field, “value”)

General group

Operation

Description

Examples

isnotnull()

Verifies if a given value of any supported type is not null.

isnotnull(field)

isnull()

Verifies if a given value of any supported type is null.

isnull(field)

Name group

Operation

Description

Examples

anymatches()

Searches for any name that matches a specific pattern.

anymatches(tables, nameglob("my.app.demo.datateam"))

Network group

Operation

Description

Examples

in

Retrieves those IPv4 that are on a specific net.

someIPfield in 23.48.39.0/16

isprivate()

Retrieves those IPv4 that are private.

isprivate(someIPfield)

ispublic()

Retrieves those IPv4 that are public.

ispublic(someIPfield)

Logic group

Operation

Description

Examples

and

Retrieves those columns where all the given arguments are true.

field>100 and field<200

not

Returns only the false values in the indicated Boolean column.

not field = “value”

or

Retrieves those columns where at least one of the given arguments is true.

field = “value” or field = “value2”

Web group

Operation

Description

Examples

absoluteuri()

Retrieves those URIs that are absolute.

absoluteuri(uri_field)

opaqueuri()

Retrieves those URIs that are opaque.

opaqueuri(uri_field)

uaisrobot()

Parses the user agent and identifies if it is a robot.

uaisrobot(user_agent_field)

Create column operations

These are the necessary clauses you need to add to your LINQ query in order to perform a create column operation:

from table name
select
aggregation operation 1(column) as NewColumnName1,
aggregation operation 2(
column) as NewColumnName2,

...

For example, the following query creates two columns showing the corresponding latitude and longitude values of the IPs in the ClientIpAddress column of the table.

from demo.ecommerce.data
select mmlatitude(clientIpAddress) as Latitude,
mmlongitude(clientIpAddress) as Longitude

And this one displays the definitions of the status codes in a new column.

from demo.ecommerce.data
select decode(statusCode, 200, "Successful Login", 400, "Bad/Invalid Request", 401, "Invalid Password/Username") as StatusCodeMessages

Create column operations are classified into the following groups:

Order group ] Arithmetic group ] [ String create ] [ General group ] [ Date create ] [ Name group ] [ Network group ] [ Geolocation group ] [ Logic group ] [ Flow group ] [ Web group ] [ Mathematical group ] [ Conversion group ] [ Cryptography group ] [ Packet group ]

Order group

Operation

Description

Examples

=, eq()

Compares if two values of the same type are quantitatively the same.

field = “value”

eq(field, “value”)

>=, ge()

Returns the true value if one argument is greater than or equal to the other one.

field >= 15

ge(field, 15)

>, gt()

Returns the true value if one argument is greater than the other one.

field > 15

gt(field, 15)

<=, le()

Returns the true value if one argument is less than or equal to the other one.

field = “value”

le(field, “value”)

<, lt()

Returns the true value if one argument is less than the other one.

field = “value”

lt(field, “value”)

max()

Compares numerical values and returns the highest number.

max(field)

max(1, -10, 13, 2, 28)

min()

Compares numerical values and returns the smallest number.

min(field)

min(1, -10, 13, 2, 28)

/=, ne()

Returns the true value if two arguments are not the same.

field /= “value”

ne(field, “value”)

Arithmetic group

Operation

Description

Examples

abs()

Returns the non-negative value of a real number without regard to its sign.

abs(field)

+, add()

Returns the addition or concatenation of the given elements.

field1 + field2

add(field, 5)

ceil()

Rounds a number up, returning the smallest following integer.

ceil(field)

cbrt()

Returns the cube root of a specific argument.

cbrt(field)

\, div()

Returns the division of two numbers or the division of a duration and a number. When both numbers are integer and the division is not exact, the result will be the value of the quotient.

field1 \ 100

div(field1, field2)

floor()

Maps a real number to the previous following integer.

floor(field)

mod()

Returns the remainder after the division of one number by another.

mod(field1, 10)

*, mul()

Returns the product of two or more numbers or the product of a number and a duration.

field * 100

mul(field1, field2)

pow()

Returns the base(arg_1) raised to the power of the exponent(arg_2).

pow(field, 2)

/, rdiv()

Returns the real division of two numbers.

rdiv(field, 3)

field / 3

round()

Maps a given real number to the nearest integer or to a given precision in decimal digits.

round(field)

signum()

Extracts the sign of a real number, represented as 1(positive) or -1(negative). Zero value is retrieved as 0.

signum(field)

sqrt()

Returns the square root of a specific argument.

sqrt(field)

-, sub()

Returns the difference between two numbers / durations / timestamps / duration and timestamp or the additive inverse of a number / duration.

field1 - field2

sub(field, 10)

String group

Operation

Description

Examples

toktains()

Checks for the presence of a token in a given string.

toktains(field, “value”)

->, has()

Checks for the presence of one or more values in a given string. If the string contains at least one value, then the result will be true.

field -> “value”

has(field, “value”)

damerau()

Returns the Damerau edit distance between two strings. This distance, which is a variation of the Levenshtein distance, represents the minimum number of operations (insertions, deletions, substitutions and transpositions) required to transform one string into the other.

damerau(field1, field2)

hamming()

Returns Hamming distance between two strings. This distance is the number of positions in which the corresponding symbols are different or the minimum number of changes required to transform one string into the other.

hamming(field1, field2)

levenshtein()

Returns the Levenshtein edit distance between two strings. This distance is the minimum number of operations (insertions, deletions and substitutions) required to transform one string into the other.

levenshtein(field1, field2)

osa()

Returns the OSA (optimal string alignment) edit distance between two strings. This distance, which is a variation of the Damerau distance, is the minimum number of operations (insertions, deletions, substitutions and transpositions) required to transform one string into the other, but with the condition that no substring is edited more than once.

osa(field1, field2)

endswith()

Returns strings that end with a specific suffix.

endswith(field, “value”)

formatnumber()

Formats a number according to a format and locale, if specified. It is used to separate the digits following the specified format. The result will be a string formatted as specified, depending on the locale (if set).

formatnumber(1234567890, “#,###”) => 1,234,567,890

formatnumber(1234.567, “#,###.0”, “en”) => 1,234.6

formatnumber(0.55, “#%”) => 55%

length()

Returns the length of a string.

length(field)

locate()

Returns the position of the first occurrence of a specified value in a string, counting from 0.

locate(field, “o”)

lower()

Converts a string to lowercase.

lower(field)

~, matches()

Checks if a string matches a regular expression.

field ~ re(“([A-Z])\w+”)

matches(field, re(“([A-Z])\w+”))

peek()

Returns a string that matches the given regular expression or the content of the specified capturing group.

peek(field, re(“([A-Z])\w+”), 1)

replaceall()

Searches in a string for a specific value and returns a new string where all the occurrences of this value (if any) are replaced.

replaceall(field, “blue”, “red”)

replace()

Searches a string for a specified value and returns a new string where only the first occurrence of this value (if any) is replaced.

replace(field, “blue”, “red”)

shannon()

Returns the Shannon entropy of a given string.

shannon(field)

split()

Splits a string by a given literal separator and returns only the selected piece (counting from 0).

split(field, “|”, 0)

splitre()

Splits a string by a given regular expression and returns only the selected piece (counting from 0).

splitre(field, re("-[0-9]+-"), 1)

startswith()

Returns strings that start with a specific prefix.

startswith(field, “A”)

subs()

Matches the first occurrence of a regular expression and substitutes it by a template. In case of failure, returns the original expression or returns the failed value (if given).

subs("hello <insert sth here>", re("<.+$"), template("world"))

subsall()

Substitutes all occurrences of a regular expression by a template.

subsall("123 456 789". re("([0-9]+)\s"), template("\1-"))

substring()

Extracts a substring from a given string(initial position and length). If the length is not specified, the right part of the resulting substring will be the same as the original string, as this value will be the difference between the total length and the initial position of the substring.

substring(field, 3)

substring(“hello world”, 0, 4)

trim()

Removes the white space from the beginning and the end of a string.

trim(field)

ltrim()

Removes the white space from the beginning of a string.

ltrim(field)

rtrim()

Removes the white space from the end of a string.

rtrim(field)

upper()

Converts a string to uppercase letters.

upper(field)

General group

Operation

Description

Examples

isnotnull()

Verifies if a given value of any supported type is not null.

isnotnull(field)

isnull()

Verifies if a given value of any supported type is null.

isnull(field)

Date group

Operation

Description

Examples

day()

Returns the duration representation of 1 day or the day of the month from timestamp(0-30).

day(datefield)

dayofweek()

Returns the day of the week from timestamp, 0(Sunday)-6(Saturday).

dayofweek(datefield)

dayofyear()

Returns the day of the year from timestamp, 0-365.

dayofyear(datefield)

epoch()

Converts a date into an epoch reference date: number of milliseconds since midnight Jan 1, 1970.
See also the timestamp function (reverse).

epoch(datefield)

hour()

Returns the duration representation of 1 hour or the hour from timestamp(0-23).

hour(datefield)

millisecond()

Returns the duration representation of 1 millisecond/ the duration value as milliseconds or the millisecond from timestamp(0-999).

millisecond(datefield)

minute()

Returns the duration representation of 1 minute or the minute from timestamp(0-59).

minute(datefield)

month()

Returns the month from timestamp (0-11).

month(datefield)

period()

Aligns a date to a period or duration.

period(datefield, 100d)

second()

Retrieves the duration representation of 1 second or the second from the timestamp(0-59).

second(datefield)

today()

Retrieves the start of the current day.

today(“Europe/Madrid”)

tomorrow()

Retrieves the start of tomorrow's date.

tomorrow(“Europe/Madrid”)

year()

Retrieves the year from the timestamp.

year(datefield)

yesterday()

Retrieves the start of yesterday date.

yesterday("Europe/Madrid")

Name group

Operation

Description

Examples

anymatches()

Searches for any name that matches a specific pattern.

anymatches(tables, nameglob("my.app.demo.datateam"))

nameglob()

Creates a glob pattern on names. Glob patterns specify sets of filenames with wildcard characters.

nameglob(field)

Network group 

Operation

Description

Examples

httpstatusdescription()

Returns HTTP Status Description from the HTTP Status Code.

httpstatusdescription(message_status)

httpstatustype()

Returns HTTP Status Type from the HTTP Status Code.

httpstatustype(message_status)

ipprotocol()

Converts an IP protocol name to its protocol code or an IP protocol code to its protocol name.

ipprotocol(protocol)

purpose()

Checks if an IPv4 is a public address.

purpose(ip_field)

reputationscore()

Assigns a reputation score to an IP address according to several IP reputation lists(the higher the value represents the worst the reputation).

reputationscore(ip_field)

reputation()

Labels an IP address according to several IP reputation lists.

reputation(ip_field)

isprivate()

Retrieves those IPv4 that are private.

isprivate(ip_field)

ispublic()

Retrieves those IPv4 that are public.

ispublic(ip_field)

in

Retrieves those IPv4 that are on a specific net.

ip_field in 110.11.0.0/8

sbl()

Labels an account according to Squid Black Lists.

sbl(domain)

Geolocation group 

Operation

Description

Examples

mmasowner()

Geolocates an IP address and returns the AS (autonomous system) owner name.

mmasowner(ip_field)

mmasn()

Geolocates an IP address and returns the ASN (autonomous system number). An ASN is an unique number assigned to an AS (autonomous system) by IANA.

mmasn(ip_field)

mmcity()

Geolocates an IP and returns the city name.

mmcity(ip_field)

mmspeed()

Geolocates an IP and returns the connection speed category.

mmspeed(ip_field)

mmcountry()

Geolocates an IP and returns the country code.

mmcountry(ip_field)

mmlatitude()

Geolocates an IP and returns the corresponding latitude.

mmlatitude(ip_field)

mmlongitude()

Geolocates an IP and returns the corresponding longitude.

mmlongitude(ip_field)

mmorg()

Geolocates an IP and returns the organization name.

mmorg(ip_field)

mmpostalcode()

Geolocates an IP and returns the corresponding postal code.

mmpostalcode(ip_field)

mmregion()

Geolocates an IP and returns the region code.

mmregion(ip_field)

mmregionname()

Geolocates an IP and returns the region name.

mmregionname(ip_field)

geohash()

Generates a geocoord based on geohash coordinates. This can be done using a geohash string or another geocoord. Geohash geocoords are based on the geohash string of coordinates. Their precision depends on the length of the geohash string: the longer, the more precise.

geohash(coord_field)

geocoord()

Generates a geocoord from the given string, which must be a valid representation of one of the supported coordinate systems, listed below:

  • Latlon - based on latitude and longitude and represented as sexagesimal coordinates, using degrees, minutes, seconds and position. Here is an example: 40°24'46.3"N 3°41'43.8"W.

  • Geohash - Hash representation of coordinates, called geohash. Here is an example: ezjmguvj.

geocoord(field)
geohash(geocoord("ezjmguvj"), 7)

geohashstr()

Returns the geohash string of the given geocoord and length (8 if not specified).

geohashstr(latlon(40.412856, -3.695502), 12)

geohashstr(geohash("ezjmguvj"))

latitude()

Returns the latitude of the given geocoord.

latitude(latlon(40.412856, -3.695502))

longitude()

Returns the longitude of the given geocoord.

longitude(latlon(40.412856, -3.695502))

coordsystem()

Returns the coordsystem of the given geocoord.

coordsystem(geocoord("40°24'46.2\"N 3°41'43.8\"W"))

distance()

Returns the distance in meters between two geocoords.

distance(latlon(40.412856, -3.695502), latlon(40.412856, -3.695502)))

gridlatlon()

Rounds geo-coordinates according to a grid divided depending on the given latitude and longitude precision (in degrees), or to an uniform grid with the specified number of divisions.

gridlatlon(latlon(40.412856, -3.695502), 5, 5)

gridlatlon(geohash("9q9k8n51"), 30, 90)

latlon()

Generates a geocoord based on sexagesimal coordinates. It can be done using latitude and longitude numerical values, another geocoord or a coordinate string.

latlon(40.412845, -3.695500)

latlon(geocoord("40°24'46.2\"N 3°41'43.8\"W"))

mmcoordinates()

Geolocates an IP address and returns its coordinates.

mmcoordinates(ip_field)

parsegeo()

Parses a geocoord in a strict format (type:<value>), as produced by the Represent geocoord format operation. If the format is not valid, the result of the parsing is null.

parsegeo(:geohash:78zz0)

parsegeo(":latlon:36°N 20°W")

reprgeo()

Strict string representation of the given geocoord, in a specific format (type:<value>), where type is the geocoord type.

reprgeo(geocoord("78z0"))

continentalpha2()

Returns the ISO-3166-1 Continent Alpha-2 Code from any continent identification.

continentalpha2("Europe")

continentname()

Returns the ISO-3166-1 Continent Name from any continent identification.

continentname("EU")

countryalpha2()

Returns the ISO-3166-1 Country Alpha-2 Code from any country identification.

countryalpha2("Spain")

countrycontinent()

Returns the ISO-3166-1 Country Alpha-2 Continent from any country identification.

countrycontinent("Spain")

countryalpha3()

Returns the ISO-3166-1 Country Alpha-3 Code from any country identification.

countryalpha3("Spain")

countrylatitude()

Returns the ISO-3166-1 Country Latitude from any country identification.

countrylatitude("Spain")

countrylongitude()

Returns the ISO-3166-1 Country Longitude from any country identification.

countrylongitude("Spain")

countryname()

Returns the ISO-3166-1 Country Name from any country identification.

countryname("ES")

Logic group 

Operation

Description

Examples

and

This is a logical conjunction that returns true only if all the given arguments are true. This operation admits more than two arguments, using the same format.

field1 and field2

not

This is a logical complement that returns the complement of the given argument. The negation of true is false and vice versa.

not field1

or

This is a logical disjunction that returns true if any of the given arguments is true. This operation admits more than two arguments, using the same format.

field1 or field2

Flow group

Operation

Description

Examples

ifthenelse()

Conditional operation that will return the second argument if the expression given as first argument is true, and the third one in other case.

ifthenelse(field = “value”, "yes", "no")

decode()

Conditional operation that maps from one set of values into another by returning a specific argument with either another specific argument or a default value (null if not set), depending on the result of an equality/match condition. This operation is another conditional control flow statement, but unlike the if-then-else operation, multiple execution paths are allowed.

decode(field = “value”, true, "OK", false, "DIFF")

nvl()

Conditional operation that returns the value specified as second argument if the first one is null.

nvl(field, "BLANK")

Web group

Operation

Description

Examples

absoluteuri()

Retrieves those URI that are absolute.

absoluteuri(uri_field)

opaqueuri()

Retrieves those URI that are opaque (mainly referring to URI that do not describe a path to a resource, for example: mailto:a@b.com)

opaqueuri(uri_field)

uriauthority()

Extracts the authority from a URI (the host part plus the port) and returns a string.

uriauthority(uri_field)

urifragment()

Extracts the URI fragment in a URI, if exists.

urifragment(uri_field)

urihost()

Extracts the URI host from an URI (the host part, except the port). It also checks the URI authority.

urihost(uri_field)

uripath()

Extracts the URI path from an URI (what comes after the host).

uripath(uri_field)

uriport()

Extracts the port number from an URI.

uriport(uri_field)

uriquery()

Extracts the query string from an URI.

uriquery(uri_field)

urischeme()

Parses an URI to extract the scheme.

urischeme(uri_field)

urissp()

Extracts the ssp from an URI.

urissp(uri_field)

uriuser()

Parses an URI to extract the user.

uriuser(uri_field)

uacompany()

Parses the User Agent to extract the creator company.

uacompany(ua_field)

uacompanyurl()

Parses the User Agent to extract the creator company URL.

uacompanyurl(ua_field)

uadeviceicon()

Parses the User Agent to extract the device type icon.

uadeviceicon(ua_field)

uadeviceinfourl()

Parses the User Agent to extract the device information URL.

uadeviceinfourl(ua_field)

uadevicetype()

Parses the User Agent to extract the device type.

uadevicetype(ua_field)

uafamily()

Parses the User Agent to extract its family.

uafamily(ua_field)

uaicon()

Parses the User Agent to extract its icon.

uaicon(ua_field)

uainfourl()

Parses the User Agent to extract its information URL.

uainfourl(ua_field)

uaname()

Parses the User Agent to extract its name.

uaname(ua_field)

uaoscompany()

Parses the User Agent to extract the OS creator company.

uaoscompany(ua_field)

uaoscompanyurl()

Parses the User Agent to extract the OS creator company URL.

uaoscompanyurl(ua_field)

uaosfamily()

Parses the User Agent to extract its OS family.

uaosfamily(ua_field)

uaosicon()

Parses the User Agent to extract the OS icon.

uaosicon(ua_field)

uaosname()

Parses the User Agent to extract the OS name.

uaosname(ua_field)

uaosurl()

Parses the User Agent to extract the OS URL.

uaosurl(ua_field)

uaurl()

Parses the User Agent to extract its URL.

uaurl(ua_field)

uaversion()

Parses the User Agent to extract its version.

uaversion(ua_field)

uaisrobot()

Parses the User Agent and identifies if it is a robot.

uaisrobot(ua_field)

uatype()

Parses the User Agent to extract its type.

uatype(ua_field)

Mathematical group 

Operation

Description

Examples

acos()

Return the arc cosine of a specific argument.

acos(field)

asin()

Returns the arc sine of a specific argument.

asin(field)

atan()

When invoked with one argument, it returns the arc tangent of arg_1. When invoked with two arguments, it returns the arc tangent of the coordinates (arg_1, arg2).

atan(field)

atan(field1, field2)

band()

Retrieves the Bitwise AND of the specified arguments.

band(field1, field2)

bnot()

Retrieves the Bitwise NOT of the specified arguments.

bnot(field)

bor()

Retrieve the Bitwise OR of the specified arguments.

bor(field1, field2)

bxor()

Retrieves the Bitwise XOR of the specified arguments.

bxor(field1, field2)

lshift()

Shifts arg_1 to the left as many positions as specified in arg_2.

lshift(field1, field2)

rshift()

Shifts arg_1 to the right as many positions as specified in arg_2.

rshift(field1, field2)

urshift()

Shifts arg_1 to the right as many positions as specified in arg_2.

urshift(field1, field2)

cos()

Returns the cosine of the specified argument.

cos(field)

exp()

Returns the value of e to the power of the argument.

exp(field)

cosh()

Returns the hyperbolic cosine of the selected argument.

cosh(field)

sinh()

Returns the hyperbolic sine of the selected argument.

sinh(field)

tanh()

Returns the hyperbolic tangent of the selected argument.

tanh(field)

log10()

Returns the base 10 logarithm of the selected argument.

log10(field)

log2()

Returns the base 2 logarithm of the selected argument.

log2(field)

log()

When invoked with one argument, it returns the base e logarithm of arg_1 (natural logarithm). When invoked with two arguments, it returns the base arg_1 logarithm of arg_2.

log(field)

log(field, 2)

pi()

Returns the Pi value (3.141592653589793).

pi()

sin()

Returns the sine of the selected argument.

sin(field)

tan()

Returns the tangent of a selected argument.

tan(field)

e()

Returns the value of the Euler's number (2.718281828459045).

e()

Conversion group

Operation

Description

Examples

duration()

Transforms a string into a duration type represented by a period of time (days, hours, minutes, seconds and milliseconds).

duration(field)

formatdate()

Formats a date using a custom format, optionally specifying time zone and locale.

formatdate(timestamp("2017-01-23 13:10:15.123"), "MMM DD YYYY H:mm:ss.SSS A")

formatdate(timestamp("2017-02-01 00:59:59.000"), "DD/MM/YYYY HH:mm:ss", "GMT+1", "es-ES")

fromutf8()

Returns an UTF8 string from the given byte array.

fromutf8(field)

fromz85()

Creates a byte array from a valid Z85 string.

fromz85(field)

from16()

Creates a byte array from a valid hexadecimal (base16) string.

from16(field)

from64()

Creates a byte array from a valid base64 string.

from64(field)

humanSize()

Converts a number into a human-readable format, using a binary prefix by default. If the second argument is used: true is for binary prefix (2x) and false for decimal prefix (10x).

humanSize(field)

mkboxar()

Creates a byte array from the given numerical values. A byte array is represented by a hexadecimal string to make it readable, but it is not a string.

mkboxar(field)

mkboxar(field1, field2, field3)

parsedate()

Parses a date using a custom format, optionally specifying time zone and locale.

parsedate("Jan 23 2017, 1:15:00.123", "MMM DD YYYY H:mm:ss.SSS A")

parsedate("31/01/2017 23:59:59", "DD/MM/YYYY HH:mm:ss", "GMT+1", "es-ES")

re()

Builds a regular expression from the given string pattern.

re(“^([^@]+)@(.+)$”)

timestamp()

Converts an integer or a valid string (epoch) into normal date format. The string valid format should be Year-Month-Day Hour:Minute:Second.Millisecond, where all the fields are numbers. Epoch date should be in milliseconds. See also the epoch function.

timestamp("2017-01-23 13:10:15.123")

template()

Builds a template from the given string definition. A template is a replacement string that also admits capturing groups (for example \1 will use the capturing group 1 as a template).

template("\1\2")

float()

Converts a valid number string or an integer into a float number.

float(field)

ip4()

Converts a valid string or integer into an IP address (IPv4)

ip4(field)

image()

Converts a string into an image.

image(field)

int()

Converts a valid number string or a float into a integer number.

int(field)

toutf8()

Creates a byte array from an UTF8 string.

toutf8(field)

toz85()

Returns a Z85 string from the given byte array.

toz85(field)

to16()

Returns a hexadecimal (base16) string from the given byte array.

to16(field)

to64()

Returns a base64 string from the given byte array.

to64(field)

str()

Converts an integer, float, date, ip address or coordinates into a string.

str(field)

Cryptography group

Operation

Description

Examples

md5()

Creates the MD5 hash as a byte array of the given string.

md5(field)

sha1()

Returns the SHA1 hash as a byte array of the given string.

sha1(field)

sha256()

Returns the SHA256 hash as a byte array of the given string.

sha256(field)

sha512()

Returns the SHA512 hash as a byte array of the given string.

sha512(field)

Packet group

Operation

Description

Examples

hasether()

Checks if a packet has or not an Ethernet frame.

hasether(field)

etherdst()

Returns the destination MAC address of an Ethernet frame.

etherdst(field)

etherpayload()

Returns the payload of an Ethernet frame.

etherpayload(field)

ethersrc()

Returns the source MAC address of an Ethernet frame.

ethersrc(field)

etherstatus()

Returns the status of an Ethernet packet.

etherstatus(field)

ethertag()

Returns the tag of an Ethernet Frame.

ethertag(field)

ethertype()

Returns the EtherType of the Ethernet frame of a packet.

ethertype(field)

hasip4()

Checks if a packet has or not an IPv4 datagram.

hasip4(field)

ip4cs()

Returns the header checksum of an IPv4 datagram. This checksum is calculated only for the header bytes and protects the header of IPv4 data packages against data corruption.

ip4cs(field)

ip4ds()

Returns the differentiated services value (DSCP) of an IPv4 datagram.

ip4ds(field)

ip4dst()

Returns the destination IPv4 address of the packet receiver.

ip4dst(field)

ip4ds()

Returns the ECN (explicit congestion notification) value of an IPv4 datagram.

ip4ds(field)

ip4flags()

Returns the flags value of an IPv4 datagram.It is a 3 bit field used to control and identify all the fragments.

ip4flags(field)

ip4fragment()

Returns the fragment offset value of an IPv4 datagram.

ip4fragment(field)

ip4hl()

Returns the Internet header length (IHL) field value of an IPv4 datagram.

ip4hl(field)

ip4ident()

Returns the identification field value of an IP datagram. This field is used for uniquely identifying the group of fragments of a single IPv4 datagram.

ip4ident(field)

ip4len()

Returns the total length field value of an IP datagram.

ip4len(field)

ip4payload()

Returns the payload of an IP datagram.

ip4payload(field)

ip4proto()

Returns the protocol field value of an IP datagram, which is the protocol used in the data portion.

ip4proto(field)

ip4src()

Returns the source IPv4 address of the receiver of the packet receiver.

ip4src(field)

ip4status()

Returns the status of an IPv4 packet.

ip4status(field)

ip4tos()

Returns the type of service field value of an IP datagram. This field has been redefined as Differentiated Service Code Point (DSCP).

ip4tos(field)

ip4ttl()

Returns the time to live (TTL) value in seconds of an IP datagram. TTL is a mechanism that limits the lifetime of data, preventing datagrams from persisting on a network.

ip4ttl(field)

hastcp()

Checks if a packet has or not a TCP segment.

hastcp(field)

tcpack()

Returns the acknowledgment number (ACK) of a TCP segment. This value is the next sequence number expected by the sender.

tcpack(field)

tcpcs()

Returns the checksum value of a TCP segment. This value is used for error checking of the header and data.

tcpcs(field)

tcpdst()

Returns the destination port of a TCP segment. This value identifies the receiving port.

tcpdst(field)

tcpflags()

Returns the flags or control bits value of a TCP segment.

tcpflags(field)

tcphl()

Returns the header length or data offset of a TCP segment. The minimum length is 5 words (20 bytes) and the maximum is 15 words (60 bytes).

tcphl(field)

tcppayload()

Returns the payload or data section of a TCP segment.

tcppayload(field)

tcpwin()

Returns the received window size of a TCP segment. This field specifies the number of bytes that the sender of the segment is currently willing to receive.

tcpwin(field)

tcpseq()

Returns the sequence number of a TCP segment.

tcpseq(field)

tcpsrc()

Returns the source port of a TCP segment. This value identifies the sending port.

tcpsrc(field)

tcpstatus()

Returns the status of a TCP packet.

tcpstatus(field)

hasupd()

Checks if a packet has or not an UDP datagram.

hasupd(field)

udpcs()

Returns the checksum value of an UDP datagram. This value is used for error checking of the header and data. It carries all-zeros if unused.

udpcs(field)

udpdst()

Returns the destination port of an UDP datagram. This value identifies the receiving port.

udpdst(field)

udplen()

Returns the length of an UDP datagram. This field specifies the length in bytes of the UDP header and UDP data.

udplen(field)

udppayload()

Returns the payload of an UDP datagram. Note that non-encrypted data can be shown with fromtuf8(pkt).

udppayload(field)

udpsrc()

Returns the source port of an UDP datagram. This value identifies the receiving port.

udpsrc(field)

udpstatus()

Returns the status of a UDP packet.

udpstatus(field)

Have we answered your question?

If not, please contact our technical support team via email by clicking the button below.

CONTACT US

PREVIOUS LINQ

NEXT LINQ query examples