|`cos(X)`|Calculates the cosine of X. |`n=cos(0)`|[cos()](/kusto/query/cos-function?view=microsoft-sentinel&preserve-view=true)|`cos(X)`|
251
251
|`exact(X)`|Evaluates an expression X using double precision floating point arithmetic. |`exact(3.14*num)`|[`todecimal()`](/kusto/query/todecimal-function?view=microsoft-sentinel&preserve-view=true)|`todecimal(3.14*2)`|
|`if(X,Y,Z)`|If `X` evaluates to `TRUE`, the result is the second argument `Y`. If `X` evaluates to `FALSE`, the result evaluates to the third argument `Z`. |`if(error==200,`<br> `"OK", "Error")`|[`iff()`](/kusto/query/iff-function?view=microsoft-sentinelc&preserve-view=true)|[KQL example](#ifxyz-kql-example)|
254
-
|`isbool(X)`|Returns `TRUE` if `X` is boolean. |`isbool(field)`|• [`iff()`](/kusto/query/iff-function?view=microsoft-sentinelc&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|`iff(gettype(X) =="bool","TRUE","FALSE")`|
255
-
|`isint(X)`|Returns `TRUE` if `X` is an integer. |`isint(field)`|• [`iff()`](/kusto/query/iff-function?view=microsoft-sentinelc&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#isintx-kql-example)|
253
+
|`if(X,Y,Z)`|If `X` evaluates to `TRUE`, the result is the second argument `Y`. If `X` evaluates to `FALSE`, the result evaluates to the third argument `Z`. |`if(error==200,`<br> `"OK", "Error")`|[`iff()`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#ifxyz-kql-example)|
254
+
|`isbool(X)`|Returns `TRUE` if `X` is boolean. |`isbool(field)`|• [`iff()`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|`iff(gettype(X) =="bool","TRUE","FALSE")`|
255
+
|`isint(X)`|Returns `TRUE` if `X` is an integer. |`isint(field)`|• [`iff()`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#isintx-kql-example)|
256
256
|`isnull(X)`|Returns `TRUE` if `X` is null. |`isnull(field)`|[`isnull()`](/kusto/query/isnull-function?view=microsoft-sentinel&preserve-view=true)|`isnull(field)`|
257
-
|`isstr(X)`|Returns `TRUE` if `X` is a string. |`isstr(field)`|• [`iff()`](/kusto/query/iff-function?view=microsoft-sentinelc&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#isstrx-kql-example)|
257
+
|`isstr(X)`|Returns `TRUE` if `X` is a string. |`isstr(field)`|• [`iff()`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)<br>• [`gettype`](/kusto/query/gettype-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#isstrx-kql-example)|
258
258
|`len(X)`|This function returns the character length of a string `X`. |`len(field)`|[`strlen()`](/kusto/query/strlen-function?view=microsoft-sentinel&preserve-view=true)|`strlen(field)`|
259
259
|`like(X,"y")`|Returns `TRUE` if and only if `X` is like the SQLite pattern in `Y`. |`like(field, "addr%")`|• [`has`](/kusto/query/has-any-operator?view=microsoft-sentinel&preserve-view=true)<br>• [`contains`](/kusto/query/datatypes-string-operators?view=microsoft-sentinel&preserve-view=true)<br>• [`startswith`](/kusto/query/datatypes-string-operators?view=microsoft-sentinel&preserve-view=true)<br>• [matches regex](/kusto/query/regex?view=microsoft-sentinel&preserve-view=true)|[KQL example](#likexy-example)|
260
260
|`log(X,Y)`|Returns the log of the first argument `X` using the second argument `Y` as the base. The default value of `Y` is `10`. |`log(number,2)`|• [`log`](/kusto/query/log-function?view=microsoft-sentinel&preserve-view=true)<br>• [`log2`](/kusto/query/log2-function?view=microsoft-sentinel&preserve-view=true)<br>• [`log10`](/kusto/query/log10-function?view=microsoft-sentinel&preserve-view=true)|`log(X)`<br><br>`log2(X)`<br><br>`log10(X)`|
261
261
|`lower(X)`|Returns the lowercase value of `X`. |`lower(username)`|[tolower](/kusto/query/tolower-function?view=microsoft-sentinel&preserve-view=true)|`tolower(username)`|
262
-
|`ltrim(X,Y)`|Returns `X` with the characters in parameter `Y` trimmed from the left side. The default output of `Y` is spaces and tabs. |`ltrim(" ZZZabcZZ ", " Z")`|[`trim_start()`](/kusto/query/trim-start-function?view=microsoft-sentinelc&preserve-view=true)|`trim_start(“ ZZZabcZZ”,” ZZZ”)`|
262
+
|`ltrim(X,Y)`|Returns `X` with the characters in parameter `Y` trimmed from the left side. The default output of `Y` is spaces and tabs. |`ltrim(" ZZZabcZZ ", " Z")`|[`trim_start()`](/kusto/query/trim-start-function?view=microsoft-sentinel&preserve-view=true)|`trim_start(“ ZZZabcZZ”,” ZZZ”)`|
263
263
|`match(X,Y)`|Returns if X matches the regex pattern Y. |`match(field, "^\d{1,3}.\d$")`|[`matches regex`](/kusto/query/regex?view=microsoft-sentinel&preserve-view=true)|`… | where field matches regex @"^\d{1,3}.\d$")` |
264
264
|`max(X,…)`|Returns the maximum value in a column. |`max(delay, mydelay)`|• [`max()`](/kusto/query/max-aggregation-function?view=microsoft-sentinel&preserve-view=true)<br>• [`arg_max()`](/kusto/query/arg-max-aggregation-function?view=microsoft-sentinel&preserve-view=true)|`… | summarize max(field)` |
265
265
|`md5(X)`|Returns the MD5 hash of a string value `X`. |`md5(field)`|[`hash_md5`](/kusto/query/hash-md5-function?view=microsoft-sentinel&preserve-view=true)|`hash_md5("X")`|
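Review bot: The `ltrim(X,Y)` row (line 262) is edited only for its link, but its KQL example still reads `trim_start(“ ZZZabcZZ”,” ZZZ”)` with typographic quotes, which will not parse when pasted into a query. It also passes the input string first, although `trim_start()` takes the regex first and the source string second, the order the `rtrim` row's `trim_end(@"[ Z]+",A)` already uses. Suggest fixing it in the same change, for example `trim_start(@"[ Z]+", " ZZZabcZZ ")`. The same row says "The default output of `Y`" where "default value" is meant.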
|`mvjoin(X,Y)`|Given a multi-valued field `X` and string delimiter `Y`, and joins the individual values of `X` using `Y`. |`mvjoin(address, ";")`|[`strcat_array`](/kusto/query/strcat-array-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#mvjoinxy-kql-example)|
271
271
|`now()`|Returns the current time, represented in Unix time. |`now()`|[`now()`](/kusto/query/now-function?view=microsoft-sentinel&preserve-view=true)|`now()`<br><br>`now(-2d)`|
272
272
|`null()` |Doesn't accept arguments and returns `NULL`. |`null()` |[null](/kusto/query/scalar-data-types/null-values) |`null`
273
-
|`nullif(X,Y)`|Includes two arguments, `X` and `Y`, and returns `X` if the arguments are different. Otherwise, returns `NULL`. |`nullif(fieldA, fieldB)`|[`iff`](/kusto/query/iff-function?view=microsoft-sentinelc&preserve-view=true)|`iff(fieldA==fieldB, null, fieldA)`|
273
+
|`nullif(X,Y)`|Includes two arguments, `X` and `Y`, and returns `X` if the arguments are different. Otherwise, returns `NULL`. |`nullif(fieldA, fieldB)`|[`iff`](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)|`iff(fieldA==fieldB, null, fieldA)`|
274
274
|`random()`|Returns a pseudo-random number between `0` to `2147483647`. |`random()`|[`rand()`](/kusto/query/rand-function?view=microsoft-sentinel&preserve-view=true)|`rand()`|
275
275
|`relative_ time(X,Y)`|Given an epoch time `X` and relative time specifier `Y`, returns the epoch time value of `Y` applied to `X`. |`relative_time(now(),"-1d@d")`|[unix time](/kusto/query/datetime-timespan-arithmetic?view=microsoft-sentinel&preserve-view=true#example-unix-time)|[KQL example](#relative-timexy-kql-example)|
276
-
|`replace(X,Y,Z)`|Returns a string formed by substituting string `Z` for every occurrence of regular expression string `Y` in string `X`. |Returns date with the month and day numbers switched.<br>For example, for the `4/30/2015` input, the output is `30/4/2009`:<br><br>`replace(date, "^(\d{1,2})/ (\d{1,2})/", "\2/\1/")`|[`replace()`](/kusto/query/replace-string-function?view=microsoft-sentinelc&preserve-view=true)|[KQL example](#replacexyz-kql-example)|
276
+
|`replace(X,Y,Z)`|Returns a string formed by substituting string `Z` for every occurrence of regular expression string `Y` in string `X`. |Returns date with the month and day numbers switched.<br>For example, for the `4/30/2015` input, the output is `30/4/2009`:<br><br>`replace(date, "^(\d{1,2})/ (\d{1,2})/", "\2/\1/")`|[`replace()`](/kusto/query/replace-string-function?view=microsoft-sentinel&preserve-view=true)|[KQL example](#replacexyz-kql-example)|
277
277
|`round(X,Y)`|Returns `X` rounded to the number of decimal places specified by `Y`. The default is to round to an integer. |`round(3.5)`|[`round`](/kusto/query/round-function?view=microsoft-sentinel&preserve-view=true)|`round(3.5)`|
278
278
|`rtrim(X,Y)`|Returns `X` with the characters of `Y` trimmed from the right side. If `Y` isn't specified, spaces and tabs are trimmed. |`rtrim(" ZZZZabcZZ ", " Z")`|[`trim_end()`](/kusto/query/trim-end-function?view=microsoft-sentinel&preserve-view=true)|`trim_end(@"[ Z]+",A)`|
279
-
|`searchmatch(X)`|Returns `TRUE` if the event matches the search string `X`. |`searchmatch("foo AND bar")`|[iff()](/kusto/query/iff-function?view=microsoft-sentinelc&preserve-view=true)|`iff(field has "X","Yes","No")`|
279
+
|`searchmatch(X)`|Returns `TRUE` if the event matches the search string `X`. |`searchmatch("foo AND bar")`|[iff()](/kusto/query/iff-function?view=microsoft-sentinel&preserve-view=true)|`iff(field has "X","Yes","No")`|
280
280
|`split(X,"Y")`|Returns `X` as a multi-valued field, split by delimiter `Y`. |`split(address, ";")`|[`split()`](/kusto/query/split-function?view=microsoft-sentinel&preserve-view=true)|`split(address, ";")`|
281
281
|`sqrt(X)`|Returns the square root of `X`. |`sqrt(9)`|[`sqrt()`](/kusto/query/sqrt-function?view=microsoft-sentinel&preserve-view=true)|`sqrt(9)`|
282
282
|`strftime(X,Y)`|Returns the epoch time value `X` rendered using the format specified by `Y`. |`strftime(_time, "%H:%M")`|[`format_datetime()`](/kusto/query/format-datetime-function?view=microsoft-sentinel&preserve-view=true)|`format_datetime(time,'HH:mm')`|
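Review bot: The `replace(X,Y,Z)` row (line 276) still carries an inconsistent example: the input `4/30/2015` is said to produce `30/4/2009`, but swapping month and day leaves the year unchanged, so the output should read `30/4/2015`. The pattern `"^(\d{1,2})/ (\d{1,2})/"` also has a space after the first slash that would stop it matching that input; both are worth correcting while this line is being touched. Separately, the `relative_ time(X,Y)` context row has a stray space in the function name.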