LQL Functions
This topic lists all Lacework Query Language functions alphabetically.
| Function | Description |
|---|---|
| ABS | Returns the absolute value of a number. |
| ADD_DAYS | Adds the specified number of days to a timestamp. |
| ADD_HOURS | Adds the specified number of hours to a timestamp. |
| ADD_MILLIS | Adds the specified number of milliseconds to a timestamp. |
| ADD_MINUTES | Adds the specified number of minutes to a timestamp. |
| ADD_MONTHS | Adds the specified number of months to a timestamp. |
| ADD_SECONDS | Adds the specified number of seconds to a timestamp. |
| ADD_YEARS | Adds the specified number of years to a timestamp. |
| ANY_IN_ARRAY | Returns True if the array argument is an array in JSON and at least one of the provided values in contained in it. |
| CHAR_INDEX | Searches for the first time a string occurs in another string. If successful, returns the position of the first string in the second string. |
| COALESCE | Returns the first non-null expression among its arguments. Returns null if all arguments are null. |
| CONTAINS | Returns True if a string contains another string. |
| CURRENT_TIMESTAMP_MS | Returns the current timestamp as UTC epoch milliseconds |
| CURRENT_TIMESTAMP_SEC | Returns the current timestamp as UTC epoch seconds. |
| DAY_OF_MONTH | Returns the day of the month (number 1 to 31) from a timestamp. |
| DAY_OF_WEEK | Returns the day of the week (number 1 to 7) from a timestamp. |
| DAY_OF_YEAR | Returns the day of the year (number 1 to 366) from a timestamp. |
| DAY_PART | Returns the day of the month (number 1 to 31) from a timestamp. |
| DIFF_DAYS | Returns the number of days between two timestamps. |
| DIFF_HOURS | Returns the number of hours between two timestamps. |
| DIFF_MINUTES | Returns the number of minutes between two timestamps. |
| DIFF_MILLIS | Returns the number of milliseconds between two timestamps. |
| DIFF_MONTHS | Returns the number of months between two timestamps. |
| DIFF_SECONDS | Returns the number of seconds between two timestamps. |
| DIFF_YEARS | Returns the number of years between two timestamps. |
| ENDS_WITH | Returns True if a string ends with a specified string. |
| EPOCH_MS | Returns a number that is milliseconds from epoch for a timestamp. |
| EPOCH_SEC | Returns a number that is seconds from epoch for a timestamp. |
| HOUR_PART | Returns the hour of the day (number 0 to 23) from a timestamp. |
| IS_ARRAY | Returns True if the input contains an ARRAY value. |
| IS_OBJECT | Returns True if the input contains an OBJECT value. |
| KEY_EXISTS | Returns True if a JSON object key exists, regardless of whether it maps to a null, an object, or an array. |
| LEFT | Returns the leftmost substring of the input. |
| LENGTH | Returns the number of characters in the input. |
| LOWER | Returns the input as all lowercase characters. |
| LTRIM | Removes leading characters from the input, including whitespace. |
| MINUTE_PART | Returns the minute (number 0 to 59) from a timestamp. |
| MONTH_PART | Returns the month (number 1 to 12) from a timestamp. |
| MS_TO_TIMESTAMP | Converts a number representing milliseconds from epoch into the equivalent timestamp. |
| QUARTER_PART | Returns the quarter (number 1 to 4) from a timestamp. |
| RIGHT | Returns the rightmost substring of the input. |
| RTRIM | Removes trailing characters from the input, including whitespace. |
| SECOND_PART | Returns the second (number 0 and 59) from a timestamp. |
| SEC_TO_TIMESTAMP | Converts a number representing seconds from epoch into the equivalent timestamp. |
| STARTS_WITH | Returns True if a string starts with a specified string. |
| SUBSTRING | Returns a portion of a string, starting from a specified position. |
| TO_BOOLEAN | Converts the input to a Boolean value. |
| TO_DOUBLE | Converts the input to a double-precision floating-point number. |
| TO_TIMESTAMP | Converts a string-valued timestamp expression into the equivalent timestamp. |
| TRIM | Removes leading and trailing characters from a string. |
| UPPER | Returns the input as all uppercase characters. |
| VALUE_EXISTS | Returns True if a JSON object key has a non-null value. |
| YEAR_PART | Returns the year (any valid year) from a timestamp. |
ABS ( n )
Arguments
n: A number.
Returns the absolute value of n.
ADD_DAYS ( n, timestamp )
Arguments
n: The number of days to add. Can be positive or negative.timestamp: The timestamp to add to. If this is provided as a JSON string field, the string is automatically converted to a timestamp.
Adds n days to timestamp.
ADD_HOURS ( n, timestamp )
Arguments
n: The number of hours to add. Can be positive or negative.timestamp: The timestamp to add to. If this is provided as a JSON string field, the string is automatically converted to a timestamp.
Adds n hours to timestamp.
ADD_MILLIS ( n, timestamp )
Arguments
n: The number of milliseconds to add. Can be positive or negative.timestamp: The timestamp to add to. If this is provided as a JSON string field, the string is automatically converted to a timestamp.
Adds n milliseconds to timestamp.
ADD_MINUTES ( n, timestamp )
Arguments
n: The number of minutes to add. Can be positive or negative.timestamp: The timestamp to add to. If this is provided as a JSON string field, the string is automatically converted to a timestamp.
Adds n minutes to timestamp.
ADD_MONTHS ( n, timestamp )
Arguments
n: The number of months to add. Can be positive or negative.timestamp: The timestamp to add to. If this is provided as a JSON string field, the string is automatically converted to a timestamp.
Adds n months to timestamp.
ADD_SECONDS ( n, timestamp )
Arguments
n: The number of seconds to add. Can be positive or negative.timestamp: The timestamp to add to. If this is provided as a JSON string field, the string is automatically converted to a timestamp.
Adds n seconds to timestamp.
ADD_YEARS ( n, timestamp )
Arguments
n: The number of years to add. Can be positive or negative.timestamp: The timestamp to add to. If this is provided as a JSON string field, the string is automatically converted to a timestamp.
Adds n years to timestamp.
ANY_IN_ARRAY ( array, val1 [, ... valN] )
Arguments
array: Array (in a JSON object) to search in.val1...valN: Value(s) to find in the array. (May be literals, column references, any derived values, orNULL)
Returns True if the array argument is an array in JSON and at least one of the provided values is contained in it. Returns False otherwise.
CHAR_INDEX ( searchfor, searchin )
CHAR_INDEX ( searchfor, searchin, start )
Arguments
searchfor: The string to search for.searchin: The string to search in.start: A number that represents the starting position of the search. 1 represents the start ofsearchin.
Searches for the first time searchfor occurs in searchin. If successful, returns the position of searchfor in searchin. The start position is optional.
COALESCE ( arg1, arg2, ... )
Arguments
argn: The arguments to coalesce. All arguments must have the same data type.
Returns the first non-null expression among its arguments. Returns null if all arguments are null.
CONTAINS ( searchin, searchfor )
Arguments
searchin: The string to search in.searchfor: The string to search for.
Returns True if searchin contains searchfor.
CURRENT_TIMESTAMP ( ) DEPRECATED
Returns the current timestamp.
This function is deprecated and might be removed in a future release.
CURRENT_TIMESTAMP_MS ( )
Returns the current timestamp as UTC epoch milliseconds (number of milliseconds since Jan 01, 1970 in the UTC timezone). Note that this function returns a number, not a timestamp.
CURRENT_TIMESTAMP_SEC ( )
Returns the current timestamp as UTC epoch seconds (number of seconds since Jan 01, 1970 in the UTC timezone). Note that this function returns a number, not a timestamp.
DAY_OF_MONTH ( timestamp )
Arguments
timestamp: The timestamp to extract the day from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the day of the month (number 1 to 31) from timestamp.
DAY_OF_WEEK ( timestamp )
Arguments
timestamp: The timestamp to extract the day from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the day of the month (number 1 to 7) from timestamp.
DAY_OF_YEAR ( timestamp )
Arguments
timestamp: The timestamp to extract the day from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the day of the month (number 1 to 366) from timestamp.
DAY_PART ( timestamp )
Arguments
timestamp: The timestamp to extract the day from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the day of the month (number 1 to 31) from timestamp.
DIFF_DAYS ( from, to )
Arguments
from: Starting timestamp.to: Ending timestamp.
Returns the number of days between from and to as an integer.
DIFF_HOURS ( from, to )
Arguments
from: Starting timestamp.to: Ending timestamp.
Returns the number of hours between from and to as an integer.
DIFF_MINUTES ( from, to )
Arguments
from: Starting timestamp.to: Ending timestamp.
Returns the number of minutes between from and to as an integer.
DIFF_MILLIS ( from, to )
Arguments
from: Starting timestamp.to: Ending timestamp.
Returns the number of milliseconds between from and to as an integer.
DIFF_MONTHS ( from, to )
Arguments
from: Starting timestamp.to: Ending timestamp.
Returns the number of months between from and to as an integer.
DIFF_SECONDS ( from, to )
Arguments
from: Starting timestamp.to: Ending timestamp.
Returns the number of seconds between from and to as an integer.
DIFF_YEARS ( from, to )
Arguments
from: Starting timestamp.to: Ending timestamp.
Returns the number of years between from and to as an integer.
ENDS_WITH ( string1, string2 )
Arguments
string1: The string to evaluate.string2: The ending string.
Returns True if string1 ends with string2.
EPOCH_MS ( timestamp )
Arguments
timestamp: The timestamp from which to extract milliseconds from epoch. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns a number that is milliseconds from epoch from timestamp.
EPOCH_SEC ( timestamp )
Arguments
timestamp: The timestamp from which to extract seconds from epoch. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns a number that is seconds from epoch from timestamp.
HOUR_PART ( timestamp )
Arguments
timestamp: The timestamp to extract the hour from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the hour (number 0 to 23) from timestamp.
IS_ARRAY ( arg )
Arguments
arg: The argument to evaluate.
Returns True if arg contains an ARRAY value.
IS_OBJECT ( arg )
Arguments
arg: The argument to evaluate.
Returns True if arg contains an OBJECT value.
KEY_EXISTS ( key::JSON )
Arguments
key::JSON: Where key is the key to evaluate.
Returns True if the JSON object key exists, regardless of whether it maps to a null, an object, or an array.
LEFT ( string, n )
Arguments
string: The string to evaluate.n: The number of characters.
Returns the leftmost substring (n characters) of string.
LENGTH ( string )
Arguments
string: The string to evaluate.
Returns the number of characters in string.
LOWER ( string )
Arguments
string: The string to change.
Returns string as all lowercase characters.
LTRIM ( string )
Arguments
string: The string to trim.
Removes leading characters from string, including whitespace.
MS_TO_TIMESTAMP ( n )
Arguments
n: The number to convert totimestamp.
Converts a number representing UTC epoch milliseconds (number of milliseconds since Jan 01, 1970 in the UTC timezone) into TIMESTAMP.
MINUTE_PART ( timestamp )
Arguments
timestamp: The timestamp to extract the minute from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the minute (number 0 to 59) from TIMESTAMP.
MONTH_PART ( timestamp )
Arguments
timestamp: The timestamp to extract the month from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the month (number 1 to 12) from TIMESTAMP.
QUARTER_PART ( timestamp )
Arguments
timestamp: The timestamp to extract the quarter from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the quarter (number 1 to 4) from timestamp.
RIGHT ( string, n )
Arguments
string: The string to evaluate.n: The number of characters.
Returns the rightmost substring (n characters) of string.
RTRIM ( string )
Arguments
string: The string to trim.
Removes trailing characters from string, including whitespace.
SEC_TO_TIMESTAMP ( n )
Arguments
n: The number to convert to TIMESTAMP.
Converts a number representing UTC epoch seconds (number of seconds since Jan 01, 1970 in the UTC timezone) into TIMESTAMP.
SECOND_PART ( timestamp )
Arguments
timestamp: The timestamp to extract the second from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the second (number 0 to 59) from TIMESTAMP.
STARTS_WITH ( string1, string2 )
Arguments
string1: The string to evaluate.string2: The starting string.
Returns True if string1 starts with string2.
SUBSTRING ( string, start )
SUBSTRING ( string, start, length )
Arguments
string: The string to evaluate.start: The starting position.length: The length limit of the returned string portion.
Returns a portion of string, starting from start. Limiting by length is optional.
TO_TIMESTAMP ( string )
Arguments
string: The string to convert totimestamp.
Converts a string expression of a timestamp into a TIMESTAMP.
TO_BOOLEAN ( string )
Arguments
string: The string to convert.
Converts string to a Boolean value.
TO_DOUBLE ( string )
Arguments
string: The string to convert.
Converts string to a double-precision floating-point number.
TRIM ( string )
TRIM ( string, n )
Arguments
string: The string to trim.n: The number of characters to remove from left and right side.
Removes n leading and trailing characters from string. Not specifying n removes all leading and trailing whitespaces.
UPPER ( string )
Arguments
string: The string to change.
Returns string as all uppercase characters.
VALUE_EXISTS ( key::JSON )
Arguments
key::JSON: Where key is the key to evaluate.
Returns True if the JSON object key has a non-null value. VALUE_EXISTS considers empty values such as [], {}, ““ to be actual values.
YEAR_PART ( timestamp )
Arguments
timestamp: The timestamp to extract the year from. This is not automatically converted from a JSON string. If the source of the timestamp is JSON, you must explicitly cast it to TIMESTAMP to convert it.
Returns the year (any valid year) from the timestamp.