Skip to main content

Field Expressions

The Sumo Logic Query Language can be used to create fields based on calculated expressions, such as:

| 3 + 2 as val
| "Hello, world" as welcome
| 34 % 10 as remainder

Expressions are created by literal values, field names, or search query language operators acting as functions, such as concat() or pow(). Fields created in this way appear in results as virtual columns with the same value on each row, and they can be used in where and other clauses.

Expressions can be used to create fields that are Numeric, Boolean, or String values.

Numeric Expressions

Numbers can be calculated using combinations of addition, subtraction, multiplication, division, modulo, and unary negation. Operators like "+" or "/" can be applied to numeric literals, numeric fields, operators that act as numeric functions (such as abs() or pow()), or nested numeric expressions. For more information about numeric functions, see Math Expressions.

Numeric Literals

In our Query Language, a number, or numeric literal, is a set of digits containing no spaces, with an optional decimal point. Commas are not allowed, and leading and trailing zeros are ignored.  We also allow scientific notation using "e+" or "e-" to divide the number from the exponent. Here are some examples of simple numeric literals:

| 537 as a
| 3.14e+4 as bigpi
| -42.300 as b

It is worth noting that a leading "-" is a unary negation and is treated formally like a "+" or "/" operator.

Numeric literals may optionally end with a suffix. There are two available types: size and time.

Size suffix 

This is a shorthand way to express scalar numeric values multiplied by common factors. Some examples of size suffixes:

| 2k as twoThousand
| 1B as oneBillion
| 1.5M as onePointFiveMillion
| sizeBytes / 1Gi as sizeInGiB
| sizeInKiB * (1Ki / 1Mi) as sizeInMiB

The list of supported suffixes, and the factor by which they multiply the numeric value, is below. Suffixes are case-sensitive. Both SI-style (1000-based) and ISO/IEC 80000-style (1024-based) suffixes are supported.

SuffixFactorSuffixFactor
K or k1000Ki1024
M1000000Mi1048576
G or B1000000000Gi1073741824
T1000000000000Ti1099511627776
P1000000000000000Pi1125899906842624

These suffixes are also supported in Cloud SIEM rules. See Sumo Logic core platform literals supported in Cloud SIEM.

Time suffix

This is used to represent units of time. The base unit of time returned is the millisecond. For example, 1.5s would be returned as 1,500. One and a half seconds converted to the base unit of milliseconds. Some examples of time suffixes:

| 1w as oneWeek
| 1m as oneMinute
| 1.5s as oneAndAHalfSeconds
| 1d as day
| 1h as hour

The following time suffixes are supported:

SuffixTime
nsNanosecond
usMicrosecond
msMillisecond
sSecond
mMinute
hHour
dDay
wWeek

These suffixes are also supported in Cloud SIEM rules. See Sumo Logic core platform literals supported in Cloud SIEM.

Arithmetic Operators

Numeric expressions are evaluated using the usual precedence rules: parentheses, multiplication, and division, then addition and subtraction. Equal precedence is evaluated left to right. Here are some examples:

| 537 + 435 as value
| 52 * 6 - 2 as noparen // 310, not 208
| 52 * (6 - 2) as paren // 208, not 310
| 15 - -5 as sq
| 334 % 10 as remainder

An expression can involve a series of operations. 

| 537 + 435 + 39 + 18.5 as value
| 22 - (34 % 10) * pow(2, 3) as value

Dates are not recognized. The string 2015-03-15 is not a date, it is 1,997. And 3/15/2015 is not a date, it is 9.92556e-1. There is no way to express a literal date in the query language.

The modulus operator "%" produces the remainder of a division. For example, 44 % 10 = 4, because 44 / 10 is 4, remainder 1. 39 % 3 = 0 because 39 / 3 is 13 with no remainder. The expression n % 2 = 0 is true for all even numbers.

Use the pow operator to calculate an exponent. The operator "^" is not recognized by the query language. To raise 2 to the power of 8, instead of writing 2^8, use: pow(2, 8). If the base is 10, you can use scientific notation: pow(10, 3) == 1.0e+3.

Boolean Expressions

Boolean expressions, those that evaluate to true or false, can be assigned to fields as well. The words “true” and “false” act as if they were reserved. Use the "!" to mean boolean “not.” Examples:

| true as yes
| false as locked
| !false as a // sets a to true

Comparison Operators

Comparison operators include equals ("=" or "=="), >", "<", ">=", "<=", "<\>" (or "!=") and produce Boolean values. Examples:

| x = 2 as duo            // same as x == 2 as duo
| y >= 49 as older
| field <> 0 as nonzero
| !(2 == field) as value // value is true if 'field' is not 2

Remember that x = y is a Boolean expression, not an assignment. The expression is true if x equals y, and otherwise false. String comparisons are case sensitive. To assign the value of y to a variable named x, use this syntax: y as x.

String Expressions and Quotes

Characters quoted with double quotes (not single quotes) are string literals. Use a backslash to escape double quotes in the string. Examples:

| "Don’t forget" as reminder
| "They said, \"No later than 10\"" as response
| "Hello, \"Sue,\" if that is your name" as greeting
| concat("Hello, ", "world") as welcome

Use string functions, such as concat(), to combine strings. There are no string operators like "+" or ".". The format() operator can create string fields in a specified format. Use substring() to extract portions of a string.

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.