Text
Function | Summary |
---|---|
APPEND | Joins two or more pieces of text together. |
BYTESIZE | Counts the number of bytes in a string. |
CAPITALIZE | Makes the first character of text uppercase and converts the remaining characters to lowercase. |
DEFAULT | Allows you to specify a fallback in case a value doesn’t exist. Returns the fallback value if the input is |
DOWNCASE | Makes each character in text lowercase. |
ENDS_WITH | Returns true if the text ends with the suffix |
ESCAPE | Escapes text by replacing characters with escape sequences (e.g. so that the text can be used in a URL) |
ESCAPE_ONCE | Escapes text without changing existing escaped entities. |
ESTIMATED_TOKEN_COUNT | Estimates the number of tokens which would represent the input data when passed to a Claude 3 LLM. The token count is an estimate based on an older Claude tokenizer and will not be an exact match for the tokens used. |
FORCE_ARRAY | If the supplied argument is an array it returns it, otherwise wraps it in an array |
HTML_DECODE | Converts escaped characters in text to HTML syntax characters, e.g. |
HTML_ENCODE | Escapes HTML syntax characters in text, e.g. |
INCLUDES | Returns |
INDEX_OF | Returns the index of the specified term within the provided string or array. With arrays you can provide a LAMBDA as the second argument, and the index of the first matching result it returned. |
IS_BLANK | Returns true if a value is falsy ie. |
IS_EMPTY | Returns true if a value is empty ie. |
IS_PRESENT | Returns true unless blank. The result is false for any of |
LAST_INDEX_OF | Returns the last index of the specified term within the provided string or array. With arrays you provide a LAMBDA as the second argument. |
LEGACY_STRINGIFY | Converts an object parameter to a legacy String representation. |
LEVENSHTEIN_DISTANCE | Compute the Levenshtein distance between two strings. |
LSTRIP | Removes all whitespace (tabs, spaces, and newlines) from the beginning of text. Does not affect spaces between words. |
MATCH | Returns true if text contains the regex expression regex_to_match and false otherwise. |
NEWLINE_TO_BR | Replaces every newline (\n) with an HTML line break (<br>). |
PLURALIZE | Outputs the singular or plural version of text based on the value of a number. |
PREPEND | Adds the specified text to the beginning of the other text. |
REGEX_EXTRACT | Returns an array of all the regex matches on the input text. Optionally, include a string containing Ruby modifiers – e.g. |
REGEX_REPLACE | Replaces every occurrence of a regex match in text with the second argument. |
REMOVE | Removes every occurrence of the specified sub-text from text. |
REMOVE_FIRST | Removes the first occurrence of the specified sub-text from text. |
REPLACE | Replaces every occurrence of the search text with the replacement text. |
REPLACE_FIRST | Replaces the first occurrence of the search text with the replacement text. |
RSTRIP | Removes all whitespace (tabs, spaces, and newlines) from the right side of text. |
SIZE | Returns the number of characters in text or the number of elements in an array. |
SLICE | Returns 1 or |
SPLIT | Divides the input text into an array using the delimiter as a separator |
STARTS_WITH | Returns true if the text begins with the prefix |
STRIP | Removes all whitespace (tabs, spaces, and newlines) from both the left and right side of text. It does not affect spaces between words. |
STRIP_HTML | Removes any HTML tags from text. |
STRIP_NEWLINES | Removes any newline characters (line breaks) from text. |
TEXT | Converts the passed value to text. |
TO_SNAKE_CASE | Turn input text into snake case. |
TRANSLITERATE | Replaces non-ASCII characters with an ASCII approximation, or if none exists, a replacement character: “?”. |
TRUNCATE | Shorten text down to the number of characters passed as a parameter. If the number of characters specified is less than the length of the text, |
TRUNCATEWORDS | Shortens text down to the number of words passed as the argument. If the specified number of words is less than the number of words in the text, |
UPCASE | Makes each character in text uppercase. |
URL_DECODE | Decodes text that has been encoded as a URL or by |
URL_ENCODE | Converts any URL-unsafe characters in the given text into percent-encoded characters. |
UUID | Generates a universally unique identifier (UUID) |
Logic
Function | Summary |
---|---|
AND | Returns |
DEFAULT | Allows you to specify a fallback in case a value doesn’t exist. Returns the fallback value if the input is |
IF | If |
IF_ERROR | If |
IS_BLANK | Returns true if a value is falsy ie. |
IS_PRESENT | Returns true unless blank. The result is false for any of |
NOT | Returns the logical opposite of the supplied param. |
OR | Returns true if any of the arguments are truthy, otherwise returns false. |
Numbers
Function | Summary |
---|---|
ABS | Returns the absolute value of a number. |
ACOS | Computes the arc cosine of x (in radians), returning a number between 0 and π |
ASIN | Computes the arc sine of x (in radians), returning a number between -π/2 and π/2 |
AT_LEAST | Limits a number to a minimum value. |
AT_MOST | Limits a number to a maximum value. |
AVERAGE | Returns the average (mean) numeric value. Can either be called with a single argument which must be an array or multiple numeric arguments. |
CEIL | Rounds the input up to the nearest whole number. |
COS | Computes the cosine of x (in radians), returning a number between -1 and 1 |
DIVIDED_BY | Divides a number by the specified number. |
ESTIMATED_TOKEN_COUNT | Estimates the number of tokens which would represent the input data when passed to a Claude 3 LLM. The token count is an estimate based on an older Claude tokenizer and will not be an exact match for the tokens used. |
FLOOR | Rounds a number down to the nearest whole number. |
IS_BLANK | Returns true if a value is falsy ie. |
IS_PRESENT | Returns true unless blank. The result is false for any of |
MAX | Returns the argument with the highest numeric value. Can either be called with a single argument which must be an array or multiple arguments |
MIN | Returns the argument with the lowest numeric value. Can either be called with a single argument which must be an array or multiple arguments. |
MINUS | Subtracts a number from another number. |
MODULO | Returns the remainder of a division operation. |
NUMBER | Converts the passed value to a number. |
PLUS | Adds a number to another number. |
RANDOM | Returns a random number in the range specified. |
ROUND | Rounds an input number to the nearest whole number or, if precision is specified, to that number of decimal places. |
SIN | Computes the sine of x (in radians), returning a number between -π/2 and π/2 |
SQRT | Computes the square root of a given number |
SUM | Sums the elements in an array of numbers. |
TIMES | Multiplies a number by another number. |
Arrays
Function | Summary |
---|---|
ARRAY | Returns an Array with each of the arguments as a member. |
CHUNK_ARRAY | Chunks an array into arrays with chunk_size elements. The last chunk may contain less than chunk_size elements. |
COMPACT | Removes any |
CONCAT | Concatenates (joins together) two or more arrays. |
COUNTIF | Returns the count of all elements in an array that are equal to the comparison argument. |
DEFAULT | Allows you to specify a fallback in case a value doesn’t exist. Returns the fallback value if the input is |
DELETE | Deletes an item from an array at a given index and returns the array minus that deleted value. |
DIFFERENCE | Returns an array of items that appear in the first array but not in the second array |
ESTIMATED_TOKEN_COUNT | Estimates the number of tokens which would represent the input data when passed to a Claude 3 LLM. The token count is an estimate based on an older Claude tokenizer and will not be an exact match for the tokens used. |
FILTER | Filters an array or an object by a lambda function or an array of values to keep. If the target is an array, the lambda must take one argument: the value. If the target is an object, the lambda can take one or two arguments. If the lambda takes one argument, the argument is the value. If the lambda takes two arguments, the first argument is the key and the second argument is the value. |
FIND | Returns the first element in the array for which the lambda returns true. |
FIRST | Returns the first element of an array. |
FLATTEN | Turn nested arrays into a single 1 dimensional array |
INCLUDES | Returns |
INDEX_OF | Returns the index of the specified term within the provided string or array. With arrays you can provide a LAMBDA as the second argument, and the index of the first matching result it returned. |
INSERT | Inserts an item into an array at a given index. |
INTERSECTION | Returns the intersection between two arrays. |
IS_BLANK | Returns true if a value is falsy ie. |
IS_EMPTY | Returns true if a value is empty ie. |
IS_PRESENT | Returns true unless blank. The result is false for any of |
JOIN | Combines the elements in an array into a single text value using the argument as a separator. |
LAST | Returns the last element of an array. |
LAST_INDEX_OF | Returns the last index of the specified term within the provided string or array. With arrays you provide a LAMBDA as the second argument. |
MAP | Creates an array by extracting the values of a given key or path from an array of objects. If a property name has spaces, wrap it in square brackets and double quotes. |
PUSH | Adds one or more items to the end of an array. |
RANDOM_ELEMENT | Select a random element from an array. |
RANGE | Returns an array of numbers with the first value equal to |
REJECT | Rejects items from an array or an object by a lambda function or an array of values to remove. If the target is an array, the lambda must take one argument: the value. If the target is an object, the lambda can take one or two arguments. If the lambda takes one argument, the argument is the value. If the lambda takes two arguments, the first argument is the key and the second argument is the value. |
REVERSE | Reverses the order of the elements in an array. |
ROTATE | Rotates the elements in an array by any number of steps. |
SHUFFLE | Shuffles all the elements in an array |
SIZE | Returns the number of characters in text or the number of elements in an array. |
SLICE_ARRAY | Returns the remainder of the array (or |
SORT | Sorts elements in an array by a property of an element in the array (case-sensitive). Pass a dot-separated path to sort by nested keys. |
SORT_NATURAL | Sorts elements in an array by a property of an element in the array (case-insensitive). Pass a dot-separated path to sort by nested keys. |
SUM | Sums the elements in an array of numbers. |
TALLY | Counts the occurrences of each unique element within an array, accounting for case sensitivity. |
UNION | This function merges two arrays. These arrays can either be within the same Event or from two distinct Actions. The function requires that the inputs be arrays, although it can also process an array nested within an object, as long as it directly references the array. The order of the merged array is determined by the sequence in which the paths are listed. |
UNIQ | Removes any duplicate elements in an array. |
WHERE | Takes an array of objects, a path and a value (optional). The path can be a single key or a dot-separated series of keys. Returns a new array containing only the objects where the value at the key/path matches the provided value. If value is not provided, it returns an array containing only the objects where the value at the key/path is present. If you try to pass NULL in for value, it will be treated as not provided, so you cannot use this function to check for NULL values. Instead, you can use FILTER to find NULL values like so:
|
Objects
Function | Summary |
---|---|
DEEP_MERGE | Creates a new object by recursively merging two or more objects together. Where there are key collisions that last value is used. |
ESTIMATED_TOKEN_COUNT | Estimates the number of tokens which would represent the input data when passed to a Claude 3 LLM. The token count is an estimate based on an older Claude tokenizer and will not be an exact match for the tokens used. |
FILTER | Filters an array or an object by a lambda function or an array of values to keep. If the target is an array, the lambda must take one argument: the value. If the target is an object, the lambda can take one or two arguments. If the lambda takes one argument, the argument is the value. If the lambda takes two arguments, the first argument is the key and the second argument is the value. |
FLATTEN_JSON | Flattens nested JSON into a new object with a single layer of key/value pairs. Default key separator is a period or full stop ( |
GET | Get the value in object at the specified key or path. If a property name has spaces, wrap it in square brackets and quotes. |
INCLUDES | Returns |
IS_BLANK | Returns true if a value is falsy ie. |
IS_EMPTY | Returns true if a value is empty ie. |
IS_PRESENT | Returns true unless blank. The result is false for any of |
IS_VALID_JSON_SCHEMA | Returns true if the object provided matches the provided json schema, using the https://json-schema.org/ syntax. |
JSONPATH | Evaluates objects using JSONPath expressions. JSONPath expressions support wildcards, filters, and slices. See JSONPath or the Online Evaluator for more information. More examples of how to use JSONPATH can be seen in our Story Library |
JSON_SCHEMA_VALIDATE | Returns a validation error message if the object provided does not match the provided json schema, using the https://json-schema.org/ syntax or an empty string otherwise. |
KEYS | Returns an array of keys present in the object. |
MERGE | Creates a new object by merging two or more objects together. |
OBJECT | Returns an object with keys and values as specified. |
REJECT | Rejects items from an array or an object by a lambda function or an array of values to remove. If the target is an array, the lambda must take one argument: the value. If the target is an object, the lambda can take one or two arguments. If the lambda takes one argument, the argument is the value. If the lambda takes two arguments, the first argument is the key and the second argument is the value. |
REMOVE_KEY | Removes the specified key from an object. Path is a dot separated path to the object, you can escape dots using backslash |
SET_KEY | Sets an object key to a value. If the key already exists, it will be overwritten. Nested keys can be specified using dot notation. |
UNFLATTEN_JSON | Transforms a single layer of key/value pairs into a nested JSON structure. Default key separator is a period or full stop ( |
VALUES | Returns all the values of an object. |
WHERE | Takes an array of objects, a path and a value (optional). The path can be a single key or a dot-separated series of keys. Returns a new array containing only the objects where the value at the key/path matches the provided value. If value is not provided, it returns an array containing only the objects where the value at the key/path is present. If you try to pass NULL in for value, it will be treated as not provided, so you cannot use this function to check for NULL values. Instead, you can use FILTER to find NULL values like so:
|
Dates/Times
Function | Summary |
---|---|
DATE | Takes a date, represented by a string, an integer, or a DATE_PARSE object, and returns a formatted string representation. The output format is defined in ruby strftime (Time) syntax. Optionally, the output timezone can be specified with values from the tz database. Natural language parsing is handled by chronic. When it receives ambiguous dates, ie "01/02/2023", it will default to the EU format (DD/MM/YYYY). Combine with DATE_PARSE to explicitly define the format. |
DATE_DIFF | Returns the precise difference between two given times in terms of years, months, weeks, days, hours, minutes, and seconds. It handles differences across time zones, accounts for leap years, considers months with varying days, and presents both the unit and cumulative differences. When the start time is after the end time the result is returned with absolute values. |
DATE_PARSE | Parses a date and returns an object representation. Fields include the iso8601 and unix timestamp representations and numerical breakdowns. Useful for parsing dates that would be otherwise ambiguous, like 01/02/2023, before passing them to DATE to be formatted. The date is parsed based on the format string, which uses the ruby strptime (Time) syntax. If format is omitted, DATE_PARSE attempts to guess the format. Optionally, the timezone can be specified with values from the tz database. Natural language parsing is handled by chronic. |
DAY | Returns the day of the month for the specified date. Accepted Format: year-month-day (year/month/day) |
DISTANCE_OF_TIME_IN_WORDS | Returns the distance between two times in words for the provided date/time. Defaults to the current time if "from" is unspecified. Distances for seconds below 1 minute and 29 seconds are reported based on the following table: 0-4 secs # => less than 5 seconds 5-9 secs # => less than 10 seconds 10-19 secs # => less than 20 seconds 20-39 secs # => half a minute 40-59 secs # => less than a minute 60-89 secs # => 1 minute |
HOUR | Returns the hour of the day for the specified date. Accepted Formats: T17:49:01+0000, 17:49:01, or 2022-03-19T17:49:01+0000 |
MINUTE | Returns the minute of the hour for the specified date. Accepted Formats: T17:49:01+0000, 17:49:01, or 2022-03-19T17:49:01+0000 |
MONTH | Returns the month of the year for the specified date. Accepted Format: year-month-day (year/month/day) |
NOW | Returns the current date and time. |
SECOND | Returns the second of the minute for the specified date. |
TODAY | Returns the current date |
UNIX_TIMESTAMP | Returns the current unix timestamp, i.e. the number of seconds since midnight on 1 January 1970 |
YEAR | Returns the year for the specified date. |
Hashing/Signing
Function | Summary |
---|---|
AES_DECRYPT | Decrypts text using AES The input must be AES-256-CBC Base64 encoded or be the direct output of AES_ENCRYPT. An initialization vector can optionally be passed as a third argument. |
AES_ENCRYPT | Encrypts text using AES The output is encoded with character set "[A-Za-z0-9+/=.]" (base64 + '.'). An initialization vector can optionally be passed as a third argument. The mode should be set to "aead" for additional security. When the mode is "aead" you can also set expires_in, which defines the number of seconds before the ciphertext will be rejected by AES_DECRYPT. Note, the secret key must be 32 characters long. |
GENERATE_RSA_KEYS | Generates a pair of public and private keys using the RSA encryption algorithm. The key size can be either 2048 or 4096, and the default is 2048. |
HMAC_SHA1 | Converts text into a SHA-1 hash using a hash message authentication code (HMAC). |
HMAC_SHA1_BASE64 | Converts text into a Base64 encoded SHA-1 hash using a hash message authentication code (HMAC). |
HMAC_SHA256 | Converts text into a SHA-256 hash using a hash message authentication code (HMAC). |
HMAC_SHA256_BASE64 | Converts text into a Base64 encoded SHA-256 hash using a hash message authentication code (HMAC). |
JWT_SIGN | Creates a JSON Web Token from the input claim set using either RS256 (default), HS256 or ES256. |
MD5 | Calculates the hex encoded MD5 hash of some text. |
MD5_BASE64 | Calculates the Base64 encoded MD5 hash of text. |
RSA_AES_HYBRID_DECRYPT | Decrypts data that was encrypted with |
RSA_AES_HYBRID_ENCRYPT | Encrypts data of arbitrary length using a provided public or private RSA key, in a hybrid cryptosystem internally using AES. A padding choosing from "PKCS1_PADDING", "PKCS1_OAEP_PADDING" and "SSLV23_PADDING" can be passed in with "PKCS1_PADDING" being the default. |
RSA_DECRYPT | Decrypts encrypted data using a public or private key. A padding choosing from "PKCS1_PADDING", "PKCS1_OAEP_PADDING" and "SSLV23_PADDING" can be passed in with "PKCS1_PADDING" being the default. |
RSA_ENCRYPT | Encrypts data using a public or private key. A padding choosing from "PKCS1_PADDING", "PKCS1_OAEP_PADDING" and "SSLV23_PADDING" can be passed in with "PKCS1_PADDING" being the default. |
SHA1 | Calculates the sha1 hash of text. |
SHA256 | Calculates the sha256 hash of text, expressed in hex. |
SHA256_BASE64 | Calculates the sha256 hash of the text, expressed in base64. |
SHA512 | Calculates the sha512 hash of text. |
ZSCALER_OBFUSCATE_API_KEY | Obfuscates a Zscaler API key using the function described in the Zscaler API documentation. For the "now" argument provide the current time in milliseconds since the epoch with DATE(NOW(), "%s%L"). |
Data Parsing/Conversion
Function | Summary |
---|---|
BASE64URL_DECODE | Decode URL-safe Base64 encoded text. |
BASE64URL_ENCODE | Encode text to URL-safe Base64 encoded text. |
BASE64_DECODE | Decode Base64 encoded text. |
BASE64_ENCODE | Encode text using the Base64 encoding algorithm. |
COMBINE_COLUMNS_AND_ROWS | Combines labeled columnar data into a list of objects. Useful for processing data returned from APIs like Snowflake, Databricks, or Google Sheets. |
CSV_PARSE | Parses CSV-formatted text with auto-detection of the delimiter character and parses output into an array of arrays. |
CSV_PARSE_TO_OBJECTS | Parses CSV-formatted text with auto-detection of the delimiter character and parses output into an array of objects. |
EML_PARSE | Takes text containing EML (RFC822) content and parses out information such as |
GUNZIP | Decompresses from a gzip. If there are multiple files in the archive the results are concatenated. |
GZIP | Compresses a single file with gzip |
HCL_PARSE | Parses Hashicorp Configuration Language (HCL) text |
HEX_PARSE | Converts hexadecimal text into the text or data it represents |
JSON_PARSE | Parses escaped JSON text. If used in a formula field, it will return a JSON object; if used inside a text field it will return unescaped JSON text. |
LDIF_PARSE | Parse text from a LDAP Data Interchange Format (LDIF) file into an object |
MIME_HEADER_DECODE | Decodes email header fields encoded in accordance with RFC 2047. |
MSG_PARSE | Takes the contents of an .msg file (Outlook item/email) and parses out information such as By default headers are truncated on newline characters. To parse full headers set the extract_multiline_headers optional parameter to TRUE Output is consistent with |
NEAT_JSON | Formats and "pretty prints" an object in JSON. |
OBJECTS_TO_CSV | Parses an array of objects with the same keys into CSV-formatted text. Headers are optional, if none are provided the keys of the first object are used. |
PARSE_URL | Returns an object that representing the parsed url |
TAR | Creates a tarball for a list of files |
TO_CSV | Convert an array of arrays into CSV-formatted text. |
TO_HEX | Converts text or data into hexadecimal text. |
TO_JSON | Convert an object into JSON text. |
TO_XML | Converts an object into XML, root element name is optional. |
TO_YAML | Converts an object into YAML |
UNTAR | Extracts a list of files from a tarball. |
UNZIP | Extracts files from a ZIP archive. |
XML_PARSE | Takes text containing XML and parses to an object |
YAML_PARSE | Takes text containing YAML and parses to an object |
ZIP | Creates a ZIP archive containing a given file or files. If the optional password parameter is present then the archive will be password protected. The function can also accept an array of file objects as its first argument. The file object must contain either contents or base64encoded contents, a file name and optionally can specify the created_at date in ISO8601 format. If the output of the ZIP function is being included in event data, it should be wrapped in the BASE64_ENCODE function to avoid errors - e.g. |
IP Addresses
Function | Summary |
---|---|
IN_CIDR | Checks if an IP address is in a given CIDR block. |
IS_IPV4 | Checks if a text value is a valid IPV4 address. |
IS_IPV6 | Checks if a text value is a valid IPV6 address. |
IS_IP_ADDRESS | Checks if a text value is a valid IP address |
Lambdas
Function | Summary |
---|---|
COUNTIF | Returns the count of all elements in an array that are equal to the comparison argument. |
FILTER | Filters an array or an object by a lambda function or an array of values to keep. If the target is an array, the lambda must take one argument: the value. If the target is an object, the lambda can take one or two arguments. If the lambda takes one argument, the argument is the value. If the lambda takes two arguments, the first argument is the key and the second argument is the value. |
FIND | Returns the first element in the array for which the lambda returns true. |
LAMBDA | Creates a custom, reusable function. The last argument is the calculation you want to perform, all previous arguments are the parameters for this calculation |
MAP_LAMBDA | Return an array that is the result of calling lambda with each element of the input array. |
REDUCE | Iterates over elements in an array, applying a specified lambda function to accumulate a result. This function takes 3 arguments
|
REJECT | Rejects items from an array or an object by a lambda function or an array of values to remove. If the target is an array, the lambda must take one argument: the value. If the target is an object, the lambda can take one or two arguments. If the lambda takes one argument, the argument is the value. If the lambda takes two arguments, the first argument is the key and the second argument is the value. |
Story Metadata
Function | Summary |
---|---|
PROMPT | Emit a URL that when visited will cause the current action to emit a new event. Text is optional, if provided will be available in the status field of the emitted event. Prompt docs |
STORY_RUN_GUID | Returns the GUID of the currently executing story run. |
STORY_RUN_LINK | Returns a link to the currently executing story run. Mode can be set to "action" to return a link to the action with events filtered by story run. |
WORKBENCH_LINK | Produces a URL that when visited will load the incoming event data in Workbench for a user, so long as they have permission to see the event. |
Other
Function | Summary |
---|---|
TYPE | Outputs the type (class) of the specified value. |
Strings
Function | Summary |
---|---|
IS_EMAIL | Checks if a text value follows the email standard. This not guarantee that it's a valid email. |
IS_IPV4 | Checks if a text value is a valid IPV4 address. |
IS_IPV6 | Checks if a text value is a valid IPV6 address. |
IS_JSON | Checks if a text value is valid JSON. |
IS_URL | Checks if a text value follows the url standard. This not guarantee that it's a valid url. |
IS_XML | Checks if a text value is valid XML. |
IS_YAML | Checks if a text value is valid YAML. |
RANDOM_STRING | Returns a string of random characters. The function takes three optional arguments: length, mode, and custom. length determines the length of the string (default 16). mode determines the type of characters in the string. The options are "alphanumeric", "custom", "hex", "letters", "numbers" (default "alphanumeric"). The custom_characters argument is only used when mode is set to "custom". It is a string of characters that will be used to generate the random string. |