Scalar Functions
Introduction to Scalar Functions
Scalar function overview and categories
Scalar functions take one or more values and return a single value. Use them in project, extend, and where expressions to transform or compute values per row:
logs
| extend hour = hourofday(timestamp), msg = tolower(body)
| where strlen(msg) > 100For a full introduction to writing queries, see Writing Queries.
String Functions
| Function | Description |
|---|---|
| contains | Indicate whether a string contains another string (case-insensitive). |
| contains_cs | Indicate whether a string contains another string (case-sensitive). |
| countof | Counts occurrences of a substring in a string. |
| endswith | Indicate whether a string ends with another string (case-insensitive). |
| endswith_cs | Indicate whether a string ends with another string (case-sensitive). |
| extract | Extracts a match for a regular expression from a string. |
| extract_all | Extracts all matches for a regular expression from a string. |
| has | Indicate whether a string contains a whole word (case-insensitive, word boundary matching). |
| has_any_index | Returns the index of the first matching value in the source string. |
| has_cs | Indicate whether a string contains a whole word (case-sensitive, word boundary matching). |
| hasprefix | Indicate whether a string starts with a word prefix (case-insensitive, word boundary matching). |
| hasprefix_cs | Indicate whether a string starts with a word prefix (case-sensitive, word boundary matching). |
| hassuffix | Indicate whether a string ends with a word suffix (case-insensitive, word boundary matching). |
| hassuffix_cs | Indicate whether a string ends with a word suffix (case-sensitive, word boundary matching). |
| indexof | Returns the zero-based index of the first occurrence of a substring. |
| matches regex | Returns true if the string matches the regular expression pattern. |
| parse_command_line | Tokenize a command-line string into a dynamic array of arguments. |
| parse_url | Parses a URL string and returns a dynamic object with URL components. |
| parse_urlquery | Parses a URL query string and returns a dynamic object. |
| parse_version | Converts a version string to a comparable decimal number. |
| punycode_from_string | Encode a Unicode string into Punycode (the ACE form defined in RFC 3492). |
| punycode_to_string | Decode a Punycode (RFC 3492 ACE) string back to its Unicode form. |
| replace_regex | Replaces all regex matches with another string. |
| replace_string | Replaces all occurrences of a string with another string. |
| replace_strings | Replaces multiple string pairs in the source. |
| reverse | Reverses the input string. |
| split | Splits a string by a delimiter and returns an array. |
| startswith | Indicate whether a string starts with another string (case-insensitive). |
| startswith_cs | Indicate whether a string starts with another string (case-sensitive). |
| strcat | Concatenates between 1 and 64 arguments. |
| strcat_array | Concatenates array elements into a string using the specified delimiter. |
| strcat_delim | Concatenates strings with a delimiter. |
| strcmp | Compares two strings and returns -1, 0, or 1. |
| strlen | Returns the length of the input string in characters. |
| strrep | Repeats a string a specified number of times. |
| substring | Extracts a substring from the source string starting at the specified position. |
| tolower | Converts a string to lower case. |
| toupper | Converts a string to upper case. |
| translate | Replaces characters in a string based on character mapping. |
| trim | Removes leading and trailing match of the specified regex from the source string. |
| trim_end | Removes trailing match of the specified regex from the source string. |
| trim_start | Removes leading match of the specified regex from the source string. |
| url_decode | URL-decodes a string. |
| url_encode | URL-encodes a string. |
Date & Time Functions
| Function | Description |
|---|---|
| ago | Subtracts the given timespan from the current query timestamp. |
| datetime_add | Adds a specified amount to a datetime value. |
| datetime_diff | Returns the difference between two datetime values. |
| datetime_local_to_utc | Converts a local datetime to UTC. |
| datetime_part | Extracts the specified part from a datetime value. |
| datetime_utc_to_local | Converts a UTC datetime to local time. |
| dayofmonth | Extracts the day of month (1-31) from a datetime value. |
| dayofweek | Returns the timespan since the preceding Sunday. |
| dayofyear | Extracts the day of year (1-366) from a datetime value. |
| endofday | Returns the end of the day for the given datetime. |
| endofmonth | Returns the end of the month for the given datetime. |
| endofweek | Returns the end of the week for the given datetime. |
| endofyear | Returns the end of the year for the given datetime. |
| format_datetime | Formats a datetime value as a string. |
| format_timespan | Formats a timespan value as a string. |
| getyear | Extracts the year from a datetime value. |
| hourofday | Extracts the hour (0-23) from a datetime value. |
| ingestion_time | Return the ingestion timestamp of the current row, as recorded by the nursery in the synthetic ingest_time column. |
| make_datetime | Creates a datetime value from components. |
| make_timespan | Creates a timespan value from components. |
| monthofyear | Extracts the month (1-12) from a datetime value. |
| now | Returns the current query timestamp as a datetime value. |
| startofday | Returns the start of the day for the given datetime. |
| startofmonth | Returns the start of the month for the given datetime. |
| startofweek | Returns the start of the week for the given datetime. |
| startofyear | Returns the start of the year for the given datetime. |
| todatetime | Convert the input to a datetime. |
| totimespan | Convert the input to a timespan. |
| unixtime_microseconds_todatetime | Converts Unix time in microseconds to a datetime value. |
| unixtime_milliseconds_todatetime | Converts Unix time in milliseconds to a datetime value. |
| unixtime_nanoseconds_todatetime | Converts Unix time in nanoseconds to a datetime value. |
| unixtime_seconds_todatetime | Converts Unix time in seconds to a datetime value. |
| weekofyear | Extracts the ISO week number (1-53) from a datetime value. |
Dynamic / JSON Functions
| Function | Description |
|---|---|
| array_concat | Concatenate dynamic arrays into a single dynamic array. |
| array_iff | Element-wise select between two values based on a boolean-array condition. |
| array_index_of | Return the zero-based index of the first occurrence of lookup in array, optionally starting at start_index. |
| array_length | Return the number of elements in an array. |
| array_reverse | Return a dynamic array with the elements in reverse order. |
| array_rotate_left | Rotate a dynamic array by count positions to the left. |
| array_rotate_right | Rotate a dynamic array by count positions to the right. |
| array_shift_left | Shift the elements of a dynamic array by count positions to the left. |
| array_shift_right | Shift the elements of a dynamic array by count positions to the right. |
| array_slice | Return a contiguous subrange of array between inclusive start and inclusive end indices. |
| array_sort_asc | Sort a dynamic array in ascending order. |
| array_sort_desc | Sort a dynamic array in descending order. |
| array_split | Split a dynamic array at one or more indices. |
| array_sum | Sum the numeric elements of a dynamic array and return a real. |
| bag_has_key | Return true if the property bag contains the given key. |
| bag_keys | Returns an array of all the keys in a property bag (dynamic object). |
| bag_merge | Merge property bags into a single bag using first-wins collision resolution. |
| bag_pack | Create a property bag (dynamic object) from key-value pairs. |
| bag_pack_columns | Create a dynamic property bag whose keys are column names and whose values are the corresponding column values for the current row. |
| bag_remove_keys | Remove specified keys from a property bag. |
| bag_set_key | Return the property bag with the given key set to value, inserting or overwriting. |
| column_ifexists | If a column named column_name exists in the current row set, return its value for the current row; otherwise evaluate and return default. |
| extract_dynamic | Extract a value from a dynamic value using a JSONPath expression. |
| extract_json | Extract a value from a JSON string using a JSONPath expression. |
| jaccard_index | Return the Jaccard similarity |A ∩ B| / |A ∪ B| of two dynamic arrays treated as sets. |
| pack_all | Create a property bag containing all column values. |
| pack_array | Build a dynamic array from the given arguments, in order. |
| parse_json | Parse a JSON string into a dynamic value. |
| range | Generates an array of values in a specified range. |
| repeat | Build a dynamic array by repeating value count times. |
| set_difference | Return the distinct elements of the first dynamic array that are not present in any of the remaining arrays, preserving first-seen order. |
| set_has_element | Return true if value exists in the dynamic array. |
| set_intersect | Return the distinct elements that appear in every dynamic array argument, preserving first-seen order from the first array. |
| set_union | Return the distinct elements from all dynamic-array arguments, preserving first-seen order. |
| treepath | Enumerate the JSON paths (in bracket notation) reachable inside a dynamic value. |
| zip | Zip two or more dynamic arrays element-wise. |
Math Functions
| Function | Description |
|---|---|
| abs | Returns the absolute value of a numeric expression, preserving the input type. |
| acos | Returns the arc cosine of the input (in radians). |
| asin | Returns the arc sine of the input (in radians). |
| atan | Returns the arc tangent of the input (in radians). |
| atan2 | Returns the angle (in radians) between the positive x-axis and the point (x, y). |
| beta_cdf | Regularised incomplete-beta CDF of Beta(α, β) at x. |
| beta_inv | Inverse CDF (quantile) of Beta(α, β) at probability p. |
| beta_pdf | Probability density of Beta(α, β) at x. |
| bin | Round values down to a bin of a given bin size. |
| bin_at | Round values down to a bin of a given size relative to a fixpoint. |
| bin_auto | Automatically bins datetime values into human-friendly intervals based on the query time range. |
| bitset_count_ones | Return the number of set bits in the two's-complement representation of an integer. |
| ceiling | Calculates the smallest integer greater than, or equal to, the specified numeric expression. |
| cos | Returns the cosine of the input angle in radians. |
| cot | Returns the cotangent of the input angle in radians. |
| degrees | Converts radians to degrees. |
| erf | Error function erf(x) = (2/√π) ∫₀ˣ e^{-t²} dt. |
| erfc | Complementary error function erfc(x) = 1 - erf(x). |
| exp | Returns e raised to the power of the numeric expression. |
| exp10 | Returns 10 raised to the power of the numeric expression. |
| exp2 | Returns 2 raised to the power of the numeric expression. |
| floor | Rounds values down to a fixed-size bin. |
| gamma | Gamma function Γ(x). |
| isfinite | Returns whether the input is a finite value (not infinity and not NaN). |
| isinf | Returns whether the input is an infinite value (positive or negative infinity). |
| isnan | Returns whether the input is NaN (Not a Number). |
| log | Returns the natural logarithm of the numeric expression. |
| log10 | Returns the base-10 logarithm of the numeric expression. |
| log2 | Returns the base-2 logarithm of the numeric expression. |
| loggamma | Natural log of the absolute value of the gamma function, equivalent to lgamma(x) in C99. |
| max_of | Return the maximum of 2 to 64 comparable arguments. |
| min_of | Return the minimum of 2 to 64 comparable arguments. |
| pi | Returns the constant value of Pi. |
| pow | Returns the value raised to the specified power. |
| radians | Converts degrees to radians. |
| rand | Return a pseudo-random real. |
| round | Returns the rounded number to the specified precision. |
| sign | Returns the sign of a numeric expression (-1, 0, or 1), preserving the input type. |
| sin | Returns the sine of the input angle in radians. |
| sqrt | Returns the square root of the numeric expression. |
| tan | Returns the tangent of the input angle in radians. |
| welch_test | Two-tailed p-value for the Welch unequal-variances t-test given the mean, variance, and count of each of two samples. |
Type Functions
| Function | Description |
|---|---|
| estimate_data_size | Estimates the data size in bytes for the specified columns. |
| gettype | Return the runtime type of a value as a string. |
| isempty | Returns true if the argument is an empty string or is null. |
| isnotempty | Returns true if the argument is not an empty string and is not null. |
| isnotnull | Returns true if the value is not null. |
| isnull | Returns true if the value is null. |
| new_guid | Returns a random GUID string. |
| to_numeric | Extract numeric value from dynamic or pass through numeric types. |
| tobool | Convert the input to a boolean. |
| todouble | Convert the input to a floating point number. |
| toguid | Validates and normalizes a string as a GUID. |
| tohex | Converts a number to a hexadecimal string. |
| toint | Convert the input to a 32-bit integer. |
| tolong | Convert the input to a 64-bit integer. |
| tostring | Convert the input to a string. |
IP Address Functions
| Function | Description |
|---|---|
| parse_ipv4 | Converts an IPv4 string to a long number. |
| parse_ipv4_mask | Converts an IPv4 string and netmask to a long number. |
| parse_ipv6 | Converts an IPv6 string to a canonical string representation. |
| parse_ipv6_mask | Converts an IPv6 string and netmask to a canonical string representation. |
Encoding Functions
| Function | Description |
|---|---|
| base64_decode_toarray | Decodes a base64 string to an array of long values. |
| base64_decode_toguid | Decodes a base64 string to a GUID. |
| base64_decode_tostring | Decodes a base64 string. |
| base64_encode_fromguid | Encodes a GUID to base64. |
| base64_encode_tostring | Encodes a string to base64. |
Series Functions
| Function | Description |
|---|---|
| series_abs | Calculates the absolute value of each element in a numeric series. |
| series_acos | Apply acos element-wise to a numeric dynamic series. |
| series_add | Element-wise addition of two numeric series. |
| series_asin | Apply asin element-wise to a numeric dynamic series. |
| series_atan | Apply atan element-wise to a numeric dynamic series. |
| series_avg | Returns the average (mean) of all elements in a numeric series, ignoring null values. |
| series_ceiling | Rounds each element up to the nearest integer. |
| series_cos | Apply cos element-wise to a numeric dynamic series. |
| series_cosine_similarity | Cosine similarity (a·b)/(|a|·|b|) of two equal-length numeric series. |
| series_decompose | Decompose a numeric time series into baseline, seasonal, trend, and residual components. |
| series_decompose_anomalies | Detects anomalies in a time series using decomposition and outlier detection. |
| series_decompose_forecast | Extend a numeric time series forward by points samples by decomposing into trend + seasonal components and extrapolating both. |
| series_divide | Element-wise division of two numeric series. |
| series_dot_product | Dot product Σ aᵢ·bᵢ of two equal-length numeric series. |
| series_equals | Element-wise equality comparison of two series. |
| series_exp | Calculates the exponential (e^x) of each element. |
| series_fft | Compute the Fast Fourier Transform of a series. |
| series_fill_backward | Fills missing values in a series by propagating the next valid value backward. |
| series_fill_const | Fills missing values in a series with a constant value. |
| series_fill_forward | Fills missing values in a series by propagating the previous valid value forward. |
| series_fill_linear | Fills missing values in a series using linear interpolation. |
| series_fir | Applies a Finite Impulse Response (FIR) filter to a series. |
| series_fit_2lines | Fit two lines (piecewise linear) to the series. |
| series_fit_2lines_dynamic | Piecewise-linear best fit of a numeric series with change-point search. |
| series_fit_line | Fit a line to the series using linear regression. |
| series_fit_line_dynamic | Closed-form ordinary-least-squares fit of a numeric series, returned as a property bag shaped like Microsoft Kusto's output: { slope, interception, rsquare, variance, rvariance, line_fit: [...] } |
| series_fit_poly | Applies polynomial regression to a series, fitting a curve of the specified degree. |
| series_floor | Rounds each element down to the nearest integer. |
| series_greater | Element-wise greater-than comparison of two series. |
| series_greater_equals | Element-wise greater-than-or-equal comparison of two series. |
| series_ifft | Compute the Inverse Fast Fourier Transform. |
| series_iir | Applies an Infinite Impulse Response (IIR) filter to a series. |
| series_less | Element-wise less-than comparison of two series. |
| series_less_equals | Element-wise less-than-or-equal comparison of two series. |
| series_log | Calculates the natural logarithm of each element. |
| series_magnitude | Euclidean L2 norm of a numeric series - sqrt of the sum of squares. |
| series_max | Returns the maximum value in a numeric series, ignoring null values. |
| series_min | Returns the minimum value in a numeric series, ignoring null values. |
| series_multiply | Element-wise multiplication of two numeric series. |
| series_not_equals | Element-wise inequality comparison of two series. |
| series_outliers | Detects outliers in a series using the Tukey fence method. |
| series_pearson_correlation | Calculate the Pearson correlation coefficient between two series. |
| series_periods_detect | Detects periodic patterns in a time series using FFT-based spectral analysis. |
| series_periods_validate | Validates expected periods in a time series using FFT spectral analysis. |
| series_pow | Element-wise power operation (base^exponent) of two numeric series. |
| series_product | Product of all elements in the series (real). |
| series_seasonal | Calculates the seasonal component of a series using median of values at same phase. |
| series_sign | Returns the sign of each element (-1 for negative, 0 for zero, 1 for positive). |
| series_sin | Apply sin element-wise to a numeric dynamic series. |
| series_stats | Computes statistics (min, max, avg, stdev, variance) for a numeric series. |
| series_stats_dynamic | Computes statistics for a numeric series and returns as a property bag. |
| series_stdev | Returns the population standard deviation of all elements in a numeric series, ignoring null values. |
| series_subtract | Element-wise subtraction of two numeric series. |
| series_sum | Returns the sum of all elements in a numeric series, ignoring null values. |
| series_tan | Apply tan element-wise to a numeric dynamic series. |
Conditional Functions
| Function | Description |
|---|---|
| case | Evaluates predicates in order and returns the first matching value. |
| coalesce | Returns the first non-empty value (not null and not empty string). |
| iff | Evaluates the predicate and returns value_if_true or value_if_false. |
Logging Functions
| Function | Description |
|---|---|
| extract_log_template | Normalizes a string into a structural template by replacing variable tokens (numbers, UUIDs, IPs, hex values, quoted strings) with typed placeholders. |
| log_template_hash | Computes a hash of the structural log template, for grouping similar logs without allocating the template string. |
| log_template_regex | Generates a regex pattern that matches log lines with the same structural template. |
Other Functions
| Function | Description |
|---|---|
| current_table | Returns the table name for the current row. |
| dcount_hll | Calculate the distinct count from an HLL representation. |
| otel_histogram_percentile | Extract a percentile from a merged OpenTelemetry histogram (output of otel_histogram_merge). |
| percentile_array_tdigest | Extract a dynamic array of percentiles from a sketch aggregate produced by tdigest(). |
| percentile_tdigest | Calculate the percentile from a t-digest representation. |
| percentrank_tdigest | Return the approximate percentile rank of value in a t-digest / DDSketch sketch produced by the tdigest() aggregate. |
| rank_tdigest | Return the approximate count of items ≤ value in a t-digest / DDSketch sketch produced by the tdigest() aggregate. |
| row_number | Returns the current row number in the serialized row set. |