accum

The `accum` operator calculates the cumulative sum of a field. It can be used to find a count by a specific time interval and a total running count across all intervals.

as

The `as` operator, typically used in conjunction with other operators, can also be used standalone to rename fields or to create new constant fields.

ASN lookup

Use this to look up an Autonomous System Number (ASN) and organization name by IP address.

backshift

The `backshift` operator helps you compare values as they change over time.

base64Decode

The `base64Decode` operator takes a base64 string and converts it to an ASCII string.

base64Encode

The `base64Encode` operator takes an ASCII string and converts it to a base64 string.

bin

The `bin` operator assigns output results to user defined bins.

cat

You can use the `cat` operator to view the contents of a lookup table. Not supported in auto refresh dashboards or scheduled searches.

CIDR

Sumo Logic's three CIDR operators work with Classless Inter-Domain Routing, notation to narrow the analysis of IPv4 networks to specific subnets.

compare

The `compare` operator can be used with the [Time Compare button](/docs/search/time-compare) in the Sumo UI, which generates correct syntax and adds it to your aggregate query.

concat

The `concat` operator allows you to concatenate or join multiple strings, numbers, and fields into a single user-defined field.

contains

The `contains` operator compares string values of two parsed fields and returns a boolean result based on whether the second field's value exists in the first.

decToHex

The `decToHex` operator converts a long value of 16 or fewer digits to a hexadecimal string using Two's Complement for negative values.

dedup

The `dedup` operator removes duplicate results. You have the option to remove consecutively and by specific fields.

diff

The `diff` operator calculates the rate of change in a field between consecutive rows.

fields

The `fields` operator allows you to specify which fields to display and their order in the results of a query.

fillmissing

The `fillmissing` operator allows you to specify groups that should be represented in data output.

filter

Use the `filter` operator to filter the output of a search based on the filtering criteria of a child query.

format

The `format` operator allows you to format and combine data from parsed fields.

formatDate

The `formatDate` operator formats dates in log files as a string in a different format, such as U.S. or European date formatting.

Geo Lookup (Map)

With the Geo Lookup (Map) operator, Sumo Logic can match a parsed IPv4 or IPv6 address to its geographical location on a map.

geoip

With the `geoip` operator, Sumo Logic can match a parsed IPv4 or IPv6 address to its geographical location on a map chart.

hash

The `hash` operator uses a cryptographic hash algorithm to obscure data into a random string value.

haversine

The `haversine` operator returns the distance between latitude and longitude values of two coordinates in kilometers.

hexToAscii

The `hexToAscii` operator converts a hexadecimal string to an ASCII string.

hexToDec

The `hexToDec` operator converts a hexadecimal string of 16 or fewer characters to a long data type using Two's Complement for negative values.

if, ?

The `if` and `?` expressions are used to evaluate a condition as either true or false, with values assigned for each outcome.

in

The `in` operator returns a Boolean value: true if the specified property is in the specified object, or false if it is not.

ipv4ToNumber

The `ipv4ToNumber` operator converts an Internet Protocol version 4 (IPv4) IP address from the octet dot-decimal format to a decimal format.

isNull, isEmpty, isBlank

The `isNull` operator checks a string and returns a boolean value, `isEmpty` if a string contains no characters, and `isBlank` if a string contains no characters, is only whitespace, and is null.

isNumeric

The `isNumeric` operator checks whether a string is a valid Java number.

isPrivateIP

The `isPrivateIP` operator checks if an IPv4 address is private and returns a boolean.

isPublicIP

The `isPublicIP` operator checks if an IPv4 address is public and returns a boolean.

isReservedIP

The `isReservedIP` operator checks if an IPv4 address is reserved as defined by RFC 5735 and returns a boolean.

isValidIP, isValidIPv4, isValidIPv6

The `isValidIP` operator checks if the value is a valid IP address. The `isValidIPv4` and `isValidIPv6` operators check if the value is a valid IPv4 or IPv6 address, respectively.

join

The `join` operator combines records of two or more data streams.

jsonArrayContains

Use the `jsonArrayContains` operator to determine whether a JSON array contains a particular item.

jsonArraySize

Use the `jsonArraySize` operator to determine the size of a JSON array.

length

The `length` operator returns the number of characters in a string.

limit

The `limit` operator reduces the number of raw messages or aggregate results returned.

lookup

The `lookup` operator returns one or more fields from a lookup table hosted by Sumo Logic and add the fields to the log messages returned by your query.

lookup (Classic)

The `lookup` (Classic) operator maps data in your log messages to meaningful information saved in Sumo or on an HTTPS server.

lookupContains

Use the `lookupContains` operator to determine whether a key exists in a lookup table. It will return a boolean value.

luhn

Uses Luhn’s algorithm to check message logs for strings of numbers that may be credit card numbers and then validates them.

Manually cast data to string or number

Most data in Sumo Logic is stored as a string data type. Metadata fields are stored as string data and parsed fields are by default parsed as string type data.

matches

The `matches` operator can be used to match a string to a wildcard pattern or an RE2 compliant regex.

now

The `now` operator returns the current epoch time in milliseconds.

num

The `num` operator converts a field to a double value, which is twice as accurate as a float value.

outlier

The `outlier` operator identifies values in a sequence that seem unexpected and would trigger an alert/violation.

predict

The `predict` operator ses a series of time-stamped numerical values to predict future values.

queryEndTime()

The `queryEndTime()` operator returns the end time of the search time range in milliseconds.

queryStartTime()

The `queryStartTime()` operator returns the start time of the search time range in milliseconds.

queryTimeRange()

The `queryTimeRange()` operator returns the time duration for the query being executed in milliseconds.

replace

The `replace` operator allows you to replace all instances of a specified string with another string.

rollingstd

The `rollingstd` operator finds the rolling standard deviation of a field, allowing you to identify changes over time.

save

The `save` operator allows you to save the results of a query to a lookup table you've already created.

save (Classic)

The `save` (classic) operator works with the classic Lookup Tables feature.

sessionize

The `sessionize` operator uses an extracted value from one log message to find correlating values in log messages from other systems.

smooth

The `smooth` operator calculates the rolling (or moving) average of a field, measuring the average of a value to "smooth" random variation.

sort

The `sort` operator orders aggregated search results.

substring()

The `substring` operator allows you to specify an offset that will output only part of a string, referred to as a substring.

threatip

Correlates threat intelligence data based on IP addresses from your log data, helping you detect threats in your environment.

timeslice()

The `timeslice` operator aggregates data by time period, so you can create bucketed results based on a fixed interval.

Timeslice Join Results

When you gather data using a join operator, you can slice data by time period using the `timeslice` operator.

toLowerCase, toUpperCase

The `toLowerCase` operator takes a string and converts it to all lower case letters.

top

Use the `top` operator with the sort operator to reduce the number of sorted results returned.

topk

The `topk` operator allows you to select the top values from fields and group them by fields.

total

The `total` operator inserts the sum of a set of fields into every row of the set.

tourl

The `tourl` operator provides you the ability to assign a short name that describes the URL.

trace

The `trace` operator acts as a highly sophisticated filter to connect the dots across different log messages.

transpose

Similar to a Pivot Table in Excel, the `transpose` operator allows you to take a list and turn it into a table in the Aggregates tab.

trim()

The `trim` operator eliminates leading and trailing spaces from a string field.

urldecode

The `urldecode` operator decodes a URL you include in a query, returning the decoded (unescaped) URL string.

urlencode

The `urlencode` operator encodes the URL into an ASCII character set.

where()

The `where` operator allows you to filter results based on a boolean expression.