Mach5 KQL Support
Mach5 has its own Mach5 Query Language (MQL), a pipe-based query language based on Kusto Query Language (KQL) or Splunk Query Language (SQL). This document specifies in detail which KQL datatypes, operators, functions, etc. Mach5 supports as of today. Support for other datatypes, operators and functions is in the pipeline. This is a work-in-progress document and will be updated as and when new support is added. Detailed documentation for KQL can be found here.
Datatypes
Mach5 currently supports the following datatypes:
- bool
- datetime
- int
- long
- real
- string
- Null values
- IP Addresses
- CIDR
Tabular operators
Mach5 currently supports the following operators:
- as
- count
- extend
- sort
- project
- join (inner)
- summarize
- take
- union
- where
- render (visualisations supported for):
  - piechart
  - columnchart
  - areachart
Scalar operators
Mach5 currently supports the following scalar operators:
String operators
- contains
- !contains
- endswith
- !endswith
- == (Equals)
- != (Not equals)
- matches regex
- startswith
- !startswith
- isnull
- isnotnull
- contains_cs
- !contains_cs
- endswith_cs
- !endswith_cs
- startswith_cs
- !startswith_cs
Numerical operators
- < (Less)
- > (Greater)
- <= (Less or Equal)
- >= (Greater or Equal)
Aggregation functions
Mach5 currently supports the following aggregation functions:
Statistical functions
- avg()
- count()
- max()
- min()
- sum()
Row Selector functions
- take_any()
Scalar functions
Conditional functions
- iff()
Dynamic/array functions
- array_length()
Row Selector functions
- take_any()
String functions
- isempty()
- isnotempty()
- strcat()