This section contains the reference information for database functions. Database functions are used within the select and sort (for value functions) statements in advanced reports, and take either database fields or other database functions as arguments. They allow the values from database fields to be modified before they are added to the result of running a query.
Database functions are divided into three types: key functions, which return a database key, value functions, which return a database value, and time functions, which operate on time. Each function can be used wherever the corresponding field can be used. They can each be used in a database select, to add a column to the resulting table. Value functions only can also be used in a sort statement, to sort the resulting table on that column.
countryCode takes a single argument
which must be an IPv4 address. The
address can either be an address field (eg
sourceAddress), or a literal address
(eg "64.151.76.40"). It returns the ISO 3166 country
code of the country in which the address is located,
if known. If the country is not known, or the parameter
is not an IPv4 address, then the empty string
is returned.
countryName takes a single argument
which must be an IPv4 address. The
address can either be an address field (eg
sourceAddress), or a literal address
(eg "64.151.76.40"). It returns the name of the country
in which the address is located, if known. If the
country is not known, or the parameter is not an IPv4
address, then the empty string is returned.
hostname takes a single argument
which can be a UUID or a
MAC address. The
argument can either be a key field (eg
macSource or uuid), or a literal address or UUID
(eg "00248C70AB58" or
"6ba7b811-9dad-11d1-80b4-00c04fd430c8"). It returns
the hostname associated with the UUID or MAC address,
if know through host sFlow. If the address is not a
UUID or MAC address, or the hostname cannot be
determined, then the empty string is returned.
ifAlias takes a single argument which
must be an interface field (note that
ifAlias does not take an
ifIndex parameter). It returns the
ifAlias of the interface, if known. If the ifAlias is not
known, or the parameter is not an interface, then the
empty string is returned.
ifName takes a single argument which
must be an interface field (note
that ifName does not take an
ifIndex parameter). It returns
the ifName of the interface, if known. If the ifName is
not known, or the parameter is not an interface, then
the empty string is returned.
locate takes a single argument
which must be an address. The
address can either be an address field (eg
sourceAddress), or a literal address
(eg "64.151.76.40"). It returns the
interface where the address is
most likely to be located in the monitored network, if
it can be determined. If the location cannot be
determined, then the empty string is returned. Note
that the address of an external system would most
likely be located on a router interface. The location
of an address can only be determined if network
traffic from that address has been observed.
locateSwitch takes a single argument
which must be an address. The
address can either be an address field (eg
sourceAddress), or a literal address
(eg "64.151.76.40"). It works in the same way as
Section 16.4.1.6, “locate”,
but returns only the switch where the address is most
likely to be located, rather than the complete
interface. If the location cannot be
determined, then the empty string is returned.
mac takes a single argument
which must be an address. The
address can either be an address field (eg
sourceAddress), or a literal address
(eg "64.151.76.40"). It returns the most likely MAC
address associated with the address if can be
determined. If the address is already a MAC address,
then it will be returned. If the MAC cannot be
determined, then the empty string is returned.
The MAC address associated with a layer 3 address can
only be determined if network traffic from that
address has been observed.
parent takes a single argument
which can be a hostname, a
MAC address or a
UUID. The
argument can either be a key field (eg
hostname, macSource, or uuid), or a literal hostname,
address or UUID (eg "google.com", "00248C70AB58" or
"6ba7b811-9dad-11d1-80b4-00c04fd430c8"). It returns
the hostname, MAC address or UUID (respectively)
associated with the parent of the host identified by
the hostname, MAC address or UUID specified.
parent is used to find system
containment. For example, the parent of a virtual host
is the physical host that is running the virtual one.
To select the hostname of parent, of the host with
hostname server.inmon.com
in a host counters query, use this field in the select
statement:
parent("server.inmon.com")
To select the UUID of the parent, of the host with UUID
6ba7b811-9dad-11d1-80b4-00c04fd430c8
in a host counters query, use this field in the select
statement:
parent("6ba7b811-9dad-11d1-80b4-00c04fd430c8")
resolve takes a single argument
which must be an address or
port field. It returns
the resolved name of the address or port, if known. If
the resolved name is not known, or the parameter is
not an address or port, then the empty string is
returned. Note that resolve only works with the
highest layer port fields
(eg sourcePort), not with the
numeric ports (such as
tcpSourcePort).
subnet takes a single argument which
must be an IP address field. It returns the name of the
smallest defined subnet that the address belongs to.
If the address does not belong to a subnet, then the
name of the external subnet is returned. If the
parameter is not an IP address, then the empty string
is returned. For this function to be useful, subnets
must have first been defined in sFlowTrend-Pro; see
Section 13.3, “Configuring subnets in sFlowTrend-Pro 
” for more
information.
uuid takes a single argument
which can be a hostname or a
MAC address. The
argument can either be a key field (eg
macSource or hostname), or a literal address or
hostname (eg "00248C70AB58" or
"google.com"). It returns
the UUID associated with the MAC address or hostname,
if know through host sFlow. If the hostname or
address is not valid, or the UUID cannot be
determined, then the empty string is returned.
vendor takes a single argument
which must be a MAC address. The
address can either be an address field (eg
sourceAddress), or a literal address
(eg "00248C70AB58"). It returns the vendor associated
with the address. If the address is not a MAC address
or the vendor cannot be determined, then the empty
string is returned.
wifiCipherSuiteFormatted takes a
single argument, which must be the cipher suite field
(wifiCipher). It returns the
formatted hex string (OUI-OUI-OUI-Suite) of the cipher
suite represented by that field. If the
field is not a cipher suite, or no cipher suite is
available, then the empty string is returned.
wifiCipherSuiteName takes a single
argument, which must be the cipher suite field
(wifiCipher). It returns the name
of the cipher suite represented by that field. If the
field is not a cipher suite, or no cipher suite is
available, then the empty string is returned.
wifiVersionName takes a single
argument, which must be a wifi version field, and
returns the common name of the version (eg
802.11b, 802.11g,
etc). If the field is not a wifi version field, or no
version is available, then the empty string is returned.
count is an unusual function, which
takes any number of key fields
as arguments, and returns a value
field. It counts the
number of unique combinations of all the key fields
observed. This is useful if you are trying to
understand for example, how many different connections
a host made, rather than the specifics of each
connection.
max returns the larger of the values
of two value fields. Either or both of the fields can
also be other value functions, in addition to constant
fields, to allow more complex expressions to be
created. max is most useful when
both the arguments are of similar type - eg frames,
or bytes, etc.
To select the larger of ingress frames and egress
frames, use this field in the select statement:
max(framesIn, framesOut)
To select the larger of the ingress frames per second
and egress frames per second, you would use a
combination of the max function and
the rate function (see
Section 16.4.2.4, “rate”):
max(rate(framesIn), rate(framesOut))
min returns the smaller of the values
of two value fields. Either or both of the fields can
also be other value functions, in addition to constant
fields, to allow more complex expressions to be
created. min is most useful when
both the arguments are of similar type - eg frames,
or bytes, etc.
rate takes a single value field as
a parameter, and converts it to a value per second (ie
a rate). For example, it would convert a frames field
into frames per second.
scale takes a single value field as
a parameter, and scales it by a constant factor, given
as the second argument. The factor can be a real
number. This is very useful to convert a bytes field
into bits - use a scale factor of 8.
format takes up to three arguments:
the first must be the time field
(time).
The second, optionally, is a Java time and date format
string that will be used to format time which is in
today. The third argument is a format string that will
be used to format time that is not in today. If the
second argument is missing, the same format string will
be used to format all time, regardless of whether it
is in today or not. If both the second and third
arguments are missing, then default formats are used,
which formats time in today with a short time
(no date), and formats time in other days in with a
short time and date.
For documentation on how to construct a format string, please see the Java data format documentation
To select time formatted with the default formatter,
use this field in the select statement:
format(time)
To select time formatted as 24 hour time, without the
date, for today, and including a short date for other
days, use this field in the select statement:
format(time, "HH:mm", "dd/MM/yy HH:mm")
timestamp takes a single argument
which must be the time field (time),
and returns the timestamp corresponding to the time.
The timestamp is the number of milliseconds since
January 1st, 1970.