Custom AQL function fields

Multiple fields are available to custom AQL functions.

namespace and name

  • Required: Yes
  • Default:
  • Case-sensitive: No
  • Whitespace- sensitive: Yes

The following table describes the namespace and name fields for custom AQL functions.

Table 1. Namespace and name fields
Field Description
namespace The first component that makes up the identifier of a custom AQL function.
name The second component that makes up the identifier of a custom AQL function.

Both values are case-insensitive and must be unique from all other custom functions. The Ariel database uses a concatenation of these fields to expose the custom function through AQL. For example:

  • namespace: :MyNamespace
  • name::MyFunction
  • AQL: MyNamespace: MyFunction

When you specify your custom function through AQL, you must employ double quotation marks when white space or special characters are used.

return_type

You use the return_type field to declare the script type that your custom function returns.

  • Required: Yes
  • Default:
  • Case-sensitive: No
  • Whitespace- sensitive: No
  • Example: String

The return value is automatically converted to the internal Java type that is interpreted by Ariel (QRadar®_type).

The following table describes acceptable script types for the return_type field.

Table 2. return_type field acceptable script types
Type Script type QRadar type
STRING String java.lang.String
NUMBER Number java.lang.Number
LONG Number java.lang.Long
HOST String com.q1labs.core.dao.util.Host
PORT Number com.q1labs.frameworks.nio.Port
BOOLEAN Boolean java.lang.Boolean

parameter_types

You use the parameter_types field to declare the type of each parameter that your custom function accepts.

  • Required: Yes
  • Default:
  • Case-sensitive: No
  • Whitespace- sensitive: No
  • Example: String, Number, Boolean

The incoming Java object is automatically converted to your declared script type.

The following table describes acceptable script types for the parameter_types field.

Table 3. parameter_type field acceptable script types
Type Script type QRadar type
STRING String java.lang.String
NUMBER Number java.lang.Number
LONG Number java.lang.Long
HOST String com.q1labs.core.dao.util.Host
PORT Number com.q1labs.frameworks.nio.Port
BOOLEAN Boolean java.lang.Boolean

Generally, when you pass parameters from AQL, most values are interoperable. If you find they are not, you can use AQL casting functions such as LONG and PORT.

Note: You can use an empty string if you accept no parameters.

varargs

If "true", variable arguments are used with your parameter_types value. You can specify the last type in your parameter_types string zero or more times.

If your parameter_types value is empty, this value has no meaning.

  • Required: No
  • Default: false
  • Case-sensitive: Yes
  • Whitespace- sensitive: Yes
  • Example: true

The way that you handle variable arguments depends on the script engine that you use. For JavaScript, you can use the built-in arguments variable:

function myFunction() {
   for(var i=0; i<arguments.length; i++)
   {
       //Do something with arguments[i]
   }
}

execute_function_name

The value of this field maps to the execution function in your custom function script. The Java programming language uses the parameters in your AQL string to call this function. It then uses the value that is returned in the calculations.

The execution function is called concurrently. It must be thread-safe.

  • Required: Yes
  • Default:
  • Case-sensitive: Yes
  • Whitespace- sensitive: Yes
  • Example: calculate

init_function_name

The value of this optional field maps to the initialization function in your custom function script. The Java programming language must call this function only once for a search. Place your expensive initialization code in this function so that your execution function is faster. Because this function is called once, it does not need to be thread-safe.

  • Required: No
  • Default:
  • Case-sensitive: Yes
  • Whitespace- sensitive: Yes
  • Example: onInit

finish_function_name

The value of this optional field maps to the finish function in your custom function script. The Java programming language calls this function only once for a search. However, there might be some situations in which it is never called. Close any resources that you hold onto within your script to prevent resource leaks. Because this function is called only once, it does not need to be thread-safe.

  • Required: No
  • Default:
  • Case-sensitive: Yes
  • Whitespace- sensitive: Yes
  • Example: onFinish

script_engine

The value of this field indicates the script engine that is used to interpret and invoke your script. The only supported script engine is JavaScript.

  • Required: Yes
  • Default:
  • Case-sensitive: No
  • Whitespace- sensitive: No
  • Example: javascript

script

The value of this field is the code for your custom function. It is interpreted based on the script_engine that you specified.

You can place any code in here that you like, including other functions. However, the execute_function_name must exist and must be a valid function.

  • Required: Yes
  • Default:
  • Case-sensitive: Yes
  • Whitespace- sensitive: Yes
  • Example: function addOne(value) {return value + 1;}

username

The value of this field currently has no implementation. It makes reference to your IBM® QRadar user name.

  • Required: Yes
  • Default:
  • Case-sensitive: Yes
  • Whitespace- sensitive: Yes
  • Example: administrator