VQL provides a basic set of functions and plugins allowing queries to manipulate data and implement logic. This page details those plugins which are considered foundational to the VQL language and therefore may be useful in all types of artifacts.
VQL plugins are not the same as VQL functions. A plugin is the subject
of the VQL query - i.e. plugins always follow the FROM keyword,
while functions (which return a single value instead of a sequence of
rows) are only present in column specification (e.g. after SELECT)
or in condition clauses (i.e. after the WHERE keyword).
| Plugin/Function | Type | Description |
|---|---|---|
| array | Function | Create an array |
| atexit | Function | Install a query to run when the query is unwound |
| atoi | Function | Convert a string to an integer |
| base64decode | Function | Decodes a base64 encoded string |
| base64encode | Function | Encodes a string into base64 |
| basename | Function | Return the basename of the path |
| batch | Plugin | Batches query rows into multiple arrays |
| cache | Function | Creates a cache object |
| column_filter | Plugin | Select columns from another query using regex |
| copy | Function | Copy a file |
| count | Function | Counts the items |
| dict | Function | Construct a dict from arbitrary keyword args |
| dirname | Function | Return the directory path |
| encode | Function | Encodes a string as as different type |
| enumerate | Function | Collect all the items in each group by bin |
| environ | Function | Get an environment variable |
| expand | Function | Expand the path using the environment |
| filter | Function | Filters an array by regex or condition |
| format | Function | Format one or more items according to a format string |
| generate | Function | Create a named generator that receives rows from the query |
| get | Function | Gets the member field from item |
| getpid | Function | Returns the current pid of the Velociraptor process |
| humanize | Function | Format items in human readable way |
| if | Function | Conditional execution of query |
| items | Function | Iterate over dict members producing _key and _value columns |
| items | Plugin | Enumerate all members of the item (similar to Python’s items() method) |
| join | Function | Join all the args on a separator |
| killkillkill | Function | Kills the client and forces a restart - this is very aggressive! |
| len | Function | Returns the length of an object |
| log | Function | Log the message and return TRUE |
| lowcase | Function | Returns the lowercase version of a string |
| max | Function | Finds the largest item in the aggregate |
| memoize | Function | Memoize a query into memory |
| min | Function | Finds the smallest item in the aggregate |
| now | Function | Returns current time in seconds since epoch |
| path_join | Function | Build a path by joining all components |
| path_split | Function | Split a path into components |
| query | Function | Launch a subquery and materialize it into a list of rows |
| rand | Function | Selects a random number |
| range | Plugin | Iterate over range |
| read_file | Function | Read a file into a string |
| regex_transform | Function | Search and replace a string with multiple regex |
| relpath | Function | Return the relative path of |
| scope | Function | return the scope |
| serialize | Function | Encode an object as a string (csv or json) |
| set | Function | Sets the member field of the item |
| sleep | Function | Sleep for the specified number of seconds |
| slice | Function | Slice an array |
| split | Function | Splits a string into an array based on a regexp separator |
| str | Function | Returns the string representation of provided data |
| strip | Function | Strip prefix and/or suffix from a string |
| substr | Function | Create a substring from a string |
| sum | Function | Sums the items |
| tempdir | Function | Create a temporary directory |
| timestamp | Function | Convert from different types to a time |
| to_dict | Function | Construct a dict from a query |
| unhex | Function | Apply hex decoding to the string |
| unzip | Plugin | Unzips a file into a directory |
| upcase | Function | Returns an uppercase version of the string |
| upload_sftp | Function | Upload files to SFTP |
| upload_webdav | Function | Upload files to a WebDAV server |
| url | Function | Construct a URL or parse one |
| utf16 | Function | Parse input from utf16 |
| utf16_encode | Function | Encode a string to utf16 bytes |
| uuid | Function | Generate a UUID |
| version | Function | Gets the version of a VQL plugin or function |