Use the isbool function to check whether an expression evaluates to a boolean value. This is helpful when you need to validate data types, filter boolean values, or handle type checking in conditional logic.
You typically use isbool when working with dynamic or mixed-type data where you need to verify that a value is actually a boolean before performing boolean operations or conversions.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk, you can use the isbool() function or check if a field contains boolean values. In APL, isbool provides a direct way to check if an expression is a boolean type.
... | extend is_boolean = isbool(field)
In standard SQL, you use CASE statements with type checking or IS NULL checks, but there's no direct boolean type checker. In APL, isbool provides a straightforward way to check if a value is a boolean.
['sample-http-logs']
| extend is_boolean = isbool(field)
Usage
Syntax
isbool(expression)
Parameters
| Name | Type | Description |
|---|---|---|
| expression | dynamic | The expression to check for boolean type. |
Returns
Returns true if the expression value is a boolean, false otherwise.
Use case examples
Validate that a field contains boolean values before using it in boolean operations or filters.
Query
['sample-http-logs']
| extend is_cached = case(
['status'] == '200', true,
['status'] == '304', true,
1 == 1, false
)
| where isbool(is_cached)
| extend cache_hit = is_cached == true
| project _time, ['uri'], ['status'], is_cached, cache_hit
Output
| _time | uri | status | is_cached | cache_hit |
|---|---|---|---|---|
| Jun 24, 09:28:10 | /api/users | 200 | true | true |
This example creates a boolean field and validates it using isbool before using it in further boolean operations, ensuring type safety in your queries.
Check if trace attributes contain boolean values before performing boolean logic on them.
Query
['otel-demo-traces']
| extend is_error = ['status_code'] >= '400'
| where isbool(is_error)
| extend error_occurred = is_error == true
| project _time, ['trace_id'], ['service.name'], is_error, error_occurred
Output
| _time | trace_id | service.name | is_error | error_occurred |
|---|---|---|---|---|
| Jun 24, 09:28:10 | abc123 | frontend | false | false |
This example validates that a computed boolean value is actually a boolean type before using it in conditional logic, preventing type-related errors.
Validate boolean flags in security events to ensure they contain proper boolean values before filtering or alerting.
Query
['sample-http-logs']
| extend is_suspicious = ['status'] == '403' or ['status'] == '401'
| extend is_high_risk = ['req_duration_ms'] > 5000
| where isbool(is_suspicious) and isbool(is_high_risk)
| extend security_alert = is_suspicious == true and is_high_risk == true
| project _time, ['uri'], ['status'], is_suspicious, is_high_risk, security_alert
Output
| _time | uri | status | is_suspicious | is_high_risk | security_alert |
|---|---|---|---|---|---|
| Jun 24, 09:28:10 | /admin | 403 | true | false | false |
This example validates multiple boolean flags before combining them in security logic, ensuring that only properly typed boolean values are used in alert conditions.
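The `where isbool(...)` filter in the query above discards every row whose flag is not a boolean, so those events never reach the alert condition. The following query is an added example, not part of the original documentation: it reuses the same dataset and fields to count the rows that filter would exclude, grouped by the type each flag actually has. The column names `flags_typed`, `suspicious_type`, `high_risk_type` and `excluded` are chosen here for illustration.

```kusto
// Added example: measure what the isbool filter in the alert query excludes.
['sample-http-logs']
| extend is_suspicious = ['status'] == '403' or ['status'] == '401'
| extend is_high_risk = ['req_duration_ms'] > 5000
| extend flags_typed = isbool(is_suspicious) and isbool(is_high_risk)
// Keep only the rows the alert query would have dropped.
| where flags_typed == false
// gettype reports what each flag is when it is not a boolean.
| extend suspicious_type = gettype(is_suspicious)
| extend high_risk_type = gettype(is_high_risk)
| summarize excluded = count() by bin(_time, 1h), suspicious_type, high_risk_type
```

A non-zero `excluded` count means events are bypassing the alert logic because of their type, which is worth investigating at the ingestion or parsing stage.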
List of related functions
- tobool: Converts a value to boolean. Use tobool to convert values to boolean, and isbool to check if a value is already a boolean.
- gettype: Returns the type of a value as a string. Use gettype when you need to check for multiple types, and isbool when you only need to check for boolean.
- isnull: Checks if a value is null. Use isnull to check for null values, and isbool to check for boolean type.