The gettype function returns the runtime type of its argument as a string. Use this function when you need to determine the data type of fields, validate data structures, or debug type-related issues in your queries.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use typeof to check types. APL's gettype provides similar functionality with consistent type names.
['sample-http-logs']
| extend field_type = gettype(field_name)In ANSI SQL, type checking varies by database. APL's gettype provides a standardized approach to runtime type detection.
['sample-http-logs']
| extend field_type = gettype(field_name)Usage
Syntax
gettype(expression)Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| expression | any | Yes | The expression whose type you want to determine. |
Returns
Returns a string representing the runtime type: string, int, long, real, bool, datetime, timespan, dynamic, array, dictionary, or null.
Use case examples
Identify the data types of fields to ensure proper query operations and data validation.
Query
['sample-http-logs']
| extend status_type = gettype(status),
duration_type = gettype(req_duration_ms),
time_type = gettype(_time)
| project status, status_type, req_duration_ms, duration_type, _time, time_type
| limit 10Output
| status | status_type | req_duration_ms | duration_type | _time | time_type |
|---|---|---|---|---|---|
| 200 | string | 145 | long | 2024-11-06T10:00:00Z | datetime |
| 404 | string | 89 | long | 2024-11-06T10:01:00Z | datetime |
| 500 | string | 234 | long | 2024-11-06T10:02:00Z | datetime |
This query identifies the data types of key fields in HTTP logs, helping ensure that data is in the expected format for analysis and troubleshooting type-related query issues.
Validate trace field types to ensure proper data ingestion and processing.
Query
['otel-demo-traces']
| extend service_type = gettype(['service.name']),
duration_type = gettype(duration),
kind_type = gettype(kind)
| summarize type_counts = count() by service_type, duration_type, kind_typeOutput
| service_type | duration_type | kind_type | type_counts |
|---|---|---|---|
| string | timespan | string | 8765 |
This query validates the types of trace fields, helping identify data quality issues where fields might have unexpected types due to ingestion problems.
Detect type inconsistencies in security logs that might indicate data manipulation or logging errors.
Query
['sample-http-logs']
| extend id_type = gettype(id),
status_type = gettype(status),
uri_type = gettype(uri)
| summarize failed_attempts = count() by id_type, status_type, uri_type
| sort by failed_attempts descOutput
| id_type | status_type | uri_type | failed_attempts |
|---|---|---|---|
| string | string | string | 2341 |
This query validates field types in failed authentication logs, helping detect anomalies where expected string fields might have different types due to injection attempts or data corruption.
List of related functions
- isnull: Checks if a value is null. Use this to specifically test for null values rather than getting the type.
- isnotnull: Checks if a value is not null. Use this in filters when you need to exclude null values.
- parse_json: Parses JSON strings into dynamic types. Use this before gettype when working with JSON data.