Understanding types
Goal
By the end of this guide you should be able to identify the data types used in DataPrime and understand how to work with them effectively in queries, including type conversions and casting.
Why it matters
Every field in your logs, traces, or enriched data in DataPrime has a type. Whether it's a number, a timestamp, or a string of text, understanding types is critical for writing accurate queries, performing aggregations, and avoiding unexpected null results. If your logic doesn’t match the type, your query might look right—but silently fail.
Supported types in DataPrime
Here’s a breakdown of the main types you’ll encounter and use:
| Type | Description | JSON Representation |
|---|---|---|
| string | UTF-8 encoded character sequences | "hello world" |
| number | Integer or float. Max is 2^53 | 123, 45.67 |
| bool | Boolean value (true/false) | true |
| timestamp | Nanosecond-precision point in time | 1609459200000000000 |
| interval | Time duration (3h30m, 5s) | "3h30m" (or number in nanoseconds) |
| regexp | Regular expression used in filtering and matching | "/[a-z]+/" |
| null | 1. Absence of a value 2. Non-computable expression 3. null value of the JSON field | null |
| array | Collection of primitive values of a single type | ["a", "b", "c"] |
Note
Intervals can be string or numeric (in nanoseconds), depending on context.
What happens if types mismatch?
Types will raise an error prior to execution if there is a mismatch.
For example this query will show the error message below:
When values are cast in an incompatible way, many functions and operations return null silently.
Type-specific usage rules
- Strings: Use for free-text searches and
~,contains(), etc. - Numbers: Required for mathematical operations and aggregations like
avg,sum. - Timestamps: Combine with interval types for time math (e.g.,
now() - timestamp > 5m) - Intervals: Use with time functions like
diffTime,addTime. - Arrays: Ensure consistent item types. Use functions like
arrayContains,arrayLength. - Booleans: Filter conditions and flags.
- Null: Any null used in a boolean condition is treated as
false.
Null semantics
In DataPrime, null represents an undefined or missing value. It behaves similarly to SQL NULL, but with some important differences. A query will evaluate to null in the following cases:
Field does not exist (i.e. the log has no
foofield at all)Field exists but is explicitly
null(i.e.{foo: null})Expression cannot be computed This includes cases where a value cannot be converted or an operation fails. Examples:
'foo':bool→nullcreate x from 'foo' | choose parseInterval(x) as value→value: nullextract '{"value":"foo"}' into target using jsonobject() | choose target.value + 1→null
Aggregations:
Nulls are preserved in aggregation results unless the function ignores them.
aggregate collect(foo)includes nulls in the output array unless specified with theignoreNullsflag. See documentation.aggreagte any_value(foo)returns a non-null value if one exists.
Joins:
Rows with null in the join key do not match.
Equality:
- A non-existent key value is equal to null. If
foodoes not exist as a key in your logs then:
- Two non-existent key values are equal to each other. If
fooandbarare non-existent keys then:
- Two objects are equal if and only if all fields match exactly, including nulls.
- Arrays must match element by element, including nulls.
Gotchas to watch for
- Type mismatches often fail silently (especially in filters).
- Some fields may appear numeric but are strings (e.g.,
status: "200"). - Intervals passed as strings must follow strict formatting (
1d2h3sis valid,3s1dis not). - Comparing a field to
nullistrueif and only if the field is missing or explicitlynull. - Joins skip rows where the join key is
null. - Objects cannot be converted into strings. The only exception to this is
$d:stringwhich is done to support full-text manipulation using DataPrime functions.