Overview
Tracecat expressions can call built-in functions with theFN.<name>(...) syntax.
Function results support bracket indexing such as FN.range(0, 3)[0].
Function results do not support JSONPath wildcards or filters such as FN.range(0, 3)[*].
Use in-line functions for one-line data transforms in action inputs.
For more complex logic, use a Python script or a custom UDF instead.
Examples
Build a prompt or short string:tracecat/expressions/functions.py.
Function reference
FN.add(a: float | int, b: float | int) -> float | intAdd two numbers together.FN.and(a: bool, b: bool) -> boolLogical AND operation.FN.at(sequence: Sequence[Any], index: int) -> AnyReturn the element at the given index.FN.capitalize(x: str) -> strCapitalize a string.FN.check_ip_version(ip: str) -> intGet IP address version (4 or 6).FN.compact(x: list[Any]) -> list[Any]Drop null values from a list. Similar to compact function in Terraform.FN.concat(*items: str) -> strConcatenate multiple strings.FN.contains(item: Any, container: Sequence[Any]) -> boolCheck if item exists in a sequence.Aliases: FN.is_inFN.contains_any_of(a: Sequence[Any], b: Sequence[Any]) -> boolCheck if any of the elements of the first sequence exist in the second sequence.FN.contains_none_of(a: Sequence[Any], b: Sequence[Any]) -> boolCheck if all of of the elements of the first sequence don’t exist in the second sequence.FN.datetime(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetimeCreate datetime from year, month, day, hour, minute, and second.FN.days(x: int) -> timedeltaCreate timedelta with specified days.FN.days_between(start: datetime | str, end: datetime | str) -> floatDays between two datetimes.FN.deserialize_json(obj, /)Deserialize JSON to Python objects.FN.deserialize_ndjson(x: str) -> list[dict[str, Any]]Parse newline-delimited JSON string into list of objects.FN.deserialize_yaml(x: str) -> AnyDeserialize YAML string to object.FN.difference(a: Sequence[Any], b: Sequence[Any]) -> list[Any]Return a list of elements that are in the first sequence but not in the second.FN.div(a: float | int, b: float | int) -> floatDivide first number by second number.FN.does_not_contain(item: Any, container: Sequence[Any]) -> boolCheck if item does not exist in a sequence.Aliases: FN.is_not_in, FN.not_inFN.drop_nulls(items: list[Any]) -> list[Any]Remove all null or empty string values from a list.FN.endswith(x: str, suffix: str) -> boolCheck if a string ends with a specified suffix.FN.extract_asns(text: str) -> list[str]Extract Autonomous System Numbers, e.g. AS1234, from a string.FN.extract_cves(text: str) -> list[str]Extract CVE IDs, such as CVE-2021-34527, from a string.FN.extract_domains(text: str, include_defanged: bool = False) -> list[str]Extract domain names from a string.FN.extract_emails(text: str, normalize: bool = False) -> list[str]Extract unique emails from a string.FN.extract_ip(text: str, include_defanged: bool = False) -> list[str]Extract unique IPv4 and IPv6 addresses from a string.FN.extract_ipv4(text: str, include_defanged: bool = False) -> list[str]Extract unique IPv4 addresses from a string.FN.extract_ipv6(text: str, include_defanged: bool = False) -> list[str]Extract unique IPv6 addresses from a string. Includes defanged variants as an option.FN.extract_mac(text: str) -> list[str]Extract MAC addresses from a string.FN.extract_md5(text: str) -> list[str]Extract MD5 hashes from a string.FN.extract_sha1(text: str) -> list[str]Extract SHA1 hashes from a string.FN.extract_sha256(text: str) -> list[str]Extract SHA256 hashes from a string.FN.extract_sha512(text: str) -> list[str]Extract SHA512 hashes from a string.FN.extract_urls(text: str, http_only: bool = False, include_defanged: bool = False) -> list[str]Extract URLs from text, optionally including defanged ones.FN.flatten(iterables: Sequence[Sequence[Any]]) -> list[Any]Flatten nested sequences into a single list.FN.flatten_dict(x: str | dict[str, Any] | list[Any], max_depth: int = 100) -> dict[str, Any]Return object with single level of keys (as jsonpath) and values.FN.format(template: str, *values: Any) -> strFormat a string with the given arguments.FN.format_datetime(x: datetime | str, format: str) -> strFormat datetime into specified format (e.g. ‘%Y-%m-%d %H:%M:%S’).FN.from_base64(x: str) -> strDecode base64 string to string.FN.from_base64url(x: str) -> strDecode URL-safe base64 string to string.FN.from_timestamp(x: float | int | str, unit: str = s) -> datetimeConvert timestamp in milliseconds (‘ms’) or seconds (‘s’) to datetime.FN.get_day(x: datetime | str) -> intGet day of month (1-31) from datetime.FN.get_day_of_week(x: datetime | str, format: "Literal[number, full, short]" = number) -> int | strExtract day of week from datetime. Returns 0-6 (Mon-Sun) or day name if format is “full” or “short”.FN.get_hour(x: datetime | str) -> intGet hour (0-23) from datetime.FN.get_interaction() -> dict[str, str] | NoneGet the interaction context from the current action in the workflow execution.FN.get_minute(x: datetime | str) -> intGet minute (0-59) from datetime.FN.get_month(x: datetime | str, format: "Literal[number, full, short]" = number) -> int | strExtract month from datetime. Returns 1-12 or month name if format is “full” or “short”.FN.get_second(x: datetime | str) -> intGet second (0-59) from datetime.FN.get_year(x: datetime | str) -> intGet year from datetime.FN.greater_than(a: Any, b: Any) -> boolCheck if a is greater than b.FN.greater_than_or_equal(a: Any, b: Any) -> boolCheck if a is greater than or equal to b.FN.hash_md5(x: str | bytes) -> strGenerate MD5 hash of input string or bytes.FN.hash_sha1(x: str | bytes) -> strGenerate SHA1 hash of input string or bytes.FN.hash_sha256(x: str | bytes) -> strGenerate SHA256 hash of input string or bytes.FN.hash_sha512(x: str | bytes) -> strGenerate SHA512 hash of input string or bytes.FN.hours(x: int) -> timedeltaCreate timedelta with specified hours.FN.hours_between(start: datetime | str, end: datetime | str) -> floatHours between two datetimes.FN.intersection(a: Sequence[Any], b: Sequence[Any]) -> list[Any]Return a list containing the intersection of elements from two sequences.FN.ipv4_in_subnet(ipv4: str, subnet: str) -> boolCheck if IPv4 address is in the given subnet.FN.ipv4_is_public(ipv4: str) -> boolCheck if IPv4 address is public/global.FN.ipv6_in_subnet(ipv6: str, subnet: str) -> boolCheck if IPv6 address is in the given subnet.FN.ipv6_is_public(ipv6: str) -> boolCheck if IPv6 address is public/global.FN.is_empty(x: Sequence[Any]) -> boolCheck if sequence has length 0.FN.is_equal(a: Any, b: Any) -> boolCheck if a is equal to b.FN.is_in(item: Any, container: Sequence[Any]) -> boolCheck if item exists in a sequence.Aliases: FN.containsFN.is_json(x: str) -> boolCheck if a string is valid JSON.FN.is_not_empty(x: Sequence[Any]) -> boolCheck if sequence has length greater than 0.Aliases: FN.not_emptyFN.is_not_equal(a: Any, b: Any) -> boolCheck if a is not equal to b.Aliases: FN.not_equalFN.is_not_in(item: Any, container: Sequence[Any]) -> boolCheck if item does not exist in a sequence.Aliases: FN.does_not_contain, FN.not_inFN.is_not_null(x: Any) -> boolCheck if value is not None.Aliases: FN.not_nullFN.is_null(x: Any) -> boolCheck if value is None.FN.is_working_hours(x: datetime | str, start: str, end: str, include_weekends: bool = False, timezone: str | None = None) -> boolCheck if datetime is between two times (HH:MM or HH:MM:SS strings).FN.iter_product(*iterables: Sequence[Any]) -> list[tuple[Any, ...]]Generate cartesian product of sequences.FN.join(items: Sequence[str], sep: str) -> strJoin sequence of strings with separator.FN.length(obj, /)Return the number of items in a container.FN.less_than(a: Any, b: Any) -> boolCheck if a is less than b.FN.less_than_or_equal(a: Any, b: Any) -> boolCheck if a is less than or equal to b.FN.lookup(d: dict[Any, Any], k: Any) -> AnySafely get value from an object.FN.lowercase(x: str) -> strConvert string to lowercase.FN.map_keys(x: dict[str, Any], keys: dict[str, str]) -> dict[str, Any]Map keys in an object to new keys.FN.max(a: Any, b: Any) -> AnyReturn the maximum of two values.FN.merge(x: list[dict[Any, Any]]) -> dict[Any, Any]Merge list of objects. Similar to merge function in Terraform.FN.min(a: Any, b: Any) -> AnyReturn the minimum of two values.FN.minutes(x: int) -> timedeltaCreate timedelta with specified minutes.FN.minutes_between(start: datetime | str, end: datetime | str) -> floatMinutes between two datetimes.FN.mod(a: float | int, b: float | int) -> float | intCalculate modulo (remainder) of first number divided by second.FN.mul(a: float | int, b: float | int) -> float | intMultiply two numbers together.FN.normalize_email(email: str) -> strConvert sub-addressed email to a normalized email address.FN.not(x: bool) -> boolLogical NOT operation.FN.not_empty(x: Sequence[Any]) -> boolCheck if sequence has length greater than 0.Aliases: FN.is_not_emptyFN.not_equal(a: Any, b: Any) -> boolCheck if a is not equal to b.Aliases: FN.is_not_equalFN.not_in(item: Any, container: Sequence[Any]) -> boolCheck if item does not exist in a sequence.Aliases: FN.does_not_contain, FN.is_not_inFN.not_null(x: Any) -> boolCheck if value is not None.Aliases: FN.is_not_nullFN.now(as_isoformat: bool = False, timespec: str = auto) -> datetime | strReturn workflow logical time (local, naive) or current time if outside workflow.FN.or(a: bool, b: bool) -> boolLogical OR operation.FN.parse_csv(x: str) -> list[dict[str, Any]]Parse CSV string into list of objects.FN.parse_datetime(x: str, format: str) -> datetimeParse string to datetime using specified format.FN.parse_time(x: str) -> timeParse HH:MM:SS or HH:MM formatted string to a time object.FN.pow(a: float | int, b: float | int) -> float | intRaise first number to the power of second number.FN.prefix(x: str | list[str], prefix: str) -> str | list[str]Add a prefix to a string or list of strings.FN.prettify_json(x: Any) -> strConvert object to formatted JSON string.FN.range(start: int, end: int, step: int = 1) -> list[int]Create a range of integers from start to end (exclusive), with a step size.FN.regex_extract(pattern: str, text: str) -> str | NoneExtract the first captured group from text; fallback to full match if none.FN.regex_match(pattern: str, text: str) -> boolCheck if text matches regex pattern.FN.regex_not_match(pattern: str, text: str) -> boolCheck if text does not match regex pattern.FN.replace(x: str, old: str, new: str) -> strReplace all occurrences of old substring with new substring.FN.seconds(x: int) -> timedeltaCreate timedelta with specified seconds.FN.seconds_between(start: datetime | str, end: datetime | str) -> floatSeconds between two datetimes.FN.serialize(x: Any) -> strSerialize a JSON-compatible value to string.FN.serialize_json(x: Any) -> strConvert object to JSON string.FN.serialize_yaml(x: Any) -> strSerialize object to YAML string.FN.set_timezone(x: datetime | str, timezone: str) -> datetimeConvert datetime to different timezone. Timezone must be a valid IANA timezone name (e.g., “America/New_York”).FN.slice(x: str, start_index: int, length: int) -> strExtract a substring from start_index with given length.FN.slugify(x: str) -> strSlugify a string.FN.split(x: str, sep: str) -> list[str]Split a string into a list of strings by a seperator.FN.startswith(x: str, suffix: str) -> boolCheck if a string starts wit a specified suffix.FN.strip(x: str, chars: str) -> strRemoves all leading and trailing characters.FN.sub(a: float | int, b: float | int) -> float | intSubtract second number from first number.FN.suffix(x: str | list[str], suffix: str) -> str | list[str]Add a suffix to a string or list of strings.FN.sum(iterable: Iterable[float | int], start: float | int = 0) -> float | intReturn the sum of a ‘start’ value (default: 0) plus an iterable of numbers.FN.symmetric_difference(a: Sequence[Any], b: Sequence[Any]) -> list[Any]Return a list of elements that are in either sequence but not in both.FN.tabulate(x: list[dict[str, typing.Any]], format: Literal[markdown, html, csv, xml]) -> strFormat list of objects into markdown, html, csv, or xmlFN.titleize(x: str) -> strConvert a string to titlecase.FN.to_base64(x: str) -> strEncode string to base64.FN.to_base64url(x: str) -> strEncode string to URL-safe base64.FN.to_datetime(x: Any, timezone: str | None = None) -> datetimeConvert to timezone-aware datetime object from timestamp (in seconds), ISO 8601 string or existing datetime.FN.to_isoformat(x: datetime | str, timespec: str = auto) -> strConvert datetime to ISO format string.FN.to_keys(x: dict[Any, Any]) -> list[Any]Extract keys from an object.FN.to_markdown_list(x: list[str], ordered: bool = False) -> strFormat list of strings into Markdown list.FN.to_markdown_table(x: list[dict[str, typing.Any]]) -> strFormat list of dictionaries into Markdown table.FN.to_markdown_tasks(x: list[str]) -> strFormat list of strings into Markdown tasks.FN.to_time(x: datetime | str) -> timeConvert datetime to time.FN.to_timestamp(x: datetime | str, unit: str = s) -> intConvert datetime to timestamp in milliseconds (‘ms’) or seconds (‘s’).FN.to_values(x: dict[Any, Any]) -> list[Any]Extract values from an object.FN.today() -> dateReturn workflow logical time date (local) or current date if outside workflow.FN.union(a: Sequence[Any], b: Sequence[Any]) -> list[Any]Return a list containing the union of elements from two sequences.FN.unique(items: Sequence[Any]) -> list[Any]List of hashable items (e.g. strings, numbers) to remove duplicates from.FN.unset_timezone(x: datetime | str) -> datetimeRemove timezone information from datetime without changing the time.FN.uppercase(x: str) -> strConvert string to uppercase.FN.url_decode(x: str) -> strConverts percent-encoded characters back into their original form.FN.url_encode(x: str) -> strConverts URL-unsafe characters into percent-encoded characters.FN.utcnow(as_isoformat: bool = False, timespec: str = auto) -> datetime | strReturn workflow logical time (UTC, aware) or current UTC time if outside workflow.FN.uuid4() -> strGenerate a random UUID string.FN.wall_clock(as_isoformat: bool = False, timespec: str = auto) -> datetime | strReturn actual current wall clock time (local, naive).FN.weeks(x: int) -> timedeltaCreate timedelta with spcified weeksFN.weeks_between(start: datetime | str, end: datetime | str) -> floatWeeks between two datetimes or dates.FN.windows_filetime(x: datetime | str) -> intConvert datetime to Windows filetime.FN.zip(*iterables: Sequence[Any]) -> list[tuple[Any, ...]]Zip multiple sequences together.FN.zip_map(x: list[str], y: list[str]) -> dict[str, str]Zip two arrays into list of key-value pairs, then convert into mapping.Operator equivalents
Equivalent function names:
FN.orEquivalent function names:
FN.andEquivalent function names:
FN.is_equalEquivalent function names:
FN.is_not_equal, FN.not_equalEquivalent function names:
FN.less_thanEquivalent function names:
FN.less_than_or_equalEquivalent function names:
FN.greater_thanEquivalent function names:
FN.greater_than_or_equalEquivalent function names:
FN.addEquivalent function names:
FN.subEquivalent function names:
FN.mulEquivalent function names:
FN.divEquivalent function names:
FN.modEquivalent function names:
FN.contains, FN.is_inEquivalent function names:
FN.does_not_contain, FN.is_not_in, FN.not_in