The built-in function library WhisperGraph Cypher ships — aggregation, string, numeric, collection, node, type-conversion, and date functions.
Updated July 2026
Functions Documentation
WhisperGraph Cypher ships a function library you use inside RETURN, WITH, and WHERE. The tables below give the call and the value it returns. For the clauses that hold these functions, see Syntax & Clauses; for the CALL procedures (explain, whisper.variants, whisper.history, whisper.origins), see Procedures.
Aggregation
Aggregations collapse rows; any non-aggregated column in the same RETURN or WITH becomes a grouping key.
Input that cannot be parsed yields null rather than an error — toInteger("abc") returns null.
Date and time
Function
Example
Result
timestamp
timestamp()
epoch millis
date
toString(date())
2026-06-17
datetime / localdatetime / time
datetime()
a datetime
duration
duration("P1D")
a duration
Geospatial and misc
Function
Example
Result
point
point({x:1.0,y:2.0})
a point
distance
distance(point({x:0,y:0}), point({x:3,y:4}))
geographic distance (x,y treated as lon,lat)
coalesce
coalesce(a.missing, "default")
default
randomUUID
randomUUID()
a UUID string
Reading threat properties off a node
You do not need a function to read a verdict — the threat posture lives directly on the node. An IPV4 node carries threatScore, threatLevel, isThreat, isTor, and isAnonymizer, so a single anchored read gives you the whole posture with no extra hops.
MATCH (ip:IPV4 {name: "185.220.101.1"})
RETURN ip.name AS ip, ip.threatScore AS score, ip.threatLevel AS level,
ip.isThreat AS isThreat, ip.isTor AS isTor, ip.isAnonymizer AS isAnonymizer
LIMIT1
For the scored reasoning behind a verdict — the feeds, weights, and factors — call explain(). See explain() — Threat Verdicts.