Field Operations

Field Assignment

Assign computed values to new fields with the := operator:

severity := "high"
score := bytes * 2
sum := field1 + 5
label := status

Expressions may use parentheses and division. When an assignment follows an aggregation, it can reference the aliases the aggregation produced. The example below derives a confidence score from the share of events whose event_id repeats an earlier one (total minus distinct count, divided by total):

* | groupby(user) | stats(count(field=event_id, distinct=true, as=unique), count(field=event_id, as=total)) | confidence := ((total - unique) / total) * 0.95

Eval

eval() is an alternative way to write a field assignment inside a pipeline; the expression is passed as a string:

* | eval("score = bytes + priority")

Hash

Create a hash key from one or more fields:

* | hash(user)
* | hash(field=user, computer)
* | hash(user, event_id, as=composite_key)

Uses cityHash64 internally. Useful for creating composite keys for dictionary lookups. cityHash64 is a non-cryptographic hash: treat the result as a join or deduplication key, not as an integrity check and not as a way to conceal the original field values.

Case Statements

Conditionally assign field values:

case {
  status=200 | result := "ok" ;
  status=404 | result := "not found" ;
  * | result := "other"
}

Conditions support =, !=, >, <, and regex patterns written between slashes, optionally followed by flags such as i for case-insensitive matching. The * condition matches any event and serves as the default branch:

case {
  user=/admin/i | role := "admin" ;
  bytes>1000000 | size := "large" ;
  * | size := "small"
}

String Operations

Regex Extraction

* | regex("(\d+\.\d+\.\d+\.\d+)", field=raw_log)

Named capture groups are extracted to fields of the same name:

* | regex(field=image, regex="(.+)\\\\(?<executable_name>.*\\.exe)")

This creates a field called executable_name from the named capture group.

Replace

* | replace("password=\S+", "password=***", raw_log)

The pattern is a regular expression. Note that \S+ stops at the first whitespace, so a value that contains spaces (for example a quoted passphrase) is only partially redacted; match quoted values explicitly if the source can produce them.
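The two regex behaviours above, greedy matching in the executable-name extraction and the whitespace boundary of \S+ in the password redaction, are easy to get wrong. The following Python script is an added example, not part of the original page and not the query tool's own code; it reproduces both patterns with Python's re module (which spells named groups (?P<name>...) rather than (?<name>...)) against constructed sample records so the edge cases can be seen directly.

```python
import re
from typing import Optional

# Constructed sample data (not taken from the original page).
SAMPLE_IMAGES = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Users\alice\AppData\Local\Temp\update.EXE",
    r"C:\Program Files\Tool\bin\helper.exe",
    "/usr/bin/python3",
]

SAMPLE_LOGS = [
    "login user=alice password=hunter2 src=10.0.0.5",
    'login user=bob password="my secret phrase" src=10.0.0.9',
]

# Same pattern as the page's regex() example, in Python syntax.
# The greedy (.+) consumes as much as possible, so the literal backslash it
# must be followed by is the LAST backslash in the path; the named group
# therefore receives only the file name.
EXE_PATTERN = re.compile(r"(.+)\\(?P<executable_name>.*\.exe)")
EXE_PATTERN_CI = re.compile(r"(.+)\\(?P<executable_name>.*\.exe)", re.IGNORECASE)


def extract_executable_name(image: str, ignore_case: bool = False) -> Optional[str]:
    """Return the executable_name capture, or None when the pattern does not match.

    As written on the page the match is case-sensitive, so an image ending in
    .EXE is missed unless ignore_case is set.
    """
    pattern = EXE_PATTERN_CI if ignore_case else EXE_PATTERN
    m = pattern.search(image)
    return m.group("executable_name") if m else None


# The page's replace() pattern: \S+ ends at the first whitespace character.
NAIVE_PASSWORD = re.compile(r"password=\S+")

# Hardened variant (an assumption for this example, not from the page):
# consume a double-quoted value as a unit, otherwise fall back to \S+.
QUOTED_AWARE_PASSWORD = re.compile(r'password=("[^"]*"|\S+)')


def redact_naive(line: str) -> str:
    """Redaction exactly as the page's example does it."""
    return NAIVE_PASSWORD.sub("password=***", line)


def redact(line: str) -> str:
    """Redaction that also handles quoted values containing spaces."""
    return QUOTED_AWARE_PASSWORD.sub("password=***", line)


if __name__ == "__main__":
    for image in SAMPLE_IMAGES:
        print(f"{image!r:60} -> {extract_executable_name(image)!r} "
              f"(case-insensitive: {extract_executable_name(image, ignore_case=True)!r})")
    for line in SAMPLE_LOGS:
        print("naive :", redact_naive(line))
        print("quoted:", redact(line))
```

Running the script shows the second log line still containing `secret phrase"` after the naive redaction, while the quoted-aware pattern removes the whole value; it also shows `update.EXE` being skipped by the case-sensitive pattern the page uses.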

Concat

* | concat([user, host], as=user_host)

Lowercase

* | lowercase(user)

Uppercase

* | uppercase(user)