This is a filter that lets you remove attributes and columns from a result set.
Omitted Argument NamesThe argument name for
fieldscan be omitted; the following forms of this function are equivalent:logscale Syntaxdrop(["value"])and:
logscale Syntaxdrop(fields=["value"])These examples show basic structure only.
drop() Examples
Click + next to an example below to get the full details.
Calculate a Percentage of Successful Status Codes Over Time
Query
| success := if(status >= 500, then=0, else=1)
| timeChart(series=customer,function=
[
{
[sum(success,as=success),count(as=total)]
| pct_successful := (success/total)*100
| drop([success,total])}],span=15m,limit=100)Introduction
Calculate a percentage of successful status codes inside the
timeChart() function field.
Step-by-Step
Starting with the source repository events.
- logscale
| success := if(status >= 500, then=0, else=1)Adds a success field at the following conditions:
If the value of field status is greater than or equal to
500, set the value of success to0, otherwise to1.
- logscale
| timeChart(series=customer,function= [ { [sum(success,as=success),count(as=total)]Creates a new timechart, generating a new series, customer that uses a compound function. In this example, the embedded function is generating an array of values, but the array values are generated by an embedded aggregate. The embedded aggregate (defined using the
{}syntax), creates asum()andcount()value across the events grouped by the value of success field generated from the filter query. This is counting the11 or0generated by theif()function; counting all the values and adding up the ones for successful values. These values will be assigned to the success and total fields. Note that at this point we are still within the aggregate, so the two new fields are within the context of the aggregate, with each field being created for a corresponding success value. - logscale
| pct_successful := (success/total)*100Calculates the percentage that are successful. We are still within the aggregate, so the output of this process will be an embedded set of events with the total and success values grouped by each original HTTP response code.
- logscale
| drop([success,total])}],span=15m,limit=100)Still within the embedded aggregate, drop the total and success fields from the array generated by the aggregate. These fields were temporary to calculate the percentage of successful results, but are not needed in the array for generating the result set. Then, set a span for the buckets for the events of 15 minutes and limit to 100 results overall.
Event Result set.
Summary and Results
This query shows how an embedded aggregate can be used to generate a sequence of values that can be formatted (in this case to calculate percentages) and generate a new event series for the aggregate values.
Count Events per Repository
Count of the events received by repository
Query
bucket(span=1d,field=#repo,function=count())
| @timestamp:=_bucket
| drop(_bucket)Introduction
Count of X events received by a repo (Cloud).
Step-by-Step
Starting with the source repository events.
- logscale
bucket(span=1d,field=#repo,function=count()) - logscale
| @timestamp:=_bucketUpdates the timestamp to the value generated by the
bucket() - logscale
| drop(_bucket)Discards the _bucket field from the results.
Event Result set.
Summary and Results
The query can be run on each repo. Or, create a view that looks across multiple repos and then run it from there to get all the repo counts in one search.
Remove Attributes, Columns/Fields From Result Set - Example 1
Drop a single field from a result set using the drop() function
Query
drop(header)Introduction
In this example, the drop() function is used to
remove the header field from result set.
Step-by-Step
Starting with the source repository events.
- logscale
drop(header)Drops a single field named header.
Event Result set.
Summary and Results
The query is used to remove data during ingest, in this example removing
a field. Removal of fields are useful if you have created fields in
sub-searches (extracted some values in new fields during the filtering
process) that are no longer needed in the final result set. If you want
to drop an entire event, it is possible to use the
dropEvent() function.
Remove Attributes, Columns/Fields From Result Set - Example 2
Drop two fields from a result set using the drop() function
Query
drop([header,value])Introduction
In this example, the drop() function is used to
remove the fields header and
value from result set.
Step-by-Step
Starting with the source repository events.
- logscale
drop([header,value])Drops both the field named header and the field named value.
Event Result set.
Summary and Results
The query is used to remove data during ingest, in this example removing
more fields. Removal of fields are useful if you have created fields in
sub-searches (extracted some values in new fields during the filtering
process) that are no longer needed in the final result set. If you want
to drop an entire event, it is possible to use the
dropEvent() function.