Evaluates an arbitrary expression as a boolean value and filters events when the expression returns true. Using the test() function, Falcon LogScale can compare one field against one value, and it can also compare multiple fields and their respective values.

Note

In test() unquoted strings are interpreted as field names.

Parameter | Type | Required | Default | Description
expression[a] | expression | required | | The expression to test.

[a] The argument name expression can be omitted.

test() Examples

The following tests if the value of the field foo is less than the value of the field bar:

logscale
test(foo < bar)

This example compares a field value within the LogScale repository:

logscale
test(cputime < 7500)

Check if field contains specific value

Query
logscale
test(myField == "myOtherField")
Introduction

The test() function can compare one field against one value, and it can also compare multiple fields and their respective values. In this example, the test() function is used to check if a field contains a specific value.

Step-by-Step
  1. Starting with the source repository events

  2. Returns all events where the field myField holds the specific value myOtherField. Note the use of double quotes: if the query had been test(myField == myOtherField), it would instead have returned events where the two fields contain the same value, not events where myField holds that specific value.

    logscale
    test(myField == "myOtherField")
  3. Event Result set

Summary and Results

The query is used to check if a field contains a specific value. It is the same as myField = myOtherField, except that the latter syntax does not support field names with spaces, as the test() function does.
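
The quoting rule described above, modeled in Python as an added example (this is not LogScale's implementation and not code from this documentation). It shows how a missing pair of quotes changes which events a filter selects; the sample events, the helper names, and the rule that an absent field never matches are assumptions made for the illustration.

```python
import re

# Constructed sample events; field names follow the page's examples.
EVENTS = [
    {"id": 1, "myField": "myOtherField", "myOtherField": "admin"},
    {"id": 2, "myField": "admin", "myOtherField": "admin"},
    {"id": 3, "myField": "guest", "cputime": "7000"},
    {"id": 4, "myField": "guest", "cputime": "9100"},
]

# Only "<operand> <comparison> <operand>" is modeled here.
EXPR = re.compile(r'^\s*("[^"]*"|[\w.]+)\s*(==|!=|<=|>=|<|>)\s*("[^"]*"|[\w.]+)\s*$')
NUMBER = re.compile(r'^-?\d+(\.\d+)?$')

def operand(token, event):
    """Resolve one operand following the rule stated for test()."""
    if token.startswith('"'):
        return token[1:-1]       # quoted: a literal string
    if NUMBER.match(token):
        return token             # bare number: a literal value
    return event.get(token)      # unquoted word: a field name (None if absent)

def model_test(expr, event):
    """Return True when the modeled expression holds for this event."""
    m = EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    left, op, right = operand(m[1], event), m[2], operand(m[3], event)
    if left is None or right is None:
        return False             # assumption: a missing field never matches
    if NUMBER.match(str(left)) and NUMBER.match(str(right)):
        left, right = float(left), float(right)   # numeric comparison
    else:
        left, right = str(left), str(right)       # string comparison
    return {"==": left == right, "!=": left != right, "<": left < right,
            "<=": left <= right, ">": left > right, ">=": left >= right}[op]

def matching_ids(expr, events=EVENTS):
    """IDs of the sample events that the modeled filter keeps."""
    return [e["id"] for e in events if model_test(expr, e)]

if __name__ == "__main__":
    for q in ('myField == "myOtherField"', 'myField == myOtherField', 'cputime < 7500'):
        print(f"test({q}) keeps events {matching_ids(q)}")
```

With the quotes, only the event whose myField holds the literal string is kept; without them, only the event whose two fields agree is kept.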

Check if fields contain same value

Query
logscale
test(length(userid) == length(method))
Introduction

The test() function can compare one field against one value, and it can also compare multiple fields and their respective values. In this example, the test() function is used to search for events where the userid field and method field have the same length.

Step-by-Step
  1. Starting with the source repository events

  2. Returns all events where field userid has the same length as the method field. This could for example be events with Chad and POST, and Peter and PATCH.

    logscale
    test(length(userid) == length(method))
  3. Event Result set

Summary and Results

The query is used to compare multiple fields and their respective values.

Compare more fields and filter for specific events

Query
logscale
test(field1 != 2 * field2)
Introduction

The test() function can compare one field against one value, and it can also compare multiple fields and their respective values. Furthermore, it is possible to use a negation to filter for specific events. In this example, the test() function is used to filter for events where the value of field1 is not exactly twice as large as the value in field2.

Step-by-Step
  1. Starting with the source repository events

  2. Filters for events where the value of the field field1 is not exactly twice as large as the value in field field2.

    logscale
    test(field1 != 2 * field2)
  3. Event Result set

Summary and Results

The query is used to compare multiple fields and filter for specific events that are not of a certain size.

Compare more fields and their respective values

Query
logscale
test(field1 < field2)
Introduction

The test() function can compare one field against one value, and it can also compare multiple fields and their respective values. In this example, the test() function is used to check if the value of field1 is less than the value in field2.

Step-by-Step
  1. Starting with the source repository events

  2. Evaluates if the value of the field field1 is less than the value in field field2.

    logscale
    test(field1 < field2)
  3. Event Result set

Summary and Results

The query is used to compare multiple fields and their respective values.

Evaluate Arbitrary Expression as Boolean Value

Query
logscale
test(foo < bar)
Introduction

The test() function is used to evaluate arbitrary expressions as boolean values in a query. Arbitrary expressions are used for various purposes, like performing calculations, making decisions, and defining conditions. In this example, the test() function evaluates the arbitrary expression foo < bar as a boolean value (true/false) and filters events when the expression returns true.

Step-by-Step
  1. Starting with the source repository events

  2. Evaluates if the value of the field foo is less than the value of the field bar.

    logscale
    test(foo < bar)
  3. Event Result set

Summary and Results

The query is used to evaluate arbitrary expressions as boolean values in a query. This is used to filter events where the expression returns true. The difference between using the test() function and using the match() function is that test() returns a boolean value and match() returns a string.

Evaluate Arbitrary Field Values for CPU Time within Repository

Query
logscale
test(cputime < 7500)
Introduction

The test() function is used to evaluate arbitrary expressions as boolean values in a query. Arbitrary expressions are used for various purposes, like performing calculations, making decisions, and defining conditions. In this example, the test() function evaluates the arbitrary expression cputime < 7500 as a boolean value (true/false) and filters events when the expression returns true.

Step-by-Step
  1. Starting with the source repository events

  2. Evaluates if the value of the field cputime is less than the value 7500 in a repository.

    logscale
    test(cputime < 7500)
  3. Event Result set

Summary and Results

The query is used to evaluate arbitrary expressions as boolean values in a query. This is used to filter events where the expression returns true. The difference between using the test() function and using the match() function is that test() returns a boolean value and match() returns a string. Searching for CPU times is useful when troubleshooting performance issues in a system.

Evaluate field values within repository

Query
logscale
test(cputime < 7500)
Introduction

The test() function is used to evaluate arbitrary expressions as boolean values in a query. Arbitrary expressions are used for various purposes, like performing calculations, making decisions, and defining conditions. In this example, the test() function evaluates the arbitrary expression cputime < 7500 as a boolean value (true/false) and filters events when the expression returns true.

Step-by-Step
  1. Starting with the source repository events

  2. Evaluates if the value of the field cputime is less than 7500.

    logscale
    test(cputime < 7500)
  3. Event Result set

Summary and Results

The query is used to compare a field value within the Falcon LogScale repository.