Creates a field with the name of the parameter
field
setting its value to
value
. If the field already exists on an event the
field keeps its existing value.
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
field | string or array | required | The field or fields to set the default value for. An array of multiple field names can be passed to this parameter. | |
replaceEmpty | boolean | optional[a] | false | If the field's value is the empty string, override the value with the default. |
value [b] | string | required | Default value to assign to field , if not already set. | |
[a] Optional parameters use their default value unless explicitly set |
Omitted Argument NamesThe argument name for
value
can be omitted; the following forms of this function are equivalent:logscaledefault("value",field="value")
and:
logscaledefault(value="value",field="value")
These examples show basic structure only; full examples are provided below.
default()
Examples
Set the default value of the fields
minutes,
seconds and
hours to
0
so it can be used in a calculation. If
we did not do this, the event would be discarded during the eval step
because eval()
requires all used fields to be
present.
You can set an array as the field
parameter. This
will allow setting the same default value for multiple fields with a
single command.
default(field=[minutes, seconds, hours], 0)
Another example of convenient use of array as the
field
parameter would be:
default(field=[url, uri, link], "localhost")
You can use the field operator =~
and
default parameter (value
) to write it as:
minutes ~= default(0)
By default empty values are kept as the field does indeed exist when it
has the empty value. You can set replaceEmpty
to
true
to replace empty values with the default as well.
default(field=message, value="N/A", replaceEmpty=true)