Creates a field with the name of the parameter field setting its value to value. If the field already exists on an event the field keeps its existing value.

fieldstring or arrayrequired  The field or fields to set the default value for. An array of multiple field names can be passed to this parameter.
replaceEmptybooleanoptional[a]false If the field's value is the empty string, override the value with the default.
value[b]stringrequired  Default value to assign to field, if not already set.

[a] Optional parameters use their default value unless explicitly set

[b] The argument name value can be omitted.

Omitted Argument Names

The argument name for value can be omitted; the following forms of this function are equivalent:




These examples show basic structure only; full examples are provided below.

default() Examples

Set the default value of the fields minutes, seconds and hours to 0 so it can be used in a calculation. If we did not do this, the event would be discarded during the eval step because eval() requires all used fields to be present.

You can set an array as the field parameter. This will allow setting the same default value for multiple fields with a single command.

default(field=[minutes, seconds, hours], 0)

Another example of convenient use of array as the field parameter would be:

default(field=[url, uri, link], "localhost")

You can use the field operator =~ and default parameter (value) to write it as:

minutes ~= default(0)

By default empty values are kept as the field does indeed exist when it has the empty value. You can set replaceEmpty to true to replace empty values with the default as well.

default(field=message, value="N/A", replaceEmpty=true)