This is a filter that lets you remove attributes and columns from a result set.

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| fields[a] | array of strings | required | | The names of the fields to discard. |

[a] The parameter name fields can be omitted.

drop() Examples

Calculate a Percentage of Successful Status Codes Over Time

Query
logscale
| success := if(status >= 500, then=0, else=1)
| timeChart(series=customer,function=
[
  {
    [sum(success,as=success),count(as=total)]
| pct_successful := (success/total)*100
| drop([success,total])}],span=15m,limit=100)
Introduction

Calculate a percentage of successful status codes inside the timeChart() function field.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    | success := if(status >= 500, then=0, else=1)

    Adds a success field under the following conditions:

    • If the value of field status is greater than or equal to 500, set the value of success to 0, otherwise to 1.

  3. logscale
    | timeChart(series=customer,function=
    [
      {
        [sum(success,as=success),count(as=total)]

    Creates a new timechart, generating a new series, customer, that uses a compound function. In this example, the embedded function generates an array of values, but the array values are generated by an embedded aggregate. The embedded aggregate (defined using the {} syntax) creates a sum() and count() value across the events grouped by the value of the success field generated from the filter query. This is counting the 1 or 0 generated by the if() function; counting all the values and adding up the ones for successful values. These values will be assigned to the success and total fields. Note that at this point we are still within the aggregate, so the two new fields are within the context of the aggregate, with each field being created for a corresponding success value.

  4. logscale
    | pct_successful := (success/total)*100

    Calculates the percentage that are successful. We are still within the aggregate, so the output of this process will be an embedded set of events with the total and success values grouped by each original HTTP response code.

  5. logscale
    | drop([success,total])}],span=15m,limit=100)

    Still within the embedded aggregate, drops the total and success fields from the array generated by the aggregate. These fields were temporary, used to calculate the percentage of successful results, and are not needed in the array for generating the result set. Then sets the bucket span to 15 minutes and limits to 100 results overall.

  6. Event Result set.

Summary and Results

This query shows how an embedded aggregate can be used to generate a sequence of values that can be formatted (in this case to calculate percentages) and generate a new event series for the aggregate values.
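The data flow of the query above, modelled in Python as an added example (this is not LogScale code and not part of the original documentation). The events are constructed, buckets are assumed to align to multiples of the span, and limit=100 is not modelled.

```python
from collections import defaultdict

SPAN = 15 * 60  # span=15m, in seconds

# Constructed sample events: (epoch seconds, customer, HTTP status)
EVENTS = [
    (0,    "acme",   200),
    (60,   "acme",   503),
    (120,  "acme",   200),
    (300,  "acme",   404),
    (200,  "globex", 500),
    (400,  "globex", 502),
    (900,  "acme",   200),
    (1000, "globex", 200),
    (1700, "globex", 504),
]


def drop(row, fields):
    """Model of drop(): return the row without the named fields."""
    return {k: v for k, v in row.items() if k not in fields}


def pct_successful_chart(events, span=SPAN):
    # | success := if(status >= 500, then=0, else=1)
    # timeChart(series=customer, ...): group by (bucket start, customer)
    groups = defaultdict(list)
    for ts, customer, status in events:
        success = 0 if status >= 500 else 1
        groups[(ts - ts % span, customer)].append(success)

    rows = []
    for (bucket, customer), flags in sorted(groups.items()):
        # [sum(success,as=success), count(as=total)]
        row = {"_bucket": bucket, "customer": customer,
               "success": sum(flags), "total": len(flags)}
        # | pct_successful := (success/total)*100
        row["pct_successful"] = row["success"] / row["total"] * 100
        # | drop([success,total]): temporary fields leave the result
        rows.append(drop(row, ["success", "total"]))
    return rows


if __name__ == "__main__":
    for r in pct_successful_chart(EVENTS):
        print(r)
```

Note that the 404 event counts as successful, because the query only treats status values of 500 and above as failures.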

Count Events per Repository

Count of the events received by repository

Query
logscale
bucket(span=1d,field=#repo,function=count())
| @timestamp:=_bucket
| drop(_bucket)
Introduction

Count of X events received by a repo (Cloud).

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    bucket(span=1d,field=#repo,function=count())

    Buckets the events into one-day spans, grouped by the #repo field, using count() as the aggregate function.

  3. logscale
    | @timestamp:=_bucket

    Updates the timestamp to the value generated by the bucket() function.

  4. logscale
    | drop(_bucket)

    Discards the _bucket field from the results.

  5. Event Result set.

Summary and Results

The query can be run on each repo. Or, create a view that looks across multiple repos and then run it from there to get all the repo counts in one search.

Remove Attributes, Columns/Fields From Result Set - Example 1

Drop a single field from a result set using the drop() function

Query
logscale
drop(header)
Introduction

In this example, the drop() function is used to remove the header field from the result set.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    drop(header)

    Drops a single field named header.

  3. Event Result set.

Summary and Results

The query is used to remove data during ingest, in this example removing a field. Removing fields is useful if you have created fields in sub-searches (extracted some values into new fields during the filtering process) that are no longer needed in the final result set. If you want to drop an entire event, it is possible to use the dropEvent() function.

Remove Attributes, Columns/Fields From Result Set - Example 2

Drop two fields from a result set using the drop() function

Query
logscale
drop([header,value])
Introduction

In this example, the drop() function is used to remove the fields header and value from the result set.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    drop([header,value])

    Drops both the field named header and the field named value.

  3. Event Result set.

Summary and Results

The query is used to remove data during ingest, in this example removing more fields. Removing fields is useful if you have created fields in sub-searches (extracted some values into new fields during the filtering process) that are no longer needed in the final result set. If you want to drop an entire event, it is possible to use the dropEvent() function.