Creates a field with the name of the parameter
field
setting its value to
value
. If the field already exists on an event the
field keeps its existing value.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
field | string or array | required | The field or fields to set the default value for. An array of multiple field names can be passed to this parameter. | |
replaceEmpty | boolean | optional[a] | false | If the field's value is the empty string, override the value with the default. |
value [b] | string | required | Default value to assign to field , if not already set. | |
[a] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
value
can be omitted; the following forms of this function are equivalent:logscale Syntaxdefault("value",field="value")
and:
logscale Syntaxdefault(value="value",field="value")
These examples show basic structure only.
default()
Examples
Set the default value of the fields
minutes,
seconds and
hours to
0
so it can be used in a calculation. If
we did not do this, the event would be discarded during the eval step
because eval()
requires all used fields to be
present.
You can set an array as the field
parameter. This
will allow setting the same default value for multiple fields with a
single command.
default(field=[minutes, seconds, hours], 0)
Another example of convenient use of array as the
field
parameter would be:
default(field=[url, uri, link], "localhost")
You can use the field operator =~
and
default parameter (value
) to write it as:
minutes ~= default(0)
By default empty values are kept as the field does indeed exist when it
has the empty value. You can set replaceEmpty
to
true
to replace empty values with the
default as well.
default(field=message, value="N/A", replaceEmpty=true)