Generates temporary events as part of the query and is ideal for
generating sample data for testing or troubleshooting. It is
regarded as an aggregator function and, therefore, discards all
incoming events and outputs the generated ones. The generated events
carry only @rawstring and the timestamp fields; they have no extracted
fields, so createEvents() is usually combined with one of the parsers.
For example, raw strings written as key/value pairs can be parsed into
fields with the kvParse() function.
The createEvents() function generates temporary
events as part of the query. The function is ideal for generating sample
data for testing or troubleshooting.
Creates two temporary events to be used for testing purposes: one whose
raw string describes a dog and one whose raw string describes a
cat.
Event Result set.
Summary and Results
The query is used to create temporary events. The
createEvents() function can be combined with
different parsers to generate more interesting events, for example, with
kvParse() or parseJson().
Sample output from the incoming example data:

@rawstring             @timestamp     @timestamp.nanos
animal=dog weight=7.0  1733310508872  0
animal=cat weight=4.2  1733310508872  0
Create a Temporary Event with Bit Flags for Troubleshooting - Example 2
Create a temporary event for testing or troubleshooting using the createEvents() function with kvParse()
In this example, the bit field is named
flags and has the value
4 corresponding to the bit string
00000100. The goal is to extract two
flags based on their bit value.
Step-by-Step
Starting with the source repository events.
logscale
createEvents(["flags=4"])
Creates a temporary event whose raw string is
flags=4, to be used for testing
purposes. Bit flags are one or more (up to 32) Boolean values stored in
a single number; at this step the value is still part of @rawstring and
has not yet been extracted as a field.
logscale
|kvParse()
Parses the raw text looking for key/value pairs and creates the
corresponding fields in the event. In this case a single field named
flags is created with the value
4.
When specifying the values for the bit field, numbering starts from bit 0
(2^0, decimal 1). The individual
bits are defined using an array of arrays. Each inner array
specifies the bit number (not the bit's literal value) and the name of the
field to be created. Each field is then set to
true if that bit is set in
the compared field, and false otherwise.
In this example, ErrorFlag
is assigned bit 1 (2^1, decimal 2) and
WarningFlag is assigned bit
2 (2^2, decimal 4). Because flags=4 has only bit 2 set,
WarningFlag becomes true and
ErrorFlag becomes false. Passing the decimal value
4 instead of the bit number 2 would test bit 4 (decimal 16) and
silently yield false.
Event Result set.
Summary and Results
The query is used to extract named Boolean flags from a bitmask field.
Creating test events that carry bit flags is useful when testing and
troubleshooting such values: comparing a single integer bitmask is faster
than comparing a series of separate Booleans, and the bitmask
representation uses considerably less memory.
Sample output from the incoming example data:

ErrorFlag  WarningFlag
false      true
Perform a Free-Text Search in Rawstring
Perform a free-text search in a rawstring using the createEvents() function
Query
logscale
createEvents(["foobar"])|@rawstring="*foo*"
Introduction
In this example, the createEvents() function is
used to do a free-text search for
foo in a rawstring. The
* on either side of the value ensures
that the match accepts any value of @rawstring
that contains foo, with any
prefix or suffix, so the generated string foobar matches.
Step-by-Step
Starting with the source repository events.
logscale
createEvents(["foobar"])|@rawstring="*foo*"
Free-text searches for foo in the
rawstring. Notice that you must add
* around the free-text string
foo: without the wildcards the comparison is an
exact match on the whole field value, and foobar would not match.
Event Result set.
Summary and Results
The query is used specifically to perform a free-text search in the
@rawstring field. This is useful when you want to
confirm how a wildcard match against a specific field behaves before
running the same search against real data.
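As an added illustration (this is not code from the LogScale documentation or the product), the following Python models the steps these examples exercise: createEvents() producing events with only @rawstring, kvParse() lifting key/value pairs into fields, the bit-flag step that maps bit numbers to named Boolean fields, and the wildcard comparison on @rawstring. The function names (create_events, kv_parse, extract_flags, field_matches) are this example's own, not LogScale function names, and the sample strings are constructed to mirror the page's examples. It exists so the bit-number-versus-bit-value rule and the exact-match-without-wildcards behaviour can be checked offline.

```python
# Added example: a Python model of createEvents() | kvParse() | bit-flag
# extraction | field="*pattern*" as described on this page. Not LogScale
# code; it mimics the documented behaviour so the rules can be tested offline.
import re
from typing import Dict, List, Sequence

Event = Dict[str, object]

# Constructed sample input mirroring the page's examples.
SAMPLE_RAWSTRINGS = ["animal=dog weight=7.0", "animal=cat weight=4.2", "flags=4"]

# key=value or key="quoted value"; keys are word characters.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def create_events(rawstrings: Sequence[str]) -> List[Event]:
    """Model createEvents(): one event per string, no extracted fields."""
    return [{"@rawstring": s} for s in rawstrings]


def kv_parse(event: Event) -> Event:
    """Model kvParse(): lift key=value pairs in @rawstring into fields.

    Values stay strings, as field values do in LogScale; the bit-flag step
    converts to an integer itself.
    """
    out = dict(event)
    for key, value in _KV_RE.findall(str(event["@rawstring"])):
        out[key] = value.strip('"')
    return out


def extract_flags(event: Event, field: str, flag_names: Sequence[Sequence]) -> Event:
    """Model the bit-flag step: flag_names is an array of [bit_number, field_name].

    Bit numbers start at 0 (decimal 1); bit 1 is decimal 2, bit 2 is decimal 4.
    Each named field becomes True iff that bit is set in the integer field.
    Events without the field, or with a non-integer value, pass through unchanged.
    """
    out = dict(event)
    try:
        value = int(str(out[field]))
    except (KeyError, ValueError):
        return out
    for bit, name in flag_names:
        bit = int(bit)
        if not 0 <= bit < 32:
            raise ValueError(f"bit number {bit} outside 0..31")
        out[str(name)] = bool(value & (1 << bit))
    return out


def field_matches(event: Event, field: str, pattern: str) -> bool:
    """Model field="pattern": exact match unless the pattern carries * wildcards."""
    value = str(event.get(field, ""))
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def run_pipeline(rawstrings: Sequence[str]) -> List[Event]:
    """createEvents() | kvParse() | bit-flag extraction on the flags field."""
    flag_spec = [[1, "ErrorFlag"], [2, "WarningFlag"]]  # bit numbers, not values
    return [extract_flags(kv_parse(e), "flags", flag_spec) for e in create_events(rawstrings)]


if __name__ == "__main__":
    for ev in run_pipeline(SAMPLE_RAWSTRINGS):
        print(ev)
    ev = create_events(["foobar"])[0]
    print(field_matches(ev, "@rawstring", "*foo*"), field_matches(ev, "@rawstring", "foo"))
```

Running the script shows the dog and cat events gaining animal and weight fields but no flag fields (they carry no flags field), the flags=4 event gaining ErrorFlag=False and WarningFlag=True, and the foobar event matching "*foo*" but not the bare "foo".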