Generates temporary events as part of the query and is ideal for
generating sample data for testing or troubleshooting. It is regarded as
an aggregator function and, therefore, discards all incoming events and
outputs the generated ones. The events are generated with no extracted
fields but createEvents()
can, advantageously, be
combined with one of the many parsers. For example, given raw strings in
the format of key/value pairs, the pairs can be parsed to fields using the
kvParse()
function.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
rawstring [a] | string | required | Specification of events to emit. Each event is given as a @rawstring which is not processed further. | |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
rawstring
can be omitted; the following forms of this function are equivalent:logscale SyntaxcreateEvents("value")
and:
logscale SyntaxcreateEvents(rawstring="value")
These examples show basic structure only.
createEvents()
Examples
Two temporary events can be generated as follows:
createEvents(["animal=dog weight=7.0", "animal=cat weight=4.2"])
The generated output events are:
@rawstring | @timestamp |
---|---|
animal=dog weight=7.0 | 2022-10-31 08:14:09 |
animal=cat weight=4.2 | 2022-10-31 08:14:09 |
createEvents()
can be combined with different
parsers to generate more interesting events, for example, with
kvParse()
or parseJson()
. With
the key/value pair parser kvParse()
, two temporary
events with two fields can be generated as follows:
createEvents(["animal=dog weight=7.0", "animal=cat weight=4.2"])
| kvParse()
The events are specified as a string of key/value pairs
(key=value
), and parsed with
kvParse()
. The generated output events are:
@rawstring | @timestamp | animal | weight |
---|---|---|---|
animal=dog weight=7.0 | 2022-10-31 08:14:09 | dog | 7.0 |
animal=cat weight=4.2 | 2022-10-31 08:14:09 | cat | 4.2 |
Similarly, createEvents()
can be combined with
parseJson()
to parse
@rawstring as JSON:
createEvents(["{\"animal\":{\"kind\":\"dog\", \"weight\":7.0}}", "{\"animal\":{\"kind\":\"cat\", \"weight\":4.2}}"])
| parseJson()
The generated output events are:
@rawstring | @timestamp | animal.kind | animal.weight |
---|---|---|---|
{"animal":{"kind":"dog", "weight":7.0}} | 2022-10-31 08:14:09 | dog | 7.0 |
{"animal":{"kind":"cat", "weight":4.2}} | 2022-10-31 08:14:09 | cat | 4.2 |