Function Traits and Arguments
Functions within LogScale are identified by their trait, which indicates what operation the function performs on the event stream. For more information, see Function Traits.
Function Traits
Individual functions have certain traits that indicate the type of operation they perform or the effect they have on the event stream. These traits describe their effect and also indicate compatibility between different functions. For example, window() accepts aggregate functions as the value to the name argument.
Collects and summarizes data. Combines events into new results, often a single number or row.
Example:
groupBy([protocol])
Builds a summary of events organized by buckets according to the time of the event.
Example:
bucket(1min, field=status_code, function=count())
Returns a summarized list of events.
Example:
head(10)
Performs a calculation or computation returning the information as a field in the event stream.
Example:
formattime("%A %d %B %Y, %R", as=fmttime, field=@timestamp, timezone=PST)
Filters the events.
Example:
regex(regex="/user/(?<userid>\\S+)/pay", field=url)
Events can be negated (prefixed with a !).
Example – show events that have status with a value of 422 or 200:
in(status, values=["422","200"])
To negate the operation:
!in(status, values=["404","500"])
This includes events that don't have the quoted values of 404 or 500.
Transforms the value of a field within each event and may add, remove or modify fields.
Example:
concat([field1,"/",field2], as=combined)
WithInputField
Uses the value of another field to influence the output of field transformation.
Example:
in(status, values=["422","200"])
It's possible for more than one trait to apply to a function; for example, in() is both a filter and negatable.
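The traits also suggest where a function belongs in a query pipeline: filters narrow the stream first, transformations then add fields to each surviving event, and aggregate functions finally collapse the events into summary rows. The query below is an added example, not taken from the LogScale documentation; it chains the functions shown on this page, and the field names url, status and userid (and the existence of events carrying them) are assumptions.

```logscale
// Filter: keep only events whose url matches, and extract userid
// as a new field from the named capture group (assumed field: url)
regex(regex="/user/(?<userid>\\S+)/pay", field=url)
// Negated filter: keep events whose status is NOT 404 or 500
// (assumed field: status)
| !in(status, values=["404","500"])
// Transformation: add a combined field to every remaining event,
// using the same form as the concat() example on this page
| concat([userid,"/",status], as=combined)
// Aggregate: collapse the events into one row per combined value,
// with a count of the events in each group
| groupBy([combined], function=count())
```

Placing the two filters before groupBy() matters: once the aggregate has run, only the grouped field and the count remain, so url and status are no longer available to filter on.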