Set Default Values for Fields - Example 3 | LogScale Query Examples

Set Default Values for Fields - Example 3

Set default values for a field and replace empty values with relevant default value

Query

logscale

default(field=message, value="N/A", replaceEmpty=true)

Introduction

Setting default values of fields is necessary, if the fields are to be used in calculations with the eval() function. If not set to a value so the field is considered to be present, the event would be discarded during eval step.

In LogScale, empty values are by default kept as the field does indeed exist when it has the empty value.

This examples shows how to set replaceEmpty to true to replace empty values with the default as well.

Step-by-Step

Starting with the source repository events.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0[\Add Field/] result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
default(field=message, value="N/A", replaceEmpty=true)
```
Replaces an empty value in the field message with the default value "N/A" by setting replaceEmpty to true.
Event Result set.

Summary and Results

The query is used to replace empty values in a field to a defined default value. If not setting a default value for empty values, the event would be discharded during further eval steps because eval() requires all used fields to be present. The use of the default() function is important for data normalization and preparation in log analysis, ensuring consistent and complete data sets for further processing and analysis. For example, in a security event log, ensuring that all events have a message can be crucial for quick triage.

Examples Library