Create New Fields

Create new fields by evaluating the provided expression using the eval() function

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[\Add Field/] result{{Result Set}} repo --> 1 1 --> result
eval(c = a + b)

Introduction

The eval() function can be used to create new fields based on an expression.

In this example, the eval() function is used to add the fields a and b together, creating a new field c containing the results.

Example incoming data might look like this:

| @timestamp | a | b |
|---|---|---|
| 2025-02-18T09:00:01.000Z | 10 | 5 |
| 2025-02-18T09:00:02.000Z | 25 | 75 |
| 2025-02-18T09:00:03.000Z | 100 | 50 |
| 2025-02-18T09:00:04.000Z | 3 | 17 |
| 2025-02-18T09:00:05.000Z | 45 | 55 |
| 2025-02-18T09:00:06.000Z | 80 | 20 |
| 2025-02-18T09:00:07.000Z | 30 | 30 |
| 2025-02-18T09:00:08.000Z | 150 | 150 |

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[\Add Field/] result{{Result Set}} repo --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    eval(c = a + b)

    Adds the values of field a and field b together and returns the sum of these in a new field named c.

  3. Event Result set.

Summary and Results

The query creates a new field containing the sum of two other fields. If the field c already exists, it is overwritten with the new value. The eval() function is also useful when testing and debugging: for example, you can use it to test a complex function or expression with different inputs and quickly check the output in the returned values.

Sample output from the incoming example data:

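| a | b | c |
|---|---|---|
| 10 | 5 | 15 |
| 25 | 75 | 100 |
| 100 | 50 | 150 |
| 3 | 17 | 20 |
| 45 | 55 | 100 |
| 80 | 20 | 100 |
| 30 | 30 | 60 |
| 150 | 150 | 300 |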

Note that the new field c contains the sum of the values from fields a and b for each event.