Set a Field Value Based on Tag Value

Query

logscale
keyprocess := if(#eventType == "Spawn", then=ChildID, else=ProcessID)

Introduction

When processing event data, there are occasions when a value needs to be determined from another field in the event. In this example, the field keyprocess is populated based on the #eventType tag.

Step-by-Step

  1. Starting with the source repository events.

  2. [Flowchart: Events --> Conditional --> Result Set]
    logscale
    keyprocess := if(#eventType == "Spawn", then=ChildID, else=ProcessID)

    Using the if() function, set keyprocess to the value of ChildID if #eventType is Spawn; otherwise, set keyprocess to the value of ProcessID.

  3. Event Result set.

Summary and Results

Using if() provides a simplified way of processing and parsing data when the test value can be easily identified.

In this example, the process ID has been identified based on whether it is the original or a spawn (child) process.
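One way to use the resulting field, as an added example that is not part of the original page: the same assignment followed by an aggregation, so that each Spawn event is grouped with the events of the process it created. It assumes that ChildID on a Spawn event carries the same identifier that the child's own events carry in ProcessID; the output field names eventCount, firstSeen and lastSeen are chosen here for illustration.

```logscale
// Added example: normalize the process identifier, then summarize per process.
// Assumption: ChildID on a Spawn event equals the ProcessID on the child's own events.
keyprocess := if(#eventType == "Spawn", then=ChildID, else=ProcessID)
| groupBy(keyprocess, function=[
    count(as=eventCount),          // events attributed to this process, Spawn included
    min(@timestamp, as=firstSeen), // earliest event for the process
    max(@timestamp, as=lastSeen)   // latest event for the process
  ])
| sort(eventCount, order=desc)
```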