Evaluate Field Values Within Repository

Compare field values within the Falcon LogScale repository

Query

```logscale
test(cputime < 7500)
```

Introduction

The test() function is used to evaluate arbitrary expressions as boolean values in a query. Arbitrary expressions are used for various purposes, like performing calculations, making decisions, and defining conditions.

In this example, the test() function evaluates the expression cputime < 7500 as a boolean value (true/false) and keeps only the events for which the expression returns true.
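The same mechanism works with expressions that combine fields and with values produced earlier in a query pipeline. The following query is an added example, not part of the original page; the field names cputime, duration and host are assumed.

```logscale
// Added example; field names cputime, duration and host are assumed.
// 1. Keep events whose CPU time exceeds half of their wall-clock duration.
test(cputime > duration / 2)
// 2. Count the matching events per host.
| groupBy(host, function=count(as=busy))
// 3. Keep only hosts with more than 10 such events.
| test(busy > 10)
```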

Step-by-Step

  1. Starting with the source repository events.

  2. Filter function (Events -> Filter Function -> Result Set):

     ```logscale
     test(cputime < 7500)
     ```

     Evaluates whether the value of the field cputime is less than 7500.

  3. Event result set.

Summary and Results

The query is used to compare a field value within the Falcon LogScale repository.