Falcon LogScale Documentation

Figure 341. Day of Week

Transformation expressions (also called Filter expressions) filter input or adds/removes/modifies fields on each event. These include filter expressions like:

time:dayOfWeekName(field=@timestamp, as=the_day)

This uses the time:dayOfWeekName() function to extract the day of the week from the timestamp for each event, and then format that value so as to return the name of the day of the week — and put that value in a field named, the day. You can see the results in the screenshot in Figure 1 here.

A subset of the available query functions are known as Transformation Functions, for example regex(), in() or eval(). Just like the examples above they only adds/removes/modifies fields and never produce new (additional) events as output.

If a query consists solely of transformation expressions it is known as filter query or transformation query. This kind of query are required when connecting Views with repositories.

Aggregation expressions are always function calls. These functions can combine their input into a new structures or emit new events into the output stream.

A query becomes an aggregation query if it uses at least one aggregate function like sum(), count() or avg().

For example, the query count() takes a stream of events as its input, and produces a single record containing a _count field.

Below are some examples:

loglevel = ERROR | timechart()

x := y * 2 | bucket(function=sum(x))