How-To: Assign or Create a Dynamic Field

While the documentation lists several methods, the easiest way to assign or create a dynamic field is to use the eval() function's shorthand, :=. Fields before := will be assigned the value of whatever comes after it, including strings, functions, other fields, etc.

For example, if bytes already has a byte count and you'd like to convert that to megabytes:

megabytes := bytes * 0.000001

If you'd like to have thisBytes created and assigned the value of thatBytes:

logscale

thisBytes := thatBytes

If you'd like to find the average string length of @rawstring:

logscale

eventLength := length(@rawstring)
| avg(eventLength)

Keep in mind, fields and values are dynamic, meaning they do not exist outside of query results. They will not be permanently added to your ingested logs.

Knowledge Base

How-To: Assign or Create a Dynamic Field

Enter search term