FAQ: How do I create concatenated, formatted fields?

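To build a single formatted field in LogScale that concatenates the grandparent, parent, and target process names, use the default(), format(), and select() functions. default() supplies a placeholder value when the grandparent name is missing, format() joins the three names into one string, and select() keeps only the fields you want in the output: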

```logscale
#event_simpleName=ProcessRollup2
| default(field=GrandParentBaseFileName, value="Unknown")
| format(format="%s > %s > %s", field=[GrandParentBaseFileName, ParentBaseFileName, FileName], as="processLineage")
| select([aid, TargetProcessId, processLineage])
```
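
The following is an added example, not part of the original FAQ. It reuses the same processLineage field for hunting by counting how often each lineage occurs and on how many hosts, so the rarest chains sort to the top. It goes beyond the FAQ's query: defaulting ParentBaseFileName assumes that field can also be absent, and the output names executions and hosts are chosen here.

```logscale
#event_simpleName=ProcessRollup2
// Give every optional lineage component a placeholder so each event
// yields a complete three-part string.
| default(field=GrandParentBaseFileName, value="Unknown")
| default(field=ParentBaseFileName, value="Unknown")
| format(format="%s > %s > %s", field=[GrandParentBaseFileName, ParentBaseFileName, FileName], as="processLineage")
// One row per distinct lineage: total executions and number of distinct hosts (aid).
| groupBy([processLineage], function=[count(as=executions), count(aid, distinct=true, as=hosts)])
// Lineages seen on the fewest hosts first.
| sort(hosts, order=asc, limit=100)
```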