FAQ: How do I create concatenated, formatted fields?
To create concatenated and formatted fields in LogScale including
grandparent, parent, and target processes, use the
default(), format(), and
select() functions:
logscale
#event_simpleName=ProcessRollup2
| default(field=GrandParentBaseFileName, value="Unknown")
| format(format="%s > %s > %s", field=[GrandParentBaseFileName, ParentBaseFileName, FileName], as="processLineage")
| select([aid, TargetProcessId, processLineage])