Figure 28. Day of Week

Transformation expressions (also called Filter expressions) filter input or add/remove/modify fields on each event. These include filter expressions like:

time:dayOfWeekName(field=@timestamp, as=the_day)

This uses the time:dayOfWeekName() function to extract the day of the week from the timestamp for each event, and then format that value so as to return the name of the day of the week — and put that value in a field named, the day. You can see the results in the screenshot in Figure 1 here.

A subset of the available query functions are known as Transformation Functions, for example regex(), in() or eval(). Just like the examples above they only adds/removes/modifies fields and never produce new (additional) events as output.

If a query consists solely of transformation expressions it is known as filter query or transformation query. This kind of query is required when connecting Views with repositories.

Aggregation expressions are always function calls. These functions can combine their input into a new structure or emit new events into the output stream.

A query becomes an aggregation query if it uses at least one aggregate function like sum(), count() or avg().

For example, the query count() takes a stream of events as its input, and produces a single record containing a _count field.

Below are some examples:

loglevel = ERROR 
| timechart()

x := y * 2 
| bucket(function=sum(x))