Special-Use Expressions
A couple of variations on filter and value expressions bear special mention. This page is informational. No exercises required.
Parser Function – Fields Filter Expression
When you use the Stream Parser Function's Reserialize option, there is a special option that becomes available, called the Fields Filter Expression. This is basically a filter expression that's used in determining whether a field gets included when the event is reserialized:
Basically, the Function will loop through all of the fields, feed each field's name as name, and feed the field's value as value. If the result of the expression is truthy, the field is kept; but if falsy, it will be excluded.
In the above example, the expression means "Keep (reserialize) all fields, except fields that have the name level and the value info."
Here are some example key/value inputs to the expression, with corresponding results:
| Key/Value | Result |
|---|---|
level/"debug" | reserialized |
mylevel/"info" | reserialized |
level/"info" | excluded |
Other common expressions used here:
| Expression | Meaning |
|---|---|
value!==null | Exclude any fields with a null value. |
!name.startsWith("temp") | Exclude any fields whose name starts with temp. |
Rename Function – Renaming Expression
The Rename Function has a Rename Expression option that tells it how to rename fields.
Just like in the previous example, the Function will iterate through every field in the event, passing both its name and value to the expression. The above example includes use of the JavaScript ternary operator, which has the following syntax:
<true/false expression> ? <true result> : <false result>
It's basically an if/then/else statement in a single line. In the above example, it means that if the name of the field starts with the word out, then uppercase the field name, else leave it alone (by returning the original name).
Other common uses:
| Expression | Result |
|---|---|
name.toLowerCase() | Any uppercase characters in the field name get changed to lowercase. |
name.replace("geoip_src_country", "country") | Replace the string geoip_src_country with the string country. This is useful when JSON objects have been flattened (as in this case). This expression will leave alone any name without geoip_src_country, so no need for a ternary. |