
Value Expression Examples

For these examples, we'll start with an empty Pipeline, and build it up. There is a sample file of Palo Alto firewall log data that we'll be using for these examples.

Important:
  1. If you still have the Capture Sample Data modal open, click Cancel to close it.
  2. Make sure Processing / Pipelines is selected in Stream's top nav. If necessary, drag the pane and column dividers to the right, so that you can see Pipeline names in the left pane.
  3. Click the Pipeline named value_starter.
  4. In the right Sample Data pane, find the firewall_sample.log sample file, and click the Simple preview link to its right.
  5. In the left pane, click the Add Function button, and search for and select the Eval function (or select it from the drop-down's Standard section).

At this point, the Stream screen should look something like this:

[Screenshot: Pipeline Screen]

...and we're ready to start.

Important:
  1. In the Eval Function's Evaluate Fields section, click + Add Field. In the resulting table, enter domain in the Name field, and paste the following expression into the Value Expression field:
    (src_hostname || dest_hostname).substr((src_hostname||dest_hostname).indexOf('.')+1)
  2. Click Save
  3. In the right Preview Simple pane, click the OUT button near the top. This will show you the results of the Pipeline changes.

This expression is similar to the domain example on the previous page, but it derives the domain from the src_hostname field when that field exists, and otherwise falls back to the dest_hostname field. If you look at the data on the right, you'll see the new domain field highlighted in green; it contains the value of either src_hostname or dest_hostname with the leading hostname label removed (everything after the first dot).

Now, let's use the sample data's generated_time field to create a new field that contains the UNIX-style timestamp version of that field.

Important:
  1. In the Eval Function's Evaluate Fields section, click + Add Field to add a second row to the table.
  2. Enter generated_epochtime in the new row's Name field.
  3. Enter the following expression in the new row's Value Expression field:
    Date.parse(generated_time).toString()
  4. Click Save.

You should now see a new field in the output pane, called generated_epochtime, which contains the number of milliseconds since the epoch (January 1, 1970, 12:00 AM UTC).
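Both Value Expressions on this page are plain JavaScript, so their behaviour can be checked outside Stream. The block below is an added example, not Cribl's code and not taken from firewall_sample.log: it evaluates the domain expression and the generated_epochtime expression from the two procedures above over a few constructed Palo Alto-style events. It also covers the edge cases the raw expressions do not: the domain expression throws a TypeError when neither src_hostname nor dest_hostname is present (because `undefined.substr` is not callable), returns the whole value unchanged when there is no dot (indexOf gives -1, so the start index is 0), and `Date.parse(...).toString()` yields the string "NaN" for an unparseable timestamp. The sample timestamps use ISO 8601 with a Z suffix so that parsing does not depend on the local timezone; Palo Alto's native "YYYY/MM/DD HH:MM:SS" form has no zone and is parsed as local time by the engine.

```javascript
// Added example: emulates the two Eval "Evaluate Fields" rows from this page
// over constructed events. Not Cribl's own code; the event shapes and values
// below are made up for illustration.

// Same logic as the page's domain expression:
//   (src_hostname || dest_hostname).substr((src_hostname||dest_hostname).indexOf('.')+1)
// with one guard: the raw expression throws a TypeError when neither field
// is present, because `undefined.substr` is not a function.
function evalDomain(event) {
  const host = event.src_hostname || event.dest_hostname;
  if (typeof host !== 'string' || host.length === 0) return undefined;
  // indexOf returns -1 when there is no dot, so +1 yields 0 and the whole
  // value comes back unchanged (e.g. a bare short hostname like "laptop7").
  return host.substr(host.indexOf('.') + 1);
}

// Same logic as the page's epoch expression: Date.parse(generated_time).toString()
// Returns undefined instead of the string "NaN" when the timestamp is missing
// or unparseable, so a bad source field does not masquerade as a value.
function evalEpochTime(event) {
  if (typeof event.generated_time !== 'string') return undefined;
  const ms = Date.parse(event.generated_time); // milliseconds since the UNIX epoch
  return Number.isNaN(ms) ? undefined : ms.toString();
}

// Apply both rows to one event, the way the Eval function adds fields.
// Returns a new object rather than mutating the input; a row that evaluates
// to undefined adds no field.
function applyEval(event) {
  const out = { ...event };
  const domain = evalDomain(event);
  if (domain !== undefined) out.domain = domain;
  const epoch = evalEpochTime(event);
  if (epoch !== undefined) out.generated_epochtime = epoch;
  return out;
}

// Constructed sample events (not lines from firewall_sample.log).
const sampleEvents = [
  // both hostnames present: src_hostname wins
  { src_hostname: 'web01.corp.example.com', dest_hostname: 'db01.corp.example.com',
    generated_time: '2020-05-12T10:15:30Z' },
  // only dest_hostname present: fallback branch
  { dest_hostname: 'mail.partner.example.net', generated_time: '2020-05-12T10:16:00Z' },
  // hostname without a dot, and an unparseable timestamp
  { src_hostname: 'laptop7', generated_time: 'not a timestamp' },
  // neither hostname and no timestamp: nothing is added
  { src_ip: '10.0.0.5' },
];

// Run the Eval over a batch of events, like the Pipeline preview's OUT view.
function runAll(events) {
  return events.map(applyEval);
}

for (const e of runAll(sampleEvents)) {
  console.log(JSON.stringify(e));
}
```

Run it with `node` to see one JSON line per event; the first two gain both `domain` and `generated_epochtime`, the third gains only `domain` (the full value `laptop7`), and the fourth is unchanged.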