Keeps only the specified fields.
The fields command also ensures that the order of the fields in the output of the command aligns with the order of the fields specified as parameters of the command. Notably, the fields command creates a new field if a specified field is not present in the result generated by the previous pipeline stage.
fields fieldName [= Expression] [, ...]
The following query uses the fields command to keep only the fields event, k8s.pod.name, and status in the query result.
data record(event = "failed to find product",status = "NONE",dt.entity.process_group = "PROCESS_GROUP-01A48F48FA09FE4A",k8s.namespace.name = "unguard",k8s.pod.name = "unguard-user-simulator-28334535-tqqxt")| fields event, k8s.pod.name, status
Query result:
| event | k8s.pod.name | status |
|---|---|---|
|
|
|
Note that the order of the fields in the query result matches the order of the parameters of the fields command.
The following query uses the fields command to rename the field dt.entity.process_group and create two new fields based on the given expressions. The fields command removes all other fields from the query result.
data record(event = "failed to find product",dt.entity.process_group = "PROCESS_GROUP-01A48F48FA09FE4A",k8s.namespace.name = "unguard",k8s.pod.uid = "d3e93267-e7f9-4a2d-b5df-dc2ac226a7ce",status = "NONE")| fields concat(status, ": ", event),process_group = dt.entity.process_group,uid = upper(k8s.pod.uid)
Query result:
| concat(status, ": ", event) | process_group | uid |
|---|---|---|
|
|
|
Note that the expression concat(status, ": ", event) is also used as a field name in the query result since the fields command doesn't define an alias for this field.
The following query uses the fetch command to load the data from logs. By default, the query result includes all fields of the fetched data object. The fields command in the query below keeps only the fields listed as its parameters in the query result. In this example, the fields command also converts the loglevel field to lowercase by the DQL lower function and renames it to severity.
fetch logs| fields timestamp, severity = lower(loglevel), content
Evaluates an expression and appends or replaces a field.
fieldsAdd fieldName [= Expression] [, ...]
The following query adds the new field uid based on the expression upper(k8s.pod.uid).
data record(event = "failed to find product",k8s.pod.uid = "d3e93267-e7f9-4a2d-b5df-dc2ac226a7ce",status = "NONE")| fieldsAdd uid = upper(k8s.pod.uid)
Query result:
| event | k8s.pod.uid | status | uid |
|---|---|---|---|
|
|
|
|
The following query adds the new field severity based on evaluating the expression with the if function.
data record(event = "failed to find product",dt.entity.process_group = "PROCESS_GROUP-01A48F48FA09FE4A",status = "NONE")| fieldsAdd severity = if(status == "NONE", "INFO", else: status)
Query result:
| event | dt.entity.process_group | status | severity |
|---|---|---|---|
|
|
|
|
The following query adds a new field based on an alternative condition.
For every alternative condition, you need a separate fieldsAdd command.
In the first fieldsAdd command, you don't need to set the else parameter in the if expression.
For every subsequent fieldsAdd command, you must set the added field in the else parameter.
data record(type = "event", count = 4, month = 3),record(type = "event", count = 3, month = 5),record(type = "event", count = 6, month = 9)| fieldsAdd quarter = if(month >= 1 and month <=3, "Q1")| fieldsAdd quarter = if(month >= 4 and month <= 6, "Q2", else:quarter)| fieldsAdd quarter = if(month >= 7 and month <= 9, "Q3", else: quarter)| fieldsAdd quarter = if(month >= 10 and month <= 12, "Q4", else:quarter)
Query result:
| type | count | month | quarter |
|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
The following example adds the new field severity based on the expression lower(loglevel).
fetch logs| fieldsAdd severity = lower(loglevel)
In case of identical field names, added fields override the existing fields in the processing stream. When two identical field names are specified in the DQL statement, a warning "The field <fieldName> overrides an existing field." is returned.
Keeps the selected fields. Contrary to the fields command, no new field is created in case it is not present on the record.
fieldsKeep fieldNameOrPattern [,...]
The following example keeps the fields event and status in the query result.
data record(event = "failed to find product",dt.entity.host = "HOST-6DF6DE092963F",dt.entity.process_group = "PROCESS_GROUP-01A48F48FA09FE4A",k8s.namespace.name = "unguard",k8s.pod.name = "unguard-user-simulator-28334535-tqqxt",k8s.pod.uid = "d3e93267-e7f9-4a2d-b5df-dc2ac226a7ce",status = "NONE")| fieldsKeep event, status
Query result:
| event | status |
|---|---|
|
|
The fieldsKeep command supports string patterns using wildcards for referencing more than one field. To match any sequence of zero or more characters in the field name, you can use a * character anywhere in the string pattern.
A pattern supports a maximum of 64 wildcard characters. Consecutive wildcards (for example, **) aren't supported.
The following example keeps the fields where the field name starts with dt.entity. in the query result.
data record(event = "failed to find product",dt.entity.host = "HOST-6DF6DE092963F",dt.entity.process_group = "PROCESS_GROUP-01A48F48FA09FE4A",k8s.namespace.name = "unguard",k8s.pod.name = "unguard-user-simulator-28334535-tqqxt",k8s.pod.uid = "d3e93267-e7f9-4a2d-b5df-dc2ac226a7ce",status = "NONE")| fieldsKeep event, "dt.entity.*"
Query result:
| event | dt.entity.host | dt.entity.process_group |
|---|---|---|
|
|
|
The following example fetches logs and keeps the timestamp, content, and all fields whose name starts with dt.entity.
fetch logs| fieldsKeep timestamp, content, "dt.entity.*"
Removes fields from the result.
| fieldsRemove fieldNameOrPattern [,...]
The following example removes the fields k8s.namespace.name, k8s.pod.name, and k8s.pod.uid from the query result.
data record(event = "failed to find product",dt.entity.host = "HOST-6DF6DE092963F",dt.entity.process_group = "PROCESS_GROUP-01A48F48FA09FE4A",k8s.namespace.name = "unguard",k8s.pod.name = "unguard-user-simulator-28334535-tqqxt",k8s.pod.uid = "d3e93267-e7f9-4a2d-b5df-dc2ac226a7ce",status = "NONE")| fieldsRemove k8s.namespace.name, k8s.pod.name, k8s.pod.uid
Query result:
| event | dt.entity.host | dt.entity.process_group | status |
|---|---|---|---|
|
|
|
|
The following example uses the fieldsAdd command to generate a new field called severity. The fieldsRemove command removes the original loglevel field because it is duplicate information.
fetch logs| fieldsAdd severity = lower(loglevel)| fieldsRemove loglevel
The fieldRemove command supports string patterns using wildcards for referencing more than one field. To match any sequence of zero or more characters in the field name, you can use a * character anywhere in the string pattern.
A pattern supports a maximum of 64 wildcard characters. Consecutive wildcards (for example, **) aren't supported.
The following example uses the fieldsAdd command to generate a new field called severity.
The fieldsRemove command removes the field loglevel and all fields where the name starts with k8s.cluster..
fetch logs| fieldsAdd severity = lower(loglevel)| fieldsRemove loglevel, "k8s.cluster.*"
Renames a field.
fieldsRename fieldName = originalName, [,...]
The following example renames the fields dt.entity.host and dt.entity.process_group.
data record(event = "failed to find product",dt.entity.process_group = "PROCESS_GROUP-01A48F48FA09FE4A",dt.entity.host = "HOST-6DF6DE092963F",status = "NONE")| fieldsRename host = dt.entity.host, `Process Group` = dt.entity.process_group
Query result:
| event | Process Group | host | status |
|---|---|---|---|
|
|
|
|
The following example queries logs and renames the fields loglevel, log.source, and content.
fetch logs| fieldsRename severity = loglevel, source = log.source, logmessage = content
In case of identical field names, renamed fields override the existing fields in the processing stream. If two identical field names are specified in the DQL statement, the warning "The field <fieldName> overrides an existing field." is returned.