Selection and modification commands
fields
Keeps only the specified fields. If the field is not present in the result generated by the previous pipeline stage, a new field gets created.
-
Syntax
| fields fieldName [= Expression] [, ...] -
Example
In the following example, only three of all available fields returned from the
fetchstage are selected. Theloglevelfield is additionally converted to lowercase by the DQL lower function.1fetch logs2| fields timestamp, severity = lower(loglevel), contentAdditionally, the fields command ensures that the order of fields in the query output aligns with the order specified in the query.
fieldsAdd
Evaluates an expression and appends or replaces a field.
-
Syntax
| fieldsAdd fieldName [= Expression] [, ...] -
Example
The following example shows the difference between
fieldsandfieldsAdd. While thefieldscommand defines the result table by the fields specified, thefieldsAddcommand adds new fields to the existing fields.1fetch logs2| fieldsAdd severity = lower(loglevel)
In case of identical field names, added fields override the existing fields in the processing stream. When two identical field names are specified in the DQL statement, a warning "The field <fieldName> overrides an existing field." is returned.
fieldsKeep
Keeps the selected fields. Contrary to the fields command, no new field is created in case it is not present on the record.
-
Syntax
fieldsKeep fieldNameOrPattern [,...] -
Example
The following example uses the
fieldsKeepcommand to keep thetimestamp,contentand all fields with their name starting withdt.entity.1fetch logs2| fieldsKeep timestamp, content, "dt.entity.*"
fieldsRemove
Removes fields from the result.
-
Syntax
| fieldsRemove fieldNameOrPattern [,...] -
Example
The following example uses the
fieldsAddcommand to generate a new field calledseverity. In order to reduce the duplicated information that is still present in theloglevelfield, thefieldsRemovecommand is used to remove the originalloglevelfield.1fetch logs2| fieldsAdd severity = lower(loglevel)3| fieldsRemove loglevel
Working with string patterns
String patterns are a powerful tool for referencing more than one field. Here's how to quickly reference a list of fields matching a certain string pattern expression:
-
Example
1fetch logs2| fieldsAdd severity = lower(loglevel)3| fieldsRemove loglevel, 'k8s.cluster.*'
fieldsRename
Renames a field.
-
Syntax
fieldsRename fieldName = originalName, [,...] -
Example
1fetch logs2| fieldsRename severity=loglevel, source=log.source, logmessage = content
If the assigned alias, e.g. severity is colliding with an already existing field severity, the original field is overridden. In case two identical field names are specified in the DQL statement, a warning "The field <fieldName> overrides an existing field." is returned.