Expressions are valid units of code that resolve to a value. Every syntactically valid expression resolves to some value, but conceptually there are two types of expressions: those that assign a value to a variable (a.k.a. with side effects) and those that evaluate to a value.
x = 42
newFoo = foo.slice(30)
(Math.random() * 42)
3 + 4
Filters are used in Routes to select a stream of the data flow, and in Functions to scope or narrow down the applicability of a function. They are expressions that must evaluate to either true (or truthy) or false (or falsy). Keep this in mind when creating routes or functions. For example:
sourcetype=='access_combined' && host.startsWith('web')
source.endsWith('.log') || sourcetype=='aws:cloudwatchlogs:vpcflow'
Value expressions are typically used in Functions to assign a value, for example, to a new field. For example:
- In a value expression, ensure that the source variable is not null, undefined, or empty. For example, if you want a field called len to be assigned the length of a field called employeeID, but you're not sure whether employeeID exists, then instead of employeeID.length you can use a safer shorthand: (employeeID || '').length
- If a field does not exist (undefined) and you're doing a comparison with its properties, the boolean expression will always evaluate to false. For example, if employeeID is undefined, then both of these expressions, employeeID.length > 10 and employeeID.length < 10, will evaluate to false.
- == means equal to, while === means equal value and equal type. For example, 5 == 5 evaluates to true, while 5 === "5" evaluates to false.
- The ternary operator is a very powerful way to create conditional values. For example, if you wanted to assign either minor or adult to a field groupAge based on the value of age, you can do:
(age >= 18) ? 'adult' : 'minor'
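The null-safety and ternary tips above, worked through on sample events to show which events an unsafe length comparison silently skips. This is an added example, not code from the original page: the events are constructed, and the matches helper is a hypothetical stand-in that assumes an evaluation error is treated as false.

```javascript
// Constructed sample events using the page's field names.
const events = [
  { employeeID: 'E-0000012345', age: '34' }, // 12 chars; age arrives as a string
  { employeeID: 'E-77', age: 17 },
  { age: '18' },                             // employeeID is undefined
  { employeeID: '', age: null },             // empty ID, null age
];

// Hypothetical helper (an assumption, not the product's evaluator): a filter
// whose evaluation throws is treated as not matching, i.e. false.
function matches(filter, event) {
  try {
    return Boolean(filter(event));
  } catch (err) {
    return false;
  }
}

// The two unsafe comparisons from the page, plus the safe shorthand.
const filters = {
  longId: (e) => e.employeeID.length > 10,
  shortId: (e) => e.employeeID.length < 10,
  safeShortId: (e) => (e.employeeID || '').length < 10,
};

// Names of the filters each event satisfies.
function matchedFilters(event) {
  return Object.keys(filters).filter((name) => matches(filters[name], event));
}

// Value expressions: a null-safe length and the ternary from the page.
function enrich(event) {
  return {
    ...event,
    len: (event.employeeID || '').length,
    groupAge: (event.age >= 18) ? 'adult' : 'minor',
  };
}

// Events that neither unsafe filter selects: they fall through both branches.
function unrouted(evts) {
  return evts.filter((e) => !matches(filters.longId, e) && !matches(filters.shortId, e));
}

for (const e of events) {
  console.log(JSON.stringify(enrich(e)), '->', matchedFilters(e).join(',') || 'none');
}
```

A null or missing age compares as false against 18 and lands in minor, so test for the field's presence first when that distinction matters.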