Expressions are valid units of code that resolve to a value. Every syntactically valid expression resolves to some value, but conceptually there are two types of expressions: those that assign a value to a variable (i.e., with side effects) and those that simply evaluate to a value. For example:
x = 42
newFoo = foo.slice(30)
(Math.random() * 42)
3 + 4
Filters are used in Routes to select a stream of the data flow, and in Functions to scope or narrow down the applicability of a Function. They are expressions that must evaluate to either true (or truthy) or false (or falsy). Keep this in mind when creating Routes or Functions: a Filter that returns a non-boolean value, such as a non-empty string, is treated as a match. For example:
sourcetype=='access_combined' && host.startsWith('web')
source.endsWith('.log') || sourcetype=='aws:cloudwatchlogs:vpcflow'
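The following is an added example, not code from the original page: it runs the two Filter expressions above against a handful of constructed events and shows two things a practitioner trips over, a method call on a field that is missing from some events, and a Filter that is merely truthy. The sample events, the field set, and the toFilter()/applyFilter() helpers are assumptions made for illustration; in particular, treating an expression that throws as a non-match is this example's choice, not a statement about the product.

```javascript
// Added example (not code from the original page): evaluating Filter
// expressions against constructed sample events. The events, field values
// and the toFilter()/applyFilter() helpers are assumptions for illustration.

// Constructed sample events using the field names from the Filter examples.
// Event 3 deliberately has no `host` field.
const SAMPLE_EVENTS = [
  { sourcetype: 'access_combined', host: 'web01', source: '/var/log/httpd/access.log' },
  { sourcetype: 'access_combined', host: 'db01', source: '/var/log/httpd/access.log' },
  { sourcetype: 'aws:cloudwatchlogs:vpcflow', host: 'vpc-flow', source: 'flowlogs' },
  { sourcetype: 'syslog', source: '/var/log/messages' },
];

// Field names made available to the expression as plain identifiers.
const FIELDS = ['sourcetype', 'host', 'source'];

// Compile a Filter expression string into a predicate. The event is bound to
// `__e` and each field to an identifier of the same name, so the expression
// can be written exactly as it appears on the page.
function toFilter(expr) {
  const body = new Function('__e', ...FIELDS, `return (${expr});`);
  return (event) => {
    let result;
    try {
      result = body(event, ...FIELDS.map((f) => event[f]));
    } catch (err) {
      // Assumption of this example: an expression that throws (e.g. calling
      // .startsWith() on an undefined field) is treated as a non-match.
      return false;
    }
    // Truthy/falsy coercion: a non-empty string or non-zero number matches.
    return Boolean(result);
  };
}

// Return the indices of the events that pass the Filter.
function applyFilter(expr, events = SAMPLE_EVENTS) {
  const passes = toFilter(expr);
  return events.flatMap((event, i) => (passes(event) ? [i] : []));
}

// The two Filters from the page: only the web access log passes the first;
// both access logs plus the VPC flow log pass the second.
const webAccess = applyFilter("sourcetype=='access_combined' && host.startsWith('web')");
const logsOrVpc = applyFilter("source.endsWith('.log') || sourcetype=='aws:cloudwatchlogs:vpcflow'");

// Pitfall 1: an unguarded method call on a possibly-missing field. Event 3
// has no host, so the expression throws there; guard with (host || '').
const unguarded = applyFilter("host.startsWith('web')");
const guarded = applyFilter("(host || '').startsWith('web')");

// Pitfall 2: a Filter that is merely truthy. Every event has a non-empty
// sourcetype, so this "Filter" passes everything.
const truthyOnly = applyFilter("sourcetype");

console.log({ webAccess, logsOrVpc, unguarded, guarded, truthyOnly });
```

Note that in the first Filter the `&&` short-circuits before `host.startsWith` runs on the host-less syslog event, which is why it does not need the guard; the unguarded standalone `host.startsWith('web')` does.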
Value expressions are typically used in Functions to assign a value, for example, to a new field. Keep the following in mind:
- In a value expression, ensure that the source variable is not null, undefined or empty. For example, if you want a field called len to be assigned the length of a field called employeeID, but you're not sure whether employeeID exists, then instead of employeeID.length you can use the safer shorthand (employeeID || '').length.
- If a field does not exist (is undefined) and you compare one of its properties, the boolean expression will always evaluate to false. For example, if employeeID is undefined, then both employeeID.length > 10 and employeeID.length < 10 evaluate to false. A consequence is that such a comparison cannot distinguish a missing field from one that fails the test; check for existence explicitly (e.g., employeeID !== undefined) when that distinction matters.
- == means equal value after type coercion, while === means equal value and equal type. For example, 5 == 5 and 5 == "5" both evaluate to true, while 5 === "5" evaluates to false. Fields extracted from text are frequently strings, so prefer === whenever the type matters.
- The ternary operator is a very powerful way to create conditional values. For example, to assign either adult or minor to a field groupAge based on the value of age, you can use:
(age >= 18) ? 'adult' : 'minor'
If there are fields whose names start with non-alphanumeric characters, e.g., @timestamp, they can be accessed in expressions using __e['<field-name-here>'], where __e refers to the event. Anywhere else the field is referenced (e.g., in the Eval Function's field-name column), a single-quoted literal '<field-name-here>' should be used.
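The following is an added example, not code from the original page: it applies the value-expression guidance above (safe length, comparisons against a missing field, == versus ===, the ternary) and the bracket access for @timestamp to two constructed events, one complete and one missing fields. The events and the deriveFields() helper are assumptions for illustration. One difference from the page is made explicit in the code: in plain JavaScript, employeeID.length throws when employeeID is undefined, so the example guards the access with && so that it runs in Node; the resulting comparisons are then both false, as the page describes.

```javascript
// Added example (not code from the original page): value expressions applied
// to constructed events, covering the four points above plus bracket access
// for a field name that starts with a non-alphanumeric character. The events
// and the deriveFields() helper are assumptions for illustration.

// Constructed events. `age` arrives as a string, as extracted fields often do;
// the second event is missing both employeeID and age.
const COMPLETE_EVENT = {
  employeeID: 'E-000123456',
  age: '17',
  '@timestamp': '2024-03-01T12:00:00Z',
};
const SPARSE_EVENT = { '@timestamp': '2024-03-01T12:00:05Z' };

// Compute new fields from an event the way an Eval-style Function would.
// The parameter is named __e to match how the page refers to the event.
function deriveFields(__e) {
  const employeeID = __e.employeeID;
  const age = __e.age;

  // Comparing a property of a missing field: in plain JS, employeeID.length
  // would throw when employeeID is undefined, so the access is guarded with
  // &&. idLength is then undefined, and both comparisons below are false.
  const idLength = employeeID && employeeID.length;

  return {
    // Safe length: undefined, null and '' all fall back to '' -> 0.
    len: (employeeID || '').length,
    longID: idLength > 10,   // false when employeeID is missing
    shortID: idLength < 10,  // also false, so "missing" is indistinguishable here
    hasID: employeeID !== undefined, // explicit existence check when it matters

    // == coerces type, === does not: '17' == 17 is true, '17' === 17 is false.
    looseEq17: age == 17,
    strictEq17: age === 17,

    // Ternary with coercion: '17' >= 18 compares 17 >= 18. Note that a missing
    // age also compares false and silently lands in 'minor'.
    groupAge: (age >= 18) ? 'adult' : 'minor',

    // A field whose name starts with '@' cannot be a bare identifier, so it is
    // read with bracket notation, as __e['@timestamp'] on the page.
    ts: __e['@timestamp'],
  };
}

console.log(deriveFields(COMPLETE_EVENT));
console.log(deriveFields(SPARSE_EVENT));
```

The sparse event is the one to study: every derived boolean is false and groupAge is 'minor', none of which tells you that the inputs were missing. The hasID field shows the explicit check to add when that matters.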
Wildcard Lists, as their name implies, accept strings with asterisks (*) to represent one or more terms. They also accept strings that start with an exclamation mark (!) to negate one or more terms.
Wildcard Lists are order sensitive only when negated terms are used. This allows for implementing any combination of whitelists and blacklists. For example:
- All terms that start with foo except foobar.
- All terms except for those that start with foo.
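The following is an added example, not code from the original page and not a description of the product's implementation: a small Wildcard List matcher that models the ordering rule above as "the first matching term decides", and writes the two examples above as lists under that model. That semantics, the helper names, and the sample values are assumptions made for this example; the page itself only describes the two lists in words.

```javascript
// Added example (not code from the original page): a Wildcard List matcher
// that models the ordering rule above as "the first matching term decides".
// That semantics, the helper names and the sample lists are assumptions made
// for this example, not a description of the product's implementation.

// Turn one term into an anchored RegExp: '*' matches any run of characters,
// every other regex metacharacter in the term is matched literally.
function termToRegExp(term) {
  const escaped = term
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Compile a Wildcard List (array of terms, '!' prefix = negated) into a
// predicate. Terms are tried in order; the first one that matches decides,
// so order only matters once a negated term is present. A value that matches
// no term is rejected, which is why a list of pure negations needs a trailing
// '*' to admit everything else.
function compileWildcardList(terms) {
  const rules = terms.map((raw) => {
    const negated = raw.startsWith('!');
    return { negated, re: termToRegExp(negated ? raw.slice(1) : raw) };
  });
  return (value) => {
    for (const rule of rules) {
      if (rule.re.test(value)) return !rule.negated;
    }
    return false;
  };
}

// Return the subset of values admitted by the list, preserving input order.
function filterByWildcardList(terms, values) {
  const admits = compileWildcardList(terms);
  return values.filter(admits);
}

// Constructed sample values.
const VALUES = ['foo', 'foobar', 'food', 'bar', 'baz'];

// The two examples from the page, expressed as lists under this model.
const fooExceptFoobar = filterByWildcardList(['!foobar', 'foo*'], VALUES); // whitelist with one exclusion
const allExceptFoo = filterByWildcardList(['!foo*', '*'], VALUES);         // blacklist with a catch-all

// Order sensitivity: without negation the order is irrelevant...
const ab = filterByWildcardList(['foo*', 'ba*'], VALUES);
const ba = filterByWildcardList(['ba*', 'foo*'], VALUES);
// ...but with a negated term, putting 'foo*' first lets foobar through.
const negationLast = filterByWildcardList(['foo*', '!foobar'], VALUES);

console.log({ fooExceptFoobar, allExceptFoo, ab, ba, negationLast });
```

The negationLast result is the case to remember: the same two terms in the other order admit foobar, which is exactly the order sensitivity the text warns about. Put exclusions before the broader term they are meant to carve out of.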