Calculated Fields

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Overview

Use calculated fields to transform and enrich your log data at query time. Define formulas to:

Once defined, a calculated field can be used like any log attribute for search, aggregation, visualization, and even defining other calculated fields.

Notes:

  • You can define up to five calculated fields at a time.
  • Calculated fields are temporary and do not persist beyond a given Log Explorer session. If a calculated field may be repeatedly useful, update your log pipelines to encode the information in your logs when they are ingested and processed.

Create a calculated field

There are two entry points for creating a calculated field in the Log Explorer: from the Add menu or from within a specific log event or attribute.

Choose a starting point for your calculated field

From the Add menu

  1. Navigate to Log Explorer.
  2. Click the Add button next to the search bar.
  3. Select Calculated field.

This is a quick way to create a calculated field when you are already familiar with the structure and content of the logs you are interested in.

From a specific log event or attribute

  1. Navigate to Log Explorer.
  2. Click on a log event of interest to open the side panel.
  3. Click on a specific JSON attribute to open the context menu.
  4. Select Create calculated from….
The log panel duration attribute with the option to create a calculated field for it

This approach allows you to adapt quickly during an investigation or explore unfamiliar logs. For example, you may want to multiply or concatenate two values and store the result in a single field to simplify a graph or answer a specific question.

Define a calculated field

A calculated field for throughput, with a formula that divides the network.bytes attribute by the duration attribute

Name

Set a descriptive name that clearly indicates the purpose of the calculated field. For example, if the goal is to capitalize users’ first and last names and concatenate them into one field, you might use the name formatted_name for the calculated field. To subsequently filter logs from a user named Bob Smith, update your query to include #formatted_name:"Bob Smith".

Note: You must use the # prefix to refer to calculated fields in searches, aggregation, or other calculated field definitions.

Formula

The formula (or expression) determines the result to be computed and stored as the value of the calculated field for each log event. Valid constructs include log attributes, other calculated fields, and a set of supported functions and operators. Relevant fields, functions, and operators are automatically suggested as you write or edit the formula.

See Calculated Fields Expression Language for the available functions and operators.

Use a calculated field

After successful creation of a calculated field, the Log Explorer updates to:

  • Display active calculated fields in a new row directly under the search bar.
    • Hover over a field to view its definition, and use quick actions to edit, filter by, or group by the field.
  • Include a column for the calculated field in the List visualization. The title includes the # prefix.
  • Show calculated fields in a separate section inside the log side panel.

Calculated fields function like log attributes and can be used for search, aggregation, visualization, and defining other calculated fields. Remember to use the # prefix when referencing calculated field names.

A calculated field called request_duration used to filter results in the Log Explorer

Use cases

Calculated fields are not a replacement for log pipelines and processors for ingest-time parsing, normalization, and enrichment of logs. Use calculated fields in the following scenarios:

  • You need to perform a one-off investigation or ad-hoc analysis which requires a field that you don’t need to reuse in the long-term.
  • You need to retroactively update indexed logs to answer a certain question (pipelines changes only apply to logs ingested after a pipeline update).
  • You lack the permission (or knowledge) to modify log pipelines in a timely manner.
    • The calculated fields you create are visible only to you, which makes them ideal for quick exploration and worry-free experimentation.

If you realize that a calculated field may be valuable in the long-term, update your log pipelines so you and the rest of your team can benefit from automated processing.

Further reading

Documentation, liens et articles supplémentaires utiles: