Field templates in expressions
A field template generates a field name by using a template. You can use field templates in expressions in the eval command.
When a field template is resolved, the expression is replaced by the string representation of the expression results.
For more information about expressions, see Types of expressions.
Syntax
The syntax for a field template starts with the dollar sign ( $ ) and uses curly braces ( { } ) to enclose the expression. Field templates must be enclosed in single quotation marks, such as '${expression}'.
If the expression contains a field name with special characters, that field name must be enclosed in single quotation marks. For example, if you use the field name désolé, in the field template you need quotations like this ...| eval '${'désolé'}' = 123.
Field template examples
Interpolating field names
Using a field template, you can add a field to your events where the field name is based on a value in your data.
The following search uses a field template '${city}' to interpolate the field name in the eval command:
SELECT * FROM [{city: "Seattle", Seattle: 123}] | eval '${city}' = 456Here's what's happening in this search.
In the FROM clause, the search uses the dataset literal [{city: "Seattle", Seattle: 123}], which is equivalent to these fields and values:
| city | Seattle |
|---|---|
| Seattle | 123 |
The eval command contains a field template expression '${city}' for the <field> argument portion of the eval command.
When the eval command is processed the field template '${city}' is resolved to Seattle. the value of the city field.
The eval command portion of the search becomes ...| eval Seattle = 456.
Since the Seattle field already exists in your data, the value in the field is overwritten.
The output looks like this:
| city | Seattle |
|---|---|
| Seattle | 456 |
Using multiple field templates in an expression
In this example, multiple field templates are used in the expression for the field name in an eval command.
Consider the following events, which are organized alphabetically by bridge name:
| city | country | length | name |
|---|---|---|---|
| Bristol | England | 1352 | Clifton Suspension Bridge |
| Venice | Italy | 36 | Bridge of Sighs |
| Singapore | Republic of Singapore | 918 | Helix Bridge |
| London | England | 1066 | Millennium Bridge |
| Shanghai | China | 27381 | Nanpu Bridge |
| Venice | Italy | unknown | Ponte della Paglia |
| Venice | Italy | 157 | Rialto Bridge |
| London | England | 801 | Tower Bridge |
eval command:
... | eval '${country}, ${city}' = name | sort countryThe values from the country and city fields combine to create new fields with the corresponding values for the bridge names. The results are sorted by the country field.
By default, the fields are arranged alphabetically with uppercase field names appearing before lowercase field names.
The results look like this:
| China, Shanghai | England, Bristol | England, London | Italy, Venice | Republic of Singapore, Singapore | city | country | length | name |
|---|---|---|---|---|---|---|---|---|
| Nanpu Bridge | Shanghai | China | 27381 | Nanpu Bridge | ||||
| Clifton Suspension Bridge | Bristol | England | 1352 | Clifton Suspension Bridge | ||||
| Millennium Bridge | London | England | 1066 | Millennium Bridge | ||||
| Tower Bridge | London | England | 801 | Tower Bridge | ||||
| Bridge of Sighs | Bridge of Sighs | Italy | 36 | Bridge of Sighs | ||||
| Ponte della Paglia | Venice | Italy | unknown | Ponte della Paglia | ||||
| Rialto Bridge | Venice | Italy | 157 | Rialto Bridge | ||||
| Helix Bridge | Singapore | Republic of Singapore | 918 | Helix Bridge |
Using a string in a field template
In this example, a string is concatenated to the field template.
The data consists of this information about precious metals:
| metal | price |
|---|---|
| gold | 1881.93 |
| silver | 24.26 |
The search looks like this:
... | eval 'value of ${metal}' = priceHere are the search results:
| metal | price | value of gold | value of silver |
|---|---|---|---|
| gold | 1881.93 | 1881.93 | |
| silver | 24.26 | 24.26 |
Combining field and string templates
You can use field templates and string templates in the same search.
Consider this data:
| park | type |
|---|---|
| Yellowstone | National |
| Palmetto | State |
Using a field template, the following search uses the values in the type field to generate the names of the fields in the search results. Using a string template, this search also uses the values in the type field as the values for the generated fields.
| SELECT * FROM [{type:"National", park:"Yellowstone"}, {type:"State", park:"Palmetto"}] | eval '${type} Park' = park + " ${type} Park"Here's what's happening in this search:
- The dataset literal in the FROM clause creates two fields,
typeandpark. - The
evalcommand uses a field template to generate the field names. The field template${type}includes the stringPark. - The values for the fields created by the
evalcommand are generated from three concatenated components:- The values in field name
park. - A string template, which uses the values in the
typefield. - The string
Park.
- The values in field name
| National Park | State Park | park | type |
|---|---|---|---|
| Yellowstone National Park | Yellowstone | National | |
| Palmetto State Park | Palmetto | State |