Extend Operator
Overview
Add new calculated fields with extend.
Examples
Example data
Add a new field
The query below adds the field sentKB, which is calculated by dividing the value of sentBytes by 1024:
{ "p_event_time": "2023-09-16 05:59:04.058", "sentBytes": 167, "sentKB": 0.1630859375, "type": "https" }
{ "p_event_time": "2023-09-16 05:45:34.863", "sentBytes": 329, "sentKB": 0.3212890625, "type": "https" }
{ "p_event_time": "2023-09-16 05:36:09.017", "sentBytes": 167, "sentKB": 0.1630859375, "type": "https" }
{ "p_event_time": "2023-09-16 05:27:39.177", "sentBytes": 468992, "sentKB": 458, "type": "https" }
Add multiple new fields
The query below adds multiple fields, separated by commas:
{ "p_event_time": "2023-09-16 05:59:04.058", "sentBytes": 167, "sentKB": 0.1630859375, "sentMB": 0.0001592636108398438, "type": "https" }
{ "p_event_time": "2023-09-16 05:45:34.863", "sentBytes": 329, "sentKB": 0.3212890625, "sentMB": 0.0003137588500976562, "type": "https" }
{ "p_event_time": "2023-09-16 05:36:09.017", "sentBytes": 167, "sentKB": 0.1630859375, "sentMB": 0.0001592636108398438, "type": "https" }
{ "p_event_time": "2023-09-16 05:27:39.177", "sentBytes": 468992, "sentKB": 458, "sentMB": 0.447265625, "type": "https" }
Reference added fields in subsequent expressions
Added fields can be referenced in subsequent query expressions, for example in a where operator:
{ "p_event_time": "2023-09-16 05:27:39.177", "sentBytes": 468992, "sentKB": 458, "type": "https" }
Remove a field
Fields can also be removed using extend by setting them to null:
{ "p_event_time": "2023-09-16 05:59:04.058", "type": "https" }
{ "p_event_time": "2023-09-16 05:45:34.863", "type": "https" }
{ "p_event_time": "2023-09-16 05:36:09.017", "type": "https" }
{ "p_event_time": "2023-09-16 05:27:39.177", "type": "https" }
Last updated
Was this helpful?