Project Operator

Overview

Use project to choose which fields to return, optionally renaming them and/or calculating new ones.

| project [<dest>=]<expression>[, ...]

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": "2023-09-16 05:45:34.863", "elb": "app/http-ingest-alb/71c6e92aca17df92", "clientIp": "192.168.11.34", "elbStatusCode": 200, "sentBytes": 329, "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"},
  {"type": "https", "p_event_time": "2023-09-16 05:59:04.058", "elb": "app/http-ingest-alb/71c6e92aca17df92", "clientIp": "192.168.1.1", "elbStatusCode": 403, "sentBytes": 167, "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "elb": "app/http-ingest-alb/71c6e92aca17df92", "clientIp": "10.168.22.7", "elbStatusCode": 404, "sentBytes": 167, "requestHttpVersion": "HTTP/2.0", "sslCipher": "ECDHE-RSA-AES128-GCM-SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15"},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "elb": "app/http-ingest-alb/71c6e92aca17df92", "clientIp": "10.168.22.1", "elbStatusCode": 200, "sentBytes": 321, "requestHttpVersion": "HTTP/1.1", "sslCipher": "ECDHE-RSA-AES128-GCM-SHA256", "userAgent": "Opera/9.80 (X11; Linux i686; U; pl) Presto/2.6.30 Version/10.61"}
];

Return only certain fields

The query below returns only the p_event_time and clientIp fields:

aws_alb
| project p_event_time, clientIp

| clientIp | p_event_time |
| --- | --- |
| 192.168.11.34 | 2023-09-16 05:45:34.863 |
| 192.168.1.1 | 2023-09-16 05:59:04.058 |
| 10.168.22.7 | 2023-09-16 05:36:09.017 |
| 10.168.22.1 | 2023-09-16 05:36:09.017 |

Rename fields

aws_alb
| project p_event_time, client=clientIp

| client | p_event_time |
| --- | --- |
| 192.168.11.34 | 2023-09-16 05:45:34.863 |
| 192.168.1.1 | 2023-09-16 05:59:04.058 |
| 10.168.22.7 | 2023-09-16 05:36:09.017 |
| 10.168.22.1 | 2023-09-16 05:36:09.017 |

Calculate new fields

This functionality is similar to the extend operator.

aws_alb
| project p_event_time, client = clientIp,
          is_http_11 = requestHttpVersion == 'HTTP/1.1'

| client | is_http_11 | p_event_time |
| --- | --- | --- |
| 192.168.11.34 | true | 2023-09-16 05:45:34.863 |
| 192.168.1.1 | true | 2023-09-16 05:59:04.058 |
| 10.168.22.7 | false | 2023-09-16 05:36:09.017 |
| 10.168.22.1 | true | 2023-09-16 05:36:09.017 |
