Project Operator

Overview

Choose which fields to return, while optionally renaming them and/or calculating new ones using project.

| project [<dest>=]<expression>[, ...]

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": "2023-09-16 05:45:34.863", "elb": "app/http-ingest-alb/71c6e92aca17df92", "clientIp": "192.168.11.34", "elbStatusCode": 200, "sentBytes": 329, "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"},
  {"type": "https", "p_event_time": "2023-09-16 05:59:04.058", "elb": "app/http-ingest-alb/71c6e92aca17df92", "clientIp": "192.168.1.1", "elbStatusCode": 403, "sentBytes": 167, "requestHttpVersion": "HTTP/1.1", "sslCipher": "TLS_AES_128_GCM_SHA256", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "elb": "app/http-ingest-alb/71c6e92aca17df92", "clientIp": "10.168.22.7", "elbStatusCode": 404, "sentBytes": 167, "requestHttpVersion": "HTTP/2.0", "sslCipher": "ECDHE-RSA-AES128-GCM-SHA256", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15"},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "elb": "app/http-ingest-alb/71c6e92aca17df92", "clientIp": "10.168.22.1", "elbStatusCode": 200, "sentBytes": 321, "requestHttpVersion": "HTTP/1.1", "sslCipher": "ECDHE-RSA-AES128-GCM-SHA256", "userAgent": "Opera/9.80 (X11; Linux i686; U; pl) Presto/2.6.30 Version/10.61"}
];

Return only certain fields

The query below returns only the p_event_timeand clientIp fields:

aws_alb
| project p_event_time, clientIp

EVENT

{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34" }

{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1" }

{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7" }

{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1" }

Rename fields

aws_alb
| project p_event_time, client=clientIp

EVENT

{ "p_event_time": "2023-09-16 05:45:34.863", "client": "192.168.11.34" }

{ "p_event_time": "2023-09-16 05:59:04.058", "client": "192.168.1.1" }

{ "p_event_time": "2023-09-16 05:36:09.017", "client": "10.168.22.7" }

{ "p_event_time": "2023-09-16 05:36:09.017", "client": "10.168.22.1" }

Calculate new fields

This functionality is similar to the extend operator.

aws_alb
| project p_event_time, client = clientIp,
          is_http_11 = requestHttpVersion == 'HTTP/1.1'

EVENT

{ "p_event_time": "2023-09-16 05:45:34.863", "client": "192.168.11.34", "is_http_11": true }

{ "p_event_time": "2023-09-16 05:59:04.058", "client": "192.168.1.1", "is_http_11": true }

{ "p_event_time": "2023-09-16 05:36:09.017", "client": "10.168.22.7", "is_http_11": false }

{ "p_event_time": "2023-09-16 05:36:09.017", "client": "10.168.22.1", "is_http_11": true }

PreviousLimit Operator NextRange Operator

Last updated 27 days ago

Was this helpful?