as Search Operator

The as operator is typically used in conjunction with other operators, but it can also be used alone to rename fields or to create new constant fields.

Syntax

<ExistingFieldName> as <field>

<literal> as <field>

Rules

Fields with characters not in the a-zA-Z0-9_ character set or that begin with a number need to be escaped, see reference a field with special characters for details.

Examples

Rename a Field

When you rename a field, the original field still exists, but the new field is added.

To rename the existing field ip_addr as src_ip, use:

ip_addr as src_ip

So, the following full query:

_sourceCategory=Apache/Access
| parse "* - - " as ip_addr
| ip_addr as src_ip

Would provide results like:

Create a New Constant Field

In this example, you will seed an existing field (src_ip) with a new constant (127.10.10.1):

_sourceCategory=Apache/Access
| "127.10.10.1" as src_ip

This statement “hardcodes" the value of 127.10.10.1 to the variable src_ip, for all the messages returned, as shown:

In this example, you will create a new field (test_src_ip) and seed it with a constant (127.10.10.1):

_sourceCategory=Apache/Access
| parse "* - -" as src_ip
| "127.10.10.1" as test_src_ip

Which provides the following results:

Use As in Conjunction with Other Operators

The as operator is useful for testing, for example, when you want to create a few log lines and seed them with specific values, like the following query:

_sourceCategory=Apache/Access
| limit 5
| "127.10.10.1" as src_ip
| "404" as status_code
| "www.sumologic.com" as url

Which provides the following results:

In this next example, you will use as after a parse, to name the variable in the pattern "\* - - " as src_ip:

_sourceCategory=Apache/Access
| parse "* - - " as src_ip

In this example, you will use as to rename the _count field to errors.  

_sourceCategory=Apache/Access status_code=404
| count(status_code) as errors