Skip to main content

replace

The replace operation replaces a single tag with a replacement subsequence of events, specified via a replace pattern. It must operate on an existing tag, which means a match or match split statement must come before the replace statement. How to assign event dimensions to the new subsequence can be specified using the dims clause.

Syntax

replace <old tag name> with <replace pattern> {dims
  <event dimension assignment 1>,
  <event dimension assignment 2>,
  ...}

<replace pattern> = <state 1> >> <state 2> >> ... OR null
<event dimension assignment> = <new tag name>.<event dimension name> =
  <expression using event dimensions on old tags>
<state> = {<new tag name>}({<event name> OR @<old tag name>}) OR
          <old tag name>
  • Replace pattern consists of elements, which can have exact quantifiers ({n}) and are separated by >>. Each element is one of the following:
    • Tag(new_event_name) - a new event with an optional tag name. If no event name is specified, it is set to NO_NAME.
    • Tag(@OldTag) - copy of events tagged as OldTag with an optional tag name.
    • OldTag - shorthand for OldTag(@OldTag) - commonly used to move existing events and their tag name.
  • Dimensions can be transferred between the tag being replaced and the new events using the dims clause, which is the same as the set operation but is performed during the replace operation and has access to the tags, which are being removed, on the right side of each assignment. For example: replace A with B(new_event) dims B.dim = A.dim.
  • ts dimension of newly created events are automatically set to the ts value of the first event in the replaced tag, unless it is explicitly assigned in the dims clause.
tip

To change one or a few dimensions on events, it is easier to use the set operation instead. For example:

  • rename events: set Tag.name = 'value'
  • move dimension from one event to another: set Tag1.dim = Tag2.dim

Examples

Remove events
replace Tag with null
Insert a new event
replace Tag with Tag >> (new_event)
Merge events
match A+
replace A with (new_single_event)
Reorder consecutive events
match event1 >> event2
replace MATCHED with event2 >> event1
Replace match with a single event
replace MATCHED with NewEvent(new_event)
Duplicate events
match Tag1(event1)
replace Tag1 with Tag1 >> Tag2(@Tag1)
Reduce sequence to matched events only
match event1 >> * >> event2 >> * >> event3
replace SEQ with event1 >> event2 >> event3
Keep last instance of a consecutive repeated event
match split A(event){2,}
replace A with A[-1]
combine