choose - Keep a subset of keypaths
The choose keyword will remove all keypaths that are not specified. This is a powerful way of extracting only the values needed from a larger log document.
Note
The choose keyword also supports nested key paths in the output. See examples.
Syntax
Example - Extracting only key data from HTTP Access Logs
Consider the following document:
status_code: 200,
user: "Chris",
path: "/home",
x-forwarded-for-header: "",
user_agent: "Mozilla...."
For the purposes of our analysis, we only care about path and status code. We can use the choose keyword to extract only these two values:
This results in a document that looks like this:
Example - Extracting and flattening values from a complex log document
Some log documents are extremely complex and nested, and it can be challenging to work with them. While using the choose function to pull values out of these documents, we can also alias them to simpler keypaths:
This results in a document with a single value, bytes_received without the complex nested structure. This will make subsequent queries much simpler.
Example - Adding a constant value while extracting values
Sometimes it's important to add some constant value to a document, for example your username, if you're generating a report. This can also be done using the choose command:
choose http_request.metrics.bytes_metrics.bytes_received as bytes_received, 'Chris' as report_author
This will result in a document that looks like this:
Example - Performing a calculation on the fly
The choose command is also good for producing new values on the fly. Consider the following documents:
{
"response_bytes": 4065849304
},
{
"response_bytes": 5573222
},
{
"response_bytes": 990045767
},
{
"response_bytes": 1287340
}
We can use the choose command to extract converted values for the response_bytes fields in an incredibly expressive way:
This will result in the following documents: