V1 - Data Extraction - coalesce

coalesce

• coalesce(v1,v2,v3 …)

Return the first argument that is a non-empty string value.

Example:

function countByEventType()
  search
  let event_type=f("@event_type"), eventType=f("@eventType"), size=f("__size__"), timestamp=f("@timestamp")
  timechart {span="1h", limit=10} totalSize=sum(size) by eventType = coalesce(event_type, eventType)
end

env from="-48h<h", to="-1h>h"
stream countByEventType()