default() Query Function

Creates a field with the name given by the field parameter and sets its value to value. If the field already exists on an event, it keeps its existing value.


| Name | Type | Required | Default | Description |
|------|------|----------|---------|-------------|
| value | string | Yes | | The default value that will be assigned to field if not already set. |
| replaceEmpty | bool | No | false | If the field’s value is the empty string, override the value with the default. |
| field | string | Yes | | The field to set the default value for. |

value is the unnamed parameter.


Set the default value of the field minutes to 0 so it can be used in a calculation. If we did not do this, the event would be discarded during the eval step because eval requires all used fields to be present.

default(field=minutes, value=0)

You can use the field operator =~ and the unnamed parameter (value) to write the same thing as:

minutes =~ default(0)

By default, empty values are kept, because a field whose value is the empty string does still exist. Set replaceEmpty=true to replace empty values with the default as well.

default(field=message, value="N/A", replaceEmpty=true)
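
The following added example (a Python model of the behaviour described on this page, not LogScale's own code) runs both cases above over constructed events: the eval step that drops events lacking minutes, and the effect of replaceEmpty on absent versus empty fields. The field names hours and id, the function names, and all sample events are assumptions made for the illustration.

```python
# Added example: a model of the default() semantics described on this page,
# not LogScale's implementation. Events are dicts; all samples are constructed.

def apply_default(event, field, value, replace_empty=False):
    """Return a copy of event with field set to value when the field is
    absent, or when it is "" and replace_empty is true. Otherwise unchanged."""
    out = dict(event)
    if field not in out or (replace_empty and out[field] == ""):
        out[field] = str(value)
    return out

def eval_total(events):
    """Stand-in for an eval step computing total = hours*60 + minutes.
    Events missing a field used in the expression are discarded."""
    kept = []
    for ev in events:
        if "hours" not in ev or "minutes" not in ev:
            continue  # dropped: the calculation needs both fields
        total = int(ev["hours"]) * 60 + int(ev["minutes"])
        kept.append({**ev, "total": total})
    return kept

# Constructed events; "hours" and "id" are hypothetical field names.
DURATIONS = [
    {"id": "a", "hours": "1", "minutes": "30"},
    {"id": "b", "hours": "2"},                    # minutes absent
]
MESSAGES = [
    {"id": "c", "message": "login ok"},           # value present
    {"id": "d", "message": ""},                   # present but empty
    {"id": "e"},                                  # absent
]

def totals(use_default):
    evs = [apply_default(e, "minutes", 0) for e in DURATIONS] if use_default else DURATIONS
    return {e["id"]: e["total"] for e in eval_total(evs)}

def messages(replace_empty):
    return [apply_default(e, "message", "N/A", replace_empty)["message"] for e in MESSAGES]

if __name__ == "__main__":
    print("without default():", totals(False))
    print("with default():   ", totals(True))
    print("replaceEmpty=false:", messages(False))
    print("replaceEmpty=true: ", messages(True))
```

Without the default, event b disappears from the result with no error, which is the case to check for when a query feeds a report or an alert.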