Adding Test Values (or Test Fields) to Existing Log Lines
Sometimes you want to test your query to make sure you are parsing (or aggregating or counting or joining or...) correctly. This query shows you the syntax to either seed existing fields with test values, or create new fields altogether.
_sourceCategory=Apache/Access
| limit 5
| "127.34.45.12" as Test_src_ip
| "404" as Test_status_code
| "/blog/index.php" as Test_url
Also, to specify which fields you want to include/exclude in your results, use the fields operator. For example, to include all fields, but exclude the original message, add:
| fields -_raw
* where _raw is the name of the field for the raw message.
To include only the url fields, add:
| fields url, Test_url
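An added example (not part of the original article) that carries the seeded values through a conditional and an aggregation, so the downstream logic can be checked against known inputs before it is pointed at real fields. The Test_class field name and the 400 threshold are assumptions chosen for illustration.

```sumo
_sourceCategory=Apache/Access
| limit 5
// Seed constructed test values on each of the 5 messages
| "127.34.45.12" as Test_src_ip
| "404" as Test_status_code
| "/blog/index.php" as Test_url
// Logic under test: classify the status code, then aggregate
// (Test_class is an assumed field name, not from the article)
| if(num(Test_status_code) >= 400, "error", "ok") as Test_class
| count by Test_src_ip, Test_url, Test_class
```

With at least five messages in the source category, the result is a single row with Test_class set to error and _count equal to 5; anything else points to a mistake in the conditional or the grouping.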