The extend operator in APL allows you to create new calculated fields in your result set based on existing data. You can define expressions or functions to compute new values for each row, making extend particularly useful when you need to enrich your data without altering the original dataset. You typically use extend when you want to add additional fields to analyze trends, compare metrics, or generate new insights from your data.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk, the eval command is used to create new fields or modify existing ones. In APL, you can achieve this using the extend operator.

```sql Splunk example index=myindex | eval newField = duration * 1000 ``` 
['sample-http-logs']
| extend newField = req_duration_ms * 1000

In ANSI SQL, you typically use the SELECT clause with expressions to create new fields. In APL, extend is used instead to define these new computed fields.

```sql SQL example SELECT id, req_duration_ms, req_duration_ms * 1000 AS newField FROM logs; ``` 
['sample-http-logs']
| extend newField = req_duration_ms * 1000

Usage

Syntax

| extend NewField = Expression

Parameters

  • NewField: The name of the new field to be created.
  • Expression: The expression used to compute values for the new field. This can include mathematical operations, string manipulations, or functions.

Returns

The operator returns a copy of the original dataset with the following changes:

  • Field names noted by extend that already exist in the input are removed and appended as their new calculated values.
  • Field names noted by extend that don’t exist in the input are appended as their new calculated values.

Use case examples

In log analysis, you can use extend to compute the duration of each request in seconds from a millisecond value.

Query

['sample-http-logs'] 
| extend duration_sec = req_duration_ms / 1000

Run in Playground

Output

_time req_duration_ms id status uri method geo.city geo.country duration_sec
2024-10-17 09:00:01 300 1234 200 /home GET London UK 0.3

This query calculates the duration of HTTP requests in seconds by dividing the req_duration_ms field by 1000.

You can use extend to create a new field that categorizes the service type based on the service’s name.

Query

['otel-demo-traces'] 
| extend service_type = iff(['service.name'] in ('frontend', 'frontendproxy'), 'Web', 'Backend')

Run in Playground

Output

_time span_id trace_id service.name kind status_code service_type
2024-10-17 09:00:01 abc123 xyz789 frontend client 200 Web
2024-10-17 09:00:01 def456 uvw123 checkoutservice server 500 Backend

This query adds a new field service_type that categorizes the service into either Web or Backend based on the service.name field.

For security logs, you can use extend to categorize HTTP statuses as success or failure.

Query

['sample-http-logs'] 
| extend status_category = iff(status == '200', 'Success', 'Failure')

Run in Playground

Output

_time id status uri status_category
2024-10-17 09:00:01 1234 200 /home Success

This query creates a new field status_category that labels each HTTP request as either a Success or Failure based on the status code.
  • project: Use project to select specific fields or rename them. Unlike extend, it doesn’t add new fields.
  • summarize: Use summarize to aggregate data, which differs from extend that only adds new calculated fields without aggregation.

Good evening

I'm here to help you with the docs.

I
AIBased on your context