evtctxdel
Deletes the event context identified by the specified topic and key when input data matches a condition expression.
Command properties
| Item | Description |
|---|---|
| Command type | Transforming |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
topic=STR- Event topic name. Specifies the topic of the event context to delete. Ignored when
dynamic=t. key=STR- Name of the field from which to extract the event context key value. Ignored when
dynamic=t. logtick=STR- Name of the external clock host field. When specified, the host name is extracted from that field in the input record, and the event clock advances based on the time in the
_timefield. dynamic=BOOL- When set to
t, thetopicandkeyvalues are taken from fields in the input record.
Target
EXPR- Condition expression for deleting an event context. The event context is deleted when the result of evaluating the expression is neither null nor false.
Input fields
When dynamic=t is not set:
| Field | Type | Required | Description |
|---|---|---|---|
Field specified in the key option | Any | Required | Event context key value. If null, the event context is not deleted. |
When dynamic=t is set:
| Field | Type | Required | Description |
|---|---|---|---|
topic | string | Required | Event topic name. If null or not a string, an error message is assigned to the _error field. |
key | Any | Required | Event context key value. If null, an error message is assigned to the _error field. |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 23400 | topic 옵션을 설정해주세요. | The topic option is missing when dynamic=t is not set |
| 23401 | key 옵션을 설정해주세요. | The key option is missing when dynamic=t is not set |
| 23402 | evtctxdel 명령어를 실행할 조건식을 지정하십시오. | The condition expression is not specified |
Runtime errors
N/A
Description
The evtctxdel command iterates over input records, and when each record matches the condition expression, it deletes the event context identified by the specified topic and key from the in-memory store. Use this command to explicitly remove event contexts created by the evtctxadd command when a specific condition is met.
When you use the dynamic=t option, the topic and key are taken dynamically from fields in the input record. In dynamic mode, if a required field is missing or its value is invalid, an error message is assigned to the _error field of that record, and the event context is not deleted.
Input records are passed to the next command regardless of whether an event context is deleted.
Examples
-
Delete a login failure event context on successful login
table duration=1h login_logs | evtctxdel topic=login_fail key=src_ip result == "success"Deletes the login failure event context for the corresponding
src_ipwhen a login succeeds. -
Delete an event context in dynamic mode
json "[{'topic': 'brute_force', 'key': '192.0.2.1', 'result': 'success'}]" | evtctxdel dynamic=t result == "success"Dynamically deletes event contexts using the
topicandkeyfield values from the input record.