prev

Adds the values of specified fields from the previous record in the input data stream to the current record as fields with the prev_ prefix.

Command properties

| Item | Description |
| --- | --- |
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Not supported |

Syntax

prev FIELD, ...

Target

FIELD, ...
Names of the fields whose values from the previous record you want to reference. Separate multiple fields with commas (,). An output field with the prev_ prefix is created for each field.

Output fields

| Field | Type | Description |
| --- | --- | --- |
| prev_FIELD | Original type | The value of that field in the immediately preceding record. Null in the first record. |

Error codes

Parse errors

N/A

Runtime errors

N/A

Description

The prev command processes input records in order and, for each specified field, adds the value from the immediately preceding record as a new field with the prev_ prefix. For example, specifying prev count adds a prev_count field to the current record containing the count value from the preceding record. For the first record, there is no preceding record, so the prev_ field value is null.

Values are deep-copied, so mutable types such as Map, List, and Date can be safely referenced.
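The following Python model is an added illustration of the semantics described above, not the product's own code. It shows why the deep copy matters: when a later stage edits a prev_ List value in place, the preceding record stays intact. The `deep=False` mode, the `tags` field, and the handling of a field missing from the previous record are assumptions made for the example.

```python
import copy

def prev(records, fields, deep=True):
    """Model of the prev command: yield each record with prev_<field> added.

    deep=True follows the documented behaviour (values are deep-copied).
    deep=False is a hypothetical aliasing variant, shown only for contrast.
    """
    last = None  # there is no preceding record before the first one
    for rec in records:
        out = dict(rec)
        for f in fields:
            if last is None:
                out["prev_" + f] = None  # first record: null
            else:
                # Assumption: a field absent from the previous record yields null.
                v = last.get(f)
                out["prev_" + f] = copy.deepcopy(v) if deep else v
        last = rec
        yield out

def mutate_downstream(deep):
    # Constructed sample records; 'tags' is a mutable List value.
    records = [
        {"seq": 1, "src": "192.0.2.1", "tags": ["vpn"]},
        {"seq": 2, "src": "192.0.2.2", "tags": ["vpn", "admin"]},
    ]
    out = list(prev(records, ["src", "tags"], deep=deep))
    # A later pipeline stage edits prev_tags on record 2 in place.
    out[1]["prev_tags"].append("reviewed")
    return out

if __name__ == "__main__":
    for mode in (True, False):
        first = mutate_downstream(mode)[0]
        print("deep" if mode else "aliased", "-> record 1 tags:", first["tags"])
```
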

Examples

  1. Referencing the previous value of a single field

    json "[{'seq': 1, 'value': 10}, {'seq': 2, 'value': 20}, {'seq': 3, 'value': 30}]"
    | prev value
    

    A prev_value field is added to each record. The prev_value of the first record is null, the second is 10, and the third is 20.

  2. Calculating the difference from the previous value

    json "[{'seq': 1, 'value': 100}, {'seq': 2, 'value': 250}, {'seq': 3, 'value': 400}]"
    | prev value
    | eval diff = if(isnull(prev_value), 0, value - prev_value)
    

    Uses prev to get the previous value, then uses eval to calculate the difference between the current and previous values.

  3. Referencing the previous values of multiple fields

    json "[{'ts': '2025-01-01', 'src': '192.0.2.1', 'bytes': 1024}, {'ts': '2025-01-02', 'src': '192.0.2.2', 'bytes': 2048}]"
    | prev src, bytes
    

    Adds prev_src and prev_bytes fields to each record.