For an overview about the stats and charting functions, see Overview of SPL2 stats and chart functions.

dataset()

The dataset function aggregates events into arrays of SPL2 field-value objects. You can use this function in the SELECT clause in the from command and with the stats command. There are three supported syntaxes for the dataset() function:

- The first syntax returns all of the fields in the events that match your search criteria.
- The second syntax returns only the specified fields in each event that match your search criteria. The list of fields must be a comma-separated list.
- The third syntax removes the group by field from the arrays that are generated. Use it only with a BY clause, such as the GROUPBY clause in the from command or the BY clause with the stats command. You can return all of the fields in the events or only the specified fields that match your search criteria. When used with the GROUPBY clause, include the group by field in the SELECT clause.

Different output based on the BY clause used

When you specify a BY clause field, the results are organized by that field, and the values in the group by field are included in the array. However, the output you see depends on whether you use the GROUPBY clause with the from command or the BY clause with the stats command: the GROUPBY clause in the from command returns only one field that contains the arrays, unless you specifically add the group by field to the SELECT clause; the BY clause in the stats command returns two fields, one containing the values from the BY clause field and another containing the arrays. For an illustration of this behavior, see the examples below that include a BY clause.

Examples

1. Return all fields and values in a single array

You can create a dataset array from all of the fields and values in the search results. Use the dataset function to create an array from all of the fields and values using the following search:

list()

The list function returns a multivalue entry from the values in a field. The order of the values reflects the order of the events. You can use this function with the stats, streamstats, and timechart commands. If more than 100 values are in the field, only the first 100 are returned. This function processes field values as strings.

To illustrate what the list function does, let's start by generating a few simple results. Use the from and streamstats commands to generate a set of 11 results that are simply timestamps and a count of the results, which are used as row numbers.

Fields

Events and results flowing through the search pipeline exist as a collection of fields, which fundamentally come from the data. The fields contain value strings relevant to specific events in the data and can be used alongside search commands to filter data. Fields can come from the index or from a wide range of sources at search time, such as tags, regex extractions, and event types. Certain important fields are index, _time, host, source, and _raw. For a given event, a field name might be present or absent; if present, it might contain a single string value or multiple string values.

Null: A field that is not present on a particular result or event. Other events or results in the same search might have values for this field.
Empty value: A value that is the empty string, or "". You can also describe this as a zero-length string.
Empty field: A field that contains a single value that is the empty string.
Multivalue field: A field that has more than one value.

All non-null fields contain an ordered list of strings.
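The following Python model, added here as an illustration and not taken from the Splunk documentation or any Splunk code, makes the semantics described above concrete: the null / empty value / empty field / multivalue distinctions, what list() returns (event order preserved, values as strings, capped at 100), and the two output shapes dataset() produces depending on whether grouping comes from the from command's GROUPBY or the stats command's BY clause. The sample events, the output field name "dataset", the treatment of multivalue fields inside list() (each value contributed in order) and the handling of events that lack the by field are all modelling assumptions, not documented SPL2 behaviour.

```python
"""Model of SPL2 field semantics, list() and dataset() as described on this page.

Illustrative Python only (not Splunk code). Events are dicts: a field that is
absent from the dict is null; a present field holds a string or a list of strings.
"""

MAX_LIST_VALUES = 100  # list() returns only the first 100 values of a field

# Constructed sample results (hypothetical data, not from any real search).
EVENTS = [
    {"_time": "1", "host": "web01", "status": "200", "tag": ["web", "prod"]},  # tag is multivalue
    {"_time": "2", "host": "web02", "status": ""},                             # status is an empty field
    {"_time": "3", "host": "web01", "status": "500"},                          # tag is null here
]


def norm(value):
    """Every non-null field is an ordered list of strings; normalise to that shape."""
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def is_null(event, name):
    """Null: the field is not present on this event at all."""
    return name not in event


def is_empty_field(event, name):
    """Empty field: present, with exactly one value, and that value is the empty string."""
    return not is_null(event, name) and norm(event[name]) == [""]


def is_multivalue(event, name):
    """Multivalue field: present with more than one value."""
    return not is_null(event, name) and len(norm(event[name])) > 1


def list_fn(events, name):
    """list(<name>): values in event order, as strings, truncated to the first 100.

    Assumption: a multivalue field contributes each of its values, in order.
    Null fields contribute nothing.
    """
    values = []
    for event in events:
        if not is_null(event, name):
            values.extend(norm(event[name]))
    return values[:MAX_LIST_VALUES]


def row_numbers(n):
    """Mimic 'from ... | streamstats count': n results with a timestamp and a running count."""
    return [{"_time": str(1700000000 + i), "count": str(i + 1)} for i in range(n)]


def _object(event, fields=None, drop=None):
    """One field-value object for the array; null fields are simply absent from it."""
    names = fields if fields is not None else list(event)
    return {n: event[n] for n in names if n in event and n != drop}


def _groups(events, by):
    """Group events by the first value of the by field, preserving first-seen order.
    Assumption: events where the by field is null are left out of every group."""
    seen = {}
    for event in events:
        if not is_null(event, by):
            seen.setdefault(norm(event[by])[0], []).append(event)
    return list(seen.items())


def dataset_stats_by(events, by, fields=None, drop_by=False):
    """'| stats dataset(...) BY <by>': two output fields, the by value and the array.
    drop_by models the third syntax, which removes the by field from each object."""
    return [
        {by: key, "dataset": [_object(e, fields, by if drop_by else None) for e in group]}
        for key, group in _groups(events, by)
    ]


def dataset_from_groupby(events, by, fields=None, drop_by=False, select_by=False):
    """'from ... GROUP BY <by> SELECT dataset(...)': only the array field is returned,
    unless the by field is explicitly added to the SELECT clause (select_by=True)."""
    rows = []
    for key, group in _groups(events, by):
        row = {}
        if select_by:
            row[by] = key
        row["dataset"] = [_object(e, fields, by if drop_by else None) for e in group]
        rows.append(row)
    return rows


if __name__ == "__main__":
    print(list_fn(row_numbers(11), "count"))            # row numbers "1".."11"
    print(len(list_fn(row_numbers(150), "count")))      # capped at 100
    print(dataset_stats_by(EVENTS, "host"))             # host + dataset per group
    print(dataset_from_groupby(EVENTS, "host"))         # dataset only per group
```

The two dataset functions differ only in the shape of the row they emit, which is exactly the distinction the text draws: with stats you always get the by value as its own field, with from you get it only if you select it, while in both cases the by value also sits inside each array object unless the third syntax drops it.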