For an overview about the stats and charting functions, see Overview of SPL2 stats and chart functions.

dataset()

The dataset function aggregates events into arrays of SPL2 field-value objects. You can use this function in the SELECT clause in the from command and with the stats command.

There are three supported syntaxes for the dataset() function:

The function syntax returns all of the fields in the events that match your search criteria.

The function syntax returns only the specified fields in each event that match your search criteria. The list of fields must be a comma-separated list.

This function syntax removes the group by field from the arrays that are generated. Use only with a BY clause, such as the GROUPBY clause in the from command or the BY clause with the stats command.

You can return all of the fields in the events or only the specified fields that match your search criteria. When used with the GROUPBY clause, include the group by field in the SELECT clause.

Different output based on the BY clause used

When you specify a BY clause field, the results are organized by that field. The values in the group by field are included in the array. However, the output you see depends on whether you use the GROUPBY clause with the from command or the BY clause with the stats command:

The GROUPBY clause in the from command returns only one field that contains the arrays, unless you specifically add the group by field to the SELECT clause.

The BY clause in the stats command returns two fields. One field contains the values from the BY clause field and another field contains the arrays.

For an illustration of this behavior, see the examples below that include a BY clause.

Examples

1. Return all fields and values in a single array

You can create a dataset array from all of the fields and values in the search results. Use the dataset function to create an array from all of the fields and values using the following search:

list()

The list function returns a multivalue entry from the values in a field. The order of the values reflects the order of the events. You can use this function with the stats, streamstats, and timechart commands. If more than 100 values are in the field, only the first 100 are returned. This function processes field values as strings.

To illustrate what the list function does, let's start by generating a few simple results. Use the from and streamstats commands to generate a set of 11 results that are simply timestamps and a count of the results, which are used as row numbers.

Multivalue eval functions

The following list contains the functions that you can use on multivalue fields or to return multivalue fields. You can also use the statistical eval functions, such as max, on multivalue fields. See Statistical eval functions. For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 eval functions.

mvappend()

This function returns a single multivalue result from a list of values. The values can be strings, multivalue fields, or single value fields. You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Examples

Specifying literals and field names

This example shows how to append the literal value localhost to the values in the srcip field. The results are placed in a new multivalue field called ipaddresses:

| eval ipaddresses=mvappend("localhost", srcip)

Nested mvappend functions