Stats command usage

Using the from command instead

Most of the things you can do with the stats command are also possible using the from command. For example, if your search is

| stats count() BY host

the following searches return the same results:

| FROM <dataset> GROUP BY host SELECT count(), host
| SELECT count(), host FROM <dataset> GROUP BY host

For more information, see from command overview.

When you perform an aggregation over a multivalue field, each of the values in the field is included in the aggregation. For example, suppose the incoming result set has a fieldX column whose values are A or B, and a fieldY column in which some rows hold a single value and others hold several values. If you run

| stats count, count(fieldY), sum(fieldY) BY fieldX

the results are grouped first by fieldX. The count field contains a count of the rows that contain A or B. The count(fieldY) aggregation counts the rows in the fieldY column that contain a single value; where a row's fieldY is a multivalue field, it counts every value in that row rather than the row once. The sum(fieldY) aggregation adds up all of the values in both single-value and multivalue fields.

Grouping results

Group results by a timespan

To group search results by a timespan, use the span statistical function. The field you group on must be either the _time field or another field in UNIX time. In classic SPL the same grouping is done by binning the time field before the stats command, for example:

| bin _time span=5min | stats count(error) BY _time

When grouping by a multivalue field, the stats command produces one row for each value in the field. For example, if fieldC is a multivalue field and you specify it in the BY clause, such as

| stats sum(fieldA) BY fieldC

a row that has several fieldC values contributes its fieldA value to the sum for each of those values, so the same row can appear in more than one group.

Differences between SPL and SPL2

Command options must be specified before command arguments.

We presently have a setup where error codes are extracted and put into their own field. The way it's been set up is that we extract all instances where it matches a certain regex pattern (e.g. "ERROR-" -> ERROR-1234, ERROR-5869 etc.), meaning that as the error code is repeated in the event we get multiple instances of the same item in the field (e.g. "ErrorField" = ERROR-1234, ERROR-1234, ERROR-5869).

Doing 'stats count by ErrorField' seems to return all items, even the ones that are repeated, as we'd get ERROR-1234 = 700 on the stats count, but a simple search where ErrorField=ERROR-1234 returns say 300 events only.

I've tried to come up with a way to filter out the duplicates in the search but have so far come up short. My two possibles are creating a table of field instances and then using that to launch a second search, or performing a subsearch to capture the unique fields that are then used to count the events by field.

| replace ERROR-X-* with ERROR-X- in ErrorField
| where count > 200 AND ErrorField!="ERROR-X-"

In short, I've got a search that counts, then does a replace/where to weed out values that are below a certain threshold or don't match a certain criterion, then puts what remains in a table. It's the results from this table I want to use in the next search, to count the total events for each item in that table, but I have so far failed to be able to do this.

Is this possible to do, and is there a right way to do this, either continuing with the method above or using a subsearch? Alternatively, is it possible to remove duplicates in the original field extraction so this isn't necessary? That option may not be possible, though, as the field extraction isn't handled by ourselves and I can't say too much about it.
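The searches below are a worked example added here; they are not part of the Splunk documentation section and not code from the question or any answer to it. They tie the documentation's point about aggregating over a multivalue field to the inflated count the question describes. makeresults, streamstats and eval build three constructed events whose ErrorField is a multivalue field with repeated codes; the field name ErrorField and the codes ERROR-1234 and ERROR-5869 are taken from the question, and the three events are invented test data, not anything observed. The searches are classic SPL, the dialect used in the question, rather than SPL2.

```spl
| makeresults count=3
| streamstats count AS n
| eval ErrorField=split(case(n=1, "ERROR-1234;ERROR-1234;ERROR-5869",
                             n=2, "ERROR-1234",
                             n=3, "ERROR-5869;ERROR-5869"), ";")
| stats count AS events, count(ErrorField) AS code_values, dc(ErrorField) AS distinct_codes

| makeresults count=3
| streamstats count AS n
| eval ErrorField=split(case(n=1, "ERROR-1234;ERROR-1234;ERROR-5869",
                             n=2, "ERROR-1234",
                             n=3, "ERROR-5869;ERROR-5869"), ";")
| stats count BY ErrorField

| makeresults count=3
| streamstats count AS n
| eval ErrorField=split(case(n=1, "ERROR-1234;ERROR-1234;ERROR-5869",
                             n=2, "ERROR-1234",
                             n=3, "ERROR-5869;ERROR-5869"), ";")
| eval ErrorField=mvdedup(ErrorField)
| stats count BY ErrorField
| where count > 1
```

On these three constructed events the first search returns events=3, code_values=6 and distinct_codes=2: count counts rows, while count(ErrorField) counts every value inside the multivalue field, exactly as the documentation section describes. The second search returns 3 for ERROR-1234 and 3 for ERROR-5869 even though only two events carry each code. This is the inflated figure the question reports: stats produces one row per value of the BY field, and an event whose field holds the same value twice is counted twice under that value. The third search removes the duplicate values with mvdedup before the stats command and returns 2 for each code, which is the number of events that contain the code. That one eval can be placed in front of the question's existing stats, replace and where steps (the where count > 1 line here stands in for the question's count > 200 threshold), so neither a second search nor a subsearch is needed, and it works at search time without changing the field extraction that another team owns.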