Splunk transaction examples
8/4/2023

Fields

Events and results flowing through the search pipeline exist as a collection of fields, which fundamentally come from the data. The fields contain string values relevant to specific events in the data and can be used alongside search commands to filter data. Fields can come from the index or from a wide range of sources at search time, such as tags, regex extractions, event types, etc. Certain important fields are index, _time, host, source, and _raw. For a given event, a field name might be present or absent; if present, it might contain a single string value or multiple string values.

Null: A field that is not present on a particular result or event. Other events or results in the same search might have values for this field.
Empty field: A field that contains a single value that is the empty string.
Empty value: A value that is the empty string, or "". You can also describe this as a zero-length string.
Multivalue field: A field that has more than one value. All non-null fields contain an ordered list of strings. The common case is that this is a list of one value. When the list contains more than one entry, it is a multivalue field.

Search commands

eval: Calculates an expression, see examples below
dedup: Removes duplicate results that match a certain criteria
lookup: Adds field values from an external source such as a lookup table
fields: Removes fields from search results; can specify which fields we want
chart / timechart: Returns results in a tabular format, such as a time chart or bar chart
rename: Renames a field; use wildcards for multiple fields
search: Filters results to those that match the search expression
rex: Specifies a regular expression with named groups to extract fields from results
sort: Sorts the results by the specified field
stats: Provides statistics, can be grouped by fields
top / rare: Displays the most/least common values in a field
where: Filters search results using eval expressions. See examples below
table: Specifies fields to keep in the result set and retains data in a tabular format. Can be useful for grouping

Eval functions

case(X,"Y",...): Consumes pairs of arguments X and Y, where the X arguments are Boolean expressions. The first X that evaluates to TRUE returns the corresponding Y argument.
exact(X): Evaluates an expression X using double precision floating point arithmetic
if(X,Y,Z): If X evaluates to TRUE, the result is the second argument Y. If X evaluates to FALSE, the result is the third argument Z
log(X,Y): Takes the log of X using the base Y
match(X,Y): Returns whether X matches the regex pattern Y
md5(X): Returns the MD5 hash of a string value X. MD5 is not collision resistant, so use it for deduplication or join keys, not for integrity or identity claims
now(): Returns the current time, represented in Unix time
random(): Returns a pseudo-random number from 0 to 2147483647; it is not suitable for generating secrets or tokens
replace(X,Y,Z): Returns a string formed by substituting string Z for every occurrence of regex string Y in string X
round(X,Y): Returns X rounded to the number of decimal places specified by Y
split(X,"Y"): Returns X as a multivalue field, split by delimiter Y
time(): Returns the wall-clock time with microsecond resolution
tonumber(X,Y): Converts input string X to a number, where Y (optional, defaults to 10) defines the base of the number to convert
tostring(X,Y): If the value of X is a number, it reformats it as a string. If X is a Boolean value, reformats it to "True" or "False". If X is a number, the second argument Y is optional and can be "hex", "commas", or "duration"
typeof(X): Returns a string representation of the field type

Stats functions

count(X): Returns the number of occurrences of the field X
dc(X): Returns the count of distinct values in X
max(X): Returns the maximum value of X; if the values of X are non-numeric, the max is found from alphabetical ordering
min(X): Returns the minimum value of X; if the values of X are non-numeric, the min is found from alphabetical ordering
mode(X): Returns the most frequent value of field X
perc<X>(Y): Returns the X-th percentile value of the field Y
range(X): Returns the difference between the max and min values of the field X
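The eval function descriptions above gloss over the edge cases that matter when an eval feeds a detection, so here are added Python re-implementations of them (example code written for this page, not Splunk's own code). They show what a null field does to each function: tonumber() yields null rather than an error on unparseable input, typeof() of a null field is "Invalid", tostring() propagates null, and case() returns null when no condition holds. The rounding mode (half away from zero), the day-less duration format, and the classify_login() helper with its thresholds and inputs are assumptions made for the example.

```python
import hashlib
import math
import re
from decimal import Decimal, ROUND_HALF_UP

# Python None plays the role of a null Splunk field throughout. Illustrative re-implementations, not Splunk code.

def typeof(x):
    """typeof(X): "Number", "String", "Boolean", or "Invalid" for a null field."""
    if x is None:
        return "Invalid"
    if isinstance(x, bool):
        return "Boolean"
    return "Number" if isinstance(x, (int, float)) else "String"

def tonumber(x, base=10):
    """tonumber(X, Y): parse X in base Y (default 10); input that does not parse yields null, not an error."""
    try:
        s = str(x).strip()
        return float(s) if base == 10 and "." in s else int(s, base)
    except (TypeError, ValueError):
        return None

def tostring(x, fmt=None):
    """tostring(X, Y): booleans become "True"/"False"; numbers take "hex", "commas" or "duration" (HH:MM:SS)."""
    if x is None:
        return None
    if isinstance(x, bool):
        return "True" if x else "False"
    if isinstance(x, (int, float)):
        if fmt == "hex":
            return hex(int(x))
        if fmt == "commas":
            return f"{x:,}"
        if fmt == "duration":  # assumption: spans under a day, so no day prefix
            s = int(x)
            return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"
    return str(x)

def round_(x, places=0):
    """round(X, Y): rounds half away from zero (assumed here; Python's built-in round() is banker's rounding)."""
    q = Decimal(1).scaleb(-places)
    r = Decimal(str(x)).quantize(q, rounding=ROUND_HALF_UP)
    return int(r) if places == 0 else float(r)

def replace(x, pattern, repl):
    """replace(X, Y, Z): every match of regex Y in X is replaced by Z (Z may use backreferences)."""
    return re.sub(pattern, repl, x)

def match(x, pattern):
    """match(X, Y): true if regex Y matches anywhere in X."""
    return re.search(pattern, x) is not None

def md5(x):
    """md5(X): hex digest of string X; fine as a join or dedup key, not as an integrity check."""
    return hashlib.md5(x.encode()).hexdigest()

def log(x, base=10):
    """log(X, Y): logarithm of X in base Y (default 10)."""
    return math.log(x, base)

def case(*pairs):
    """case(X, "Y", ...): value paired with the first true condition; null if none is true."""
    for cond, val in zip(pairs[::2], pairs[1::2]):
        if cond:
            return val
    return None

def if_(cond, y, z):
    """if(X, Y, Z): Y when X is true, otherwise Z."""
    return y if cond else z

def split(x, delim):
    """split(X, "Y"): X as a multivalue field (a Python list) split on delimiter Y."""
    return x.split(delim)

def classify_login(raw_port, failures, user):
    """Constructed use: eval port=tonumber(port) | eval risk=case(...) | eval admin=tostring(match(...)) ..."""
    port = tonumber(raw_port)
    return {
        "port_type": typeof(port),
        "port_hex": tostring(port, "hex"),
        "risk": case(failures >= 10, "high", failures >= 3, "medium", True, "low"),
        "admin": tostring(match(user, r"^(root|admin)$")),
        "user_hash": md5(user),
        "lockout": tostring(round_(failures * 37.5), "duration"),
        "masked_user": replace(user, r"(?<=.).", "*"),
    }
```

The rounding point is the one most likely to bite: a threshold written as round(score) behaves differently if the implementation rounds ties to even, so check which rule your platform uses before comparing rounded values to a cut-off.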
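To make the field definitions, the search commands and the stats functions above concrete, here is an added Python model of a small search pipeline over a constructed SSH auth log. It is example code written for this page, not Splunk's implementation; the event lines, the extraction regex, the field names (action, user, src, port, tags) and the helper names (rex, where, eval_field, dedup, stats, STATS, failed_logins_by_source, field_semantics) are all assumptions. It reproduces the behaviour that trips up detections: a field absent from an event is null, so count(src) skips it, dedup drops it by default, and stats ... by src leaves it out of every group; a multivalue field contributes each of its entries; and min/max over non-numeric values fall back to alphabetical order, so "web10" sorts before "web9".

```python
import math
import re
from collections import Counter

# Constructed sample events (not from the page); an absent key is a null field, "" would be empty, a list is multivalue.
EVENTS = [
    {"_time": 1691107200, "host": "web01", "_raw": "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"},
    {"_time": 1691107201, "host": "web01", "_raw": "Failed password for root from 203.0.113.7 port 51235 ssh2"},
    {"_time": 1691107205, "host": "web02", "_raw": "Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2"},
    {"_time": 1691107209, "host": "web01", "_raw": "Failed password for root from 203.0.113.7 port 51236 ssh2"},
    {"_time": 1691107220, "host": "web02", "_raw": "session opened for user deploy", "tags": ["ssh", "session"]},
]
AUTH_RX = re.compile(r"(?P<action>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")

def rex(events, rx):
    """rex: named groups become fields; an event that does not match keeps those fields null."""
    return [{**ev, **(m.groupdict() if (m := rx.search(ev["_raw"])) else {})} for ev in events]

def eval_field(events, name, expr):
    """eval name=expr: expr is a callable over the event; returning None leaves the field null."""
    return [{**ev, name: val} if (val := expr(ev)) is not None else ev for ev in events]

def where(events, pred):
    """where: keep events for which the eval-style predicate is true; a comparison against a null field is false."""
    return [ev for ev in events if pred(ev)]

def dedup(events, *fields, keepempty=False):
    """dedup: first event per distinct field combination; like Splunk's default keepempty=false, events with a null field are dropped."""
    seen, out = set(), []
    for ev in events:
        if any(ev.get(f) is None for f in fields):
            if keepempty:
                out.append(ev)
            continue
        key = tuple(str(ev[f]) for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out

def _values(events, field):
    """Non-null values of a field; a multivalue field contributes each of its entries."""
    return [x for ev in events for x in (ev[field] if isinstance(ev.get(field), list) else [ev.get(field)])
            if x is not None]

def _ordered(vals):
    """Numbers compare numerically; if any value is non-numeric, min/max fall back to alphabetical order."""
    try:
        return [float(v) for v in vals]
    except (TypeError, ValueError):
        return [str(v) for v in vals]

def _perc(p, vals):
    """percX(Y): nearest-rank percentile, so perc50 of three values is the middle one."""
    s = sorted(_ordered(vals))
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]

STATS = {
    "count": len,
    "dc": lambda vals: len(set(vals)),
    "max": lambda vals: max(_ordered(vals)),
    "min": lambda vals: min(_ordered(vals)),
    "mode": lambda vals: Counter(vals).most_common(1)[0][0],
    "range": lambda vals: max(_ordered(vals)) - min(_ordered(vals)),
}

def stats(events, aggs, by=None):
    """stats: aggs are (function, field, alias) triples. count(X) counts only events where X is non-null,
    and, as in Splunk, events where the by-field is null fall out of the grouping entirely."""
    groups = {}
    for ev in events:
        if not by or ev.get(by) is not None:
            groups.setdefault(ev.get(by), []).append(ev)
    rows = []
    for key, evs in groups.items():
        row = {by: key} if by else {}
        for func, field, alias in aggs:
            vals = _values(evs, field)
            if not vals:
                row[alias] = 0 if func == "count" else None
            elif func.startswith("perc"):
                row[alias] = _perc(int(func[4:]), vals)
            else:
                row[alias] = STATS[func](vals)
        rows.append(row)
    return rows

def failed_logins_by_source(events=EVENTS):
    """rex | where action="Failed" | eval port=tonumber(port) | where port>1024 | stats ... by src"""
    pipe = where(rex(events, AUTH_RX), lambda ev: ev.get("action") == "Failed")
    pipe = where(eval_field(pipe, "port", lambda ev: int(ev["port"])), lambda ev: ev["port"] > 1024)
    return stats(pipe, [("count", "user", "attempts"), ("dc", "user", "users"), ("mode", "user", "top_user"),
                        ("max", "user", "max_user"), ("min", "port", "low_port"), ("range", "port", "port_spread"),
                        ("perc50", "port", "median_port")], by="src")

def field_semantics(events=EVENTS):
    """Null and multivalue handling: the session event has no src, so count(src) skips it and dedup drops
    it by default, while its multivalue tags field contributes two values to count(tags)."""
    pipe = rex(events, AUTH_RX)
    row = stats(pipe, [("count", "src", "n_src"), ("dc", "src", "dc_src"), ("count", "tags", "n_tags")])[0]
    return {**row, "dedup_user": len(dedup(pipe, "user")), "dedup_user_keepempty": len(dedup(pipe, "user", keepempty=True))}
```

The practical lesson for detection content is the null handling: a stats ... by src over events where the rex failed silently discards those events, and a dedup on a field that is sometimes missing drops them too, so a search that is meant to catch anomalies should check for the missing field (for example with isnull()) rather than assume every event carries it.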