YOU should have written the first 19 lines of SPL below when you posted your question. You guys don't make an effort to frame it up with fake data. I can whip the answer up in about 5 minutes for just about anything, but it takes double or triple that to frame up the fake data. NOTE that my answer is not quite what you asked for, but it is better. To make it EXACTLY what you asked for, switch to | eval _total = 'Books Bought':

|makeresults
| rename COMMENT AS "Everything above this line is setup, AND YOU SHOULD HAVE PROVIDED THIS FOR US!!!"
| stats count BY sourcetype AccountName BookId
| stats first(*) AS * BY AccountName BookId
| eval _total = 'Books Bought' - 'Books Sold'
| stats sum(_total) AS Total list(*) AS * BY AccountName

You need to be careful about data presentation because the actual solution depends on the precise format of the data. In order to illustrate the thought process, I will assume that the examples are in the precise format of raw events. Additionally, I will assume that log1 and log2 are the values of sourcetype. If this assumption is correct, Splunk would have given you a field AccountName in both sourcetypes, a BookId field in log1, and a BookIds field in log2. AccountName, BookId1, and BookIds all begin and end with paired curly brackets. The separator in BookId2 is a comma followed by exactly one white space.

| eval bought = if(sourcetype = "log1", 1, 0)
| eval sold = if(sourcetype = "log2", 1, 0)
| stats sum(bought) as bought sum(sold) as sold by AccountName book
| stats list(*) as * by AccountName ``` this is solely for display ```

You can use the following data emulation to compare with your real data.

| eval sourcetype="log1", log = split("Books Bought AccountName=1
| stats count(T_*) as * by AccountName BookId
| stats list(BookId) list(bought) list(sold) by AccountName

I leave the total books calculation as an exercise for you, but also the hint that stats can perform multiple statistical functions in a single pass on multiple different fields of the input data set.

For an overview about the stats and charting functions, see Overview of SPL2 stats and chart functions.

The dataset function aggregates events into arrays of SPL2 field-value objects. You can use this function in the SELECT clause in the from command and with the stats command. There are three supported syntaxes for the dataset() function:

The first syntax returns all of the fields in the events that match your search criteria.
The second syntax returns only the specified fields in each event that match your search criteria. The list of fields must be a comma-separated list.
The third syntax is used only with a BY clause, such as the GROUPBY clause in the from command or the BY clause with the stats command. This syntax removes the group by field from the arrays that are generated. When used with the GROUPBY clause, include the group by field in the SELECT clause.

Different output based on the BY clause used

You can return all of the fields in the events or only the specified fields that match your search criteria. When you specify a BY clause field, the results are organized by that field. The values in the group by field are included in the array. However, the output you see depends on whether you use the GROUPBY clause with the from command or the BY clause with the stats command:

The GROUPBY clause in the from command returns only one field that contains the arrays, unless you specifically add the group by field to the SELECT clause.
The BY clause in the stats command returns two fields. One field contains the values from the BY clause field and another field contains the arrays.

For an illustration of this behavior, see the examples below that include a BY clause.

Examples

1. Return all fields and values in a single array

You can create a dataset array from all of the fields and values in the search results.
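To make the difference between the three dataset() syntaxes and the GROUPBY-versus-BY output shapes concrete, here is an added Python model of that behaviour; it is not Splunk's code and not from the original page, and the events, field names and function names (dataset, from_groupby, stats_by) are constructed for illustration.

```python
from collections import OrderedDict

# Constructed sample events (not from the page): an AccountName group-by
# field plus a BookId and sourcetype per event.
EVENTS = [
    {"AccountName": "acme", "BookId": "b1", "sourcetype": "log1"},
    {"AccountName": "acme", "BookId": "b2", "sourcetype": "log2"},
    {"AccountName": "zeta", "BookId": "b3", "sourcetype": "log1"},
]


def dataset(events, field_list=None, drop_field=None):
    """Model of the three dataset() syntaxes: no field list keeps every
    field, a field list keeps only those fields, and drop_field models the
    third syntax that removes the group-by field from each object."""
    objects = []
    for ev in events:
        keep = field_list if field_list is not None else list(ev)
        objects.append({k: ev[k] for k in keep if k in ev and k != drop_field})
    return objects


def _group(events, by):
    groups = OrderedDict()  # preserve first-seen order of group values
    for ev in events:
        groups.setdefault(ev.get(by), []).append(ev)
    return groups


def from_groupby(events, by, field_list=None, select_by=False, drop_field=None):
    """from ... GROUPBY: only the array field comes back unless the group-by
    field is explicitly added to the SELECT clause (select_by=True)."""
    rows = []
    for value, evs in _group(events, by).items():
        row = {by: value} if select_by else {}
        row["dataset"] = dataset(evs, field_list, drop_field)
        rows.append(row)
    return rows


def stats_by(events, by, field_list=None, drop_field=None):
    """stats ... BY: always two fields, the group-by value and the array."""
    return [{by: value, "dataset": dataset(evs, field_list, drop_field)}
            for value, evs in _group(events, by).items()]
```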