1) * | stats sum(x) by user, host, status will output rows that look like:

user host status sum(x)

2) But * | chart sum(x) over user by status will output quite different rows that look like:

Note that the first example incorporates data about the "host" field, whereas the second one does not. In more formal terms, stats sum(x) by user, host, status will create one row for each combination of user, host and status that is present in the data. Then for each of those rows it will also compute whatever statistic(s) or function(s) you tell it (here it's just sum(x)). On the other hand, the chart command will create rows that are each of the values of the single "group by" field, and COLUMNS that are each of the values of the "split by" field. (btw, you can sort of think of the timechart command as chart locked into using _time as the "group by" field, although the reality is a little more complex.)

- Note that you can specify any number of "group by" fields to the stats command, whereas the chart/timechart command can only have one "group by" (with timechart it is always _time) and one "split by". This is why our first example was able to incorporate the "host" field easily whereas the second example did not.

- This creates a concept of a "stats style" result set, versus a "chart style" result set. I say "style" because I mean it looks like the output of the given command, even if it didn't necessarily come from that command. ie | inputlookup foo might well emerge blinking into the light of your browser and be a "chart style" set.

- This has some implications that you get used to. For example, "filling in last known values" in a stats-style set is generally done with the streamstats command, whereas doing the same thing with chart-style results is more often done with the filldown command.

- The stats command will throw away any events where one or more of the "group by" fields does not exist. If you want it to keep them, you have to use an explicit fillnull command.

- The chart/timechart commands will likewise throw away events where the single "group by" field doesn't exist, but they will actually roll up all the null values of the "split by" field into a big column called "NULL", which you can fiddle with and/or suppress with various arguments.

- You can always transform your results from a "stats style" result set to the "chart style" with the xyseries command. eg xyseries foo bar baz, or if you will xyseries groupByField splitByField computedStatistic.

- Going the other way, you can transform your results from a "chart style" result set to the "stats style" with the untable command. eg | untable foo bar baz, or labeling the fields, | untable groupByField splitByField computedStatistic.

- Following from this, | xyseries foo bar baz | untable foo bar baz negates itself and so is a fun way to do nothing at all.

As you might guess from the runaway bullet points here, this is a deep topic.
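To make the two shapes concrete, here is an added Python model (not Splunk, and not code from the original post) of the behaviours described above: stats dropping events that lack a group-by field, chart dropping events that lack its single group-by field while rolling a missing split-by value into a "NULL" column, and untable/xyseries converting between the two shapes. The events and field values are constructed for the example, and empty chart cells are represented as None (an assumption of this model).

```python
from collections import defaultdict

# Constructed sample events; "x" is the value being summed.
EVENTS = [
    {"user": "alice", "host": "web1", "status": 200, "x": 5},
    {"user": "alice", "host": "web2", "status": 200, "x": 3},
    {"user": "alice", "host": "web1", "status": 500, "x": 1},
    {"user": "bob",   "host": "web1", "status": 200, "x": 7},
    {"user": "bob",   "status": 404, "x": 2},            # no host field
    {"user": "carol", "host": "web2", "x": 4},           # no status field
    {"host": "web1",  "status": 200, "x": 9},            # no user field
]

def stats_sum(events, field, by):
    """stats sum(<field>) by <by...>: one row per combination of group-by values.
    Any event missing one of the group-by fields is thrown away."""
    totals = defaultdict(int)
    for ev in events:
        if any(f not in ev for f in by):
            continue
        totals[tuple(ev[f] for f in by)] += ev[field]
    rows = []
    for key, total in sorted(totals.items(), key=str):
        row = dict(zip(by, key))
        row[f"sum({field})"] = total
        rows.append(row)
    return rows

def chart_sum(events, field, over, by):
    """chart sum(<field>) over <over> by <by>: one row per group-by value, one
    column per split-by value. Events missing the group-by field are dropped;
    events missing the split-by field are rolled into a column named "NULL"."""
    cells = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if over not in ev:
            continue
        cells[ev[over]][str(ev[by]) if by in ev else "NULL"] += ev[field]
    cols = sorted({c for r in cells.values() for c in r})
    return [dict({over: k}, **{c: r.get(c) for c in cols}) for k, r in sorted(cells.items())]

def untable(chart_rows, over, by, value):
    """Chart style -> stats style: one row per populated cell, like untable."""
    return [{over: r[over], by: c, value: v}
            for r in chart_rows for c, v in r.items() if c != over and v is not None]

def xyseries(stats_rows, over, by, value):
    """Stats style -> chart style: the inverse of untable, like xyseries."""
    cells = defaultdict(dict)
    for r in stats_rows:
        cells[r[over]][r[by]] = r[value]
    cols = sorted({c for r in cells.values() for c in r})
    return [dict({over: k}, **{c: r.get(c) for c in cols}) for k, r in sorted(cells.items())]
```

Running chart_sum then untable then xyseries on EVENTS reproduces the chart rows exactly, which is the "negates itself" point from the last bullet.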