In this post, we look at a few of the examples from the previous post:
source = job_listings | where salary > industry_average
uses the predicate to filter the results.
dedup source sortby -delay
shows the first of few unique sources sorted by the delay field in descending order
head (action="startup")
returns the first few events until the one matching startup is found
transaction clientip maxpause=5s
group events that share the same client IP address and have no gaps or pauses longer than five seconds
Results often include duration and event count
The stats calculate statistical values on events grouped by the value of the fields.
stats dc(host) returns distinct count of host values
stats count(eval(method="GET")) as GET by host returns the number of GET requests for each webserver. percentage and range are other functions that can be used with it.
timechart only not applicable to chart or stats
chart max(delay) over host
returns max(delay) for each value of host
timechart span=1m avg(CPU) by host
charts the average value of CPU usage each minute for each host.
Filtering, modifying and adding fields can be done with commands such as eval, rex, and lookup.
The eval command calculates the value of a new field based on an existing field.
The rex command is used to create new fields by using regular expressions
The lookup commands add fields based on a lookup table for value lookups
fields can be specified as a set col1-colN format or with wild card characters
source = job_listings | where salary > industry_average
uses the predicate to filter the results.
dedup source sortby -delay
shows the first of few unique sources sorted by the delay field in descending order
head (action="startup")
returns the first few events until the one matching startup is found
transaction clientip maxpause=5s
group events that share the same client IP address and have no gaps or pauses longer than five seconds
Results often include duration and event count
The stats calculate statistical values on events grouped by the value of the fields.
stats dc(host) returns distinct count of host values
stats count(eval(method="GET")) as GET by host returns the number of GET requests for each webserver. percentage and range are other functions that can be used with it.
timechart only not applicable to chart or stats
chart max(delay) over host
returns max(delay) for each value of host
timechart span=1m avg(CPU) by host
charts the average value of CPU usage each minute for each host.
Filtering, modifying and adding fields can be done with commands such as eval, rex, and lookup.
The eval command calculates the value of a new field based on an existing field.
The rex command is used to create new fields by using regular expressions
The lookup commands add fields based on a lookup table for value lookups
fields can be specified as a set col1-colN format or with wild card characters
No comments:
Post a Comment