By default, ordering is not defined inside of groups created using a group-by expression. To order your results, use the sort operator.

If the number of distinct items returned is less than 100, the count_distinct function provides an exact number. If the number of distinct items returned is larger than 100, count_distinct instead uses an approximate algorithm, and displays a message that explains: count_distinct saw more than 100 values, results may be approximate

The approximation algorithm uses a relative error parameter of 2%, for example:
65% of the time, results are within +/- 2%.
95% of the time, results are within +/- 4%.
99% of the time, results are within +/- 6%.

So for example, if the true count of distinct items is 1,000, the result returned by the approximation algorithm is between 9 about 95% of the time. The error parameter value is important to making the count_distinct function return results quickly and in a scalable way.

Also, note that when you want to count the distinct occurrences of more than one field, you must create an alias using the as operator to rename the _count_distinct fields.

The following are examples for using the SPL2 from command. To learn more about the from command, see How the from command works.

You can specify the clauses in the from command in uppercase or lowercase. These examples use uppercase for readability. Some of these examples start with the SELECT clause and others start with the FROM clause. Both of these clauses are valid syntax for the from command.

The following search shows that string values in field-value pairs must be enclosed in double quotation marks. Because string values must be enclosed in double quotation marks, you can reverse the order of field-value pairs. For example, the previous search can also be specified this way:

FROM my_index "syslog"=sourcetype

The following search looks for data in the _metrics index:

SELECT earliest_time(_value), metric_name

To use a wildcard in the WHERE clause, you cannot use the asterisk ( * ) wildcard character. See Comparison and Conditional functions. The following search looks for data in the EMEA and APAC indexes:

You can use a wildcard character ( * ) in the SELECT clause to search for similar field names. You must enclose the wildcard syntax in single quotation marks. You can use a wildcard to search for only internal fields, which begin with an underscore ( _ ) character. The WHERE clause does not support the wildcard character ( * ). However, you can use the like function to perform a wildcard search. The like function supports several syntaxes; see Comparison and Conditional functions.

5. Specify multiple expressions in the WHERE clause

Use the WHERE clause to filter the data by specifying one or more expressions. You need to separate multiple expressions using logical operators, such as AND and OR.

WHERE like(source, "%license%") AND type="usage"

The WHERE clause uses the like function to perform a search with a wildcard. The WHERE clause does not support the asterisk ( * ) wildcard character. For more information about logical operators, see Predicate expressions in the SPL2 Search Manual. For more information about the like function, see Comparison and Conditional functions.

You can search for multiple terms in your events by using a search literal in the WHERE clause. An AND operator is implied between the terms specified in the search literal. To specify a search literal, you enclose the list of terms in backtick characters ( ` ). The following search looks for the terms invalid AND user AND sshd and returns the events that contain all three terms:

For more information, see Search literals in expressions in the SPL2 Search Manual.

7. Specify a single field in the GROUP BY clause

You can specify one or more fields to group by. In this example a single field, host, is specified. The SELECT clause must contain either an aggregation or the fields in the GROUP BY clause. In this example, the SELECT clause contains the aggregation avg(cpu_usage):

Specify a time span in the GROUP BY clause

You can arrange search results in groups using a time span. When using the from command, if the GROUP BY clause is specified, the SELECT clause must also be specified.