nashvillevef.blogg.se

Splunk eval max

Aggregate functions summarize the values from each event to create a single, meaningful value. Common aggregate functions include Average, Count, Minimum, Maximum, Standard Deviation, Sum, and Variance. Most aggregate functions are used with numeric fields. However, there are some functions that you can use with either alphabetic string fields or numeric fields. The function descriptions indicate which functions you can use with alphabetic strings. For an overview, see Overview of SPL2 stats functions.

avg(<value>)

This function returns the average, or mean, of the values in a field. You can use this function with the stats, eventstats, streamstats, and timechart commands.

The following example returns the average of the values in the size field for each distinct value in the host field.

| stats avg(size) BY host

The following example returns the average thruput of each host for each 5 minute time span.

| bin _time span=5m | stats avg(thruput) BY host

The following example displays a timechart of the average of the cpu_seconds field by processor, rounded to 2 decimal points. When you use an eval expression with the timechart command, you must also use a BY clause.

| timechart eval(round(avg(cpu_seconds),2)) BY processor

count(<value>)

This function returns the number of occurrences in a field. To use this function, you can specify count(), or the abbreviation c(). This function processes field values as strings. To indicate a specific field value to match, use the format <field>=<value>. Several of these examples use an eval expression with the count function. See Using eval expressions in stats functions.

The following example returns the count of events where the status field has the value "404".

| stats count(eval(status="404")) AS count_status BY sourcetype

The following example separates the search results into 10 bins and counts the values in the _raw field for each bin.

| bin size bins=10 | stats count(_raw) BY size

You can use search literals in functions that accept predicate expressions. Search literals are enclosed in backtick characters ( ` ). The following search uses the search literal `500` to count the occurrences of the value 500 in your events. For more information, see Search literals in expressions.

| from my_dataset where sourcetype="access_*" | stats count(`500`)

The following example uses the timechart command to count the events where the action field contains the value purchase. The results are organized by the productName field:

| timechart count(eval(action="purchase")) BY productName usenull=f useother=f

distinct_count(<value>)

This function returns the count of distinct values in a field.
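As an added example, not part of the Splunk documentation this page reproduces, the following search combines the aggregate functions described above (count with an eval expression, distinct_count as dc, avg and max) into one detection search over web access logs: per client and per 5 minute bucket it counts total requests, server errors and 404s, the number of distinct paths requested, and the average and largest response size, then keeps only clients that look like scanners or brute-forcers. It is written in classic SPL rather than SPL2. The index name web, the fields clientip, status, uri_path and bytes (as the access_combined sourcetype extracts them) and the two thresholds are assumptions for illustration, not values from the page.

```spl
index=web sourcetype=access_*
| bin _time span=5m
| stats count AS requests
        count(eval(status>=500)) AS server_errors
        count(eval(status="404")) AS not_found
        dc(uri_path) AS distinct_paths
        avg(bytes) AS avg_bytes
        max(bytes) AS max_bytes
        BY _time clientip
| eval error_ratio=round((server_errors+not_found)/requests, 2)
| where distinct_paths > 100 OR error_ratio > 0.5
| sort - error_ratio
```

Two details matter when reading the results. The bare count counts every event in the bucket, whereas count(status) would count only events in which a status field was extracted, so the denominator of error_ratio uses the bare form and malformed log lines still count as traffic. count(eval(...)) returns 0, not null, for buckets in which no event satisfies the expression, so error_ratio is defined for every client rather than silently dropping the quiet ones; the eval expression is evaluated per event and only events for which it is true are counted.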












