`| join left=L right=R where L.pid = R.pid`

A maximum of 50,000 rows in the right-side dataset can be joined with the left-side dataset. This maximum default is set to limit the impact of the join command on performance and resource consumption.

For flexibility and performance, consider using one of the following commands if you do not require join semantics. These commands provide event grouping and correlations using time and geographic location, transactions, subsearches, field lookups, and joins. If you are familiar with SQL but new to SPL, see Splunk SPL for SQL users.

To append the results of a subsearch to the results of your current search. The events from both result sets are retained. The append command does not produce correct results if used in a real-time search. If you use append to combine the events, use a stats command to group the events in a meaningful way. You cannot use a transaction command after you use an append command.

Appends the fields of the subsearch results with the input search result fields. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.

Use when one of the result sets or source files remains static or rarely changes. For example, a file from an external system such as a CSV file.

In the most simple scenarios, you might need to search only for sources using the OR operator and then use a stats or transaction command to perform the grouping operation on the events.

To group events by a field and perform a statistical function on the events. For example, to determine the average duration of events by host name. To use stats, the field must have a unique identifier. To view the raw event data, use the transaction command instead.

Use transaction in the following situations.
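The following is an added example, not part of the Splunk documentation above, showing the same correlation written three ways: first with join, then with the search-OR-plus-stats pattern, then with append followed by stats. The scenario is a constructed one for a detection use case: find accounts that had repeated authentication failures from a source address and then a success from the same address. The index, sourcetype and field names (`index=auth`, `sourcetype=sshd`, `action`, `user`, `src_ip`) and the threshold of 10 failures are assumptions chosen for the example.

```spl
index=auth sourcetype=sshd action=failure
| stats count AS failures BY user src_ip
| join type=inner user src_ip
    [ search index=auth sourcetype=sshd action=success
      | stats count AS successes BY user src_ip ]
| where failures >= 10

index=auth sourcetype=sshd (action=failure OR action=success)
| stats count(eval(action="failure")) AS failures,
        count(eval(action="success")) AS successes
        BY user src_ip
| where failures >= 10 AND successes > 0

index=auth sourcetype=sshd action=failure
| stats count AS failures BY user src_ip
| append
    [ search index=auth sourcetype=sshd action=success
      | stats count AS successes BY user src_ip ]
| stats sum(failures) AS failures, sum(successes) AS successes BY user src_ip
| where failures >= 10 AND successes > 0
```

The first search is subject to the 50,000-row cap on the right-side (subsearch) dataset described above, so on a busy authentication index the success side can be silently truncated and real matches dropped. The second search reads both event types in one pass and lets stats do the grouping, so there is no subsearch limit and no join cost; it is the form to prefer when both sides live in the same index. The third search keeps the two result sets separate until the final stats, which is the pattern the documentation recommends when append is used: stats sums the per-group counters so the two appended rows for each user and src_ip collapse into one, and groups with no success row simply get a null successes value that fails the final where clause.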