The following are examples for using the SPL2 sort command. To learn more about the sort command, see How the sort command works.

1. Specify different sort orders for each field

This example sorts the results first by the lastname field in ascending order and then by the firstname field in descending order. Because ascending is the default sort order, you don't need to specify it unless you want to be explicit.

2. Specify the number of sorted results to return

This example sorts the results and returns a maximum of 100 of the sorted results. The results are sorted first by the size field in descending order. If there are duplicate values in the size field, the results are sorted by the source field in ascending order.

3. Use the sort options to specify field types

Sort the results by the ipaddress field in ascending order and then sort by the url field in descending order.

The table command returns a table that is formed by only the fields that you specify in the arguments. Columns are displayed in the same order that fields are specified. The table command is similar to the fields command in that it lets you specify the fields you want to keep in your results. Use the table command when you want to retain data in tabular format. With the exception of a scatter plot to show trends in the relationships between discrete values of your data, you should not use the table command for charts.

Description: A list of valid field names. The list can be space-delimited or comma-delimited. You can use the asterisk ( * ) as a wildcard to specify a list of fields with similar names. For example, if you want to specify all fields that start with "value", you can use a wildcard such as value*.

The table command is a transforming command. To generate visualizations, the search results must contain numeric, datetime, or aggregated data such as count, sum, or average. The table command is a non-streaming command. If you are looking for a streaming command similar to the table command, use the fields command.

The table command doesn't let you rename fields, only specify the fields that you want to show in your tabulated results. If you're going to rename a field, do it before piping the results to table.

The table command truncates the number of results returned based on settings in the nf file. In the stanza, if the value for the truncate_report parameter is 1, the number of results returned is truncated. The number of results is controlled by the max_count parameter in the stanza. If truncate_report is set to 0, the max_count parameter is not applied.

Examples

Example 1

This example uses recent earthquake data downloaded from the USGS Earthquakes website. You can download a current CSV file from the USGS Earthquake Feeds and upload the file to your Splunk instance if you want to follow along with this example.

Search for recent earthquakes in and around California and display only the time of the quake (time), where it occurred (place), and the quake's magnitude (mag) and depth (depth).

```
source=all_month.csv place=*California | table time, place, mag, depth
```

This search reformats your events into a table and displays only the fields that you specified as arguments. The results look something like this:

Example 2

This example uses recent earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), and so forth, for each earthquake recorded.

Show the date, time, coordinates, and magnitude of each recent earthquake in Northern California.

```
source=all_month.csv place="Northern California" | rename latitude as lat longitude as lon locationSource as locSource | table time, place, lat, lon, locS*
```

This example begins with a search for all recent earthquakes in Northern California (place="Northern California"). Then the events are piped into the rename command to change the names of the coordinate fields, from latitude and longitude to lat and lon. The locationSource field is also renamed to locSource. Finally, the results are piped into the table command, which specifies both coordinate fields with lat and lon, the date and time with time, and locSource using the asterisk wildcard. (The table command doesn't let you rename or reformat fields, only specify the fields that you want to show in your tabulated results.) The results look something like this:

Example 3

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log.
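As an added illustration, not code from the Splunk documentation, the following Python emulates the search, rename and table stages of the earthquake examples above on constructed CSV rows shaped like the USGS feed. It shows the wildcard field selection (locS*), the rule that table only selects fields and never renames them, and the truncate_report/max_count truncation; the function and parameter names are my own.

```python
import csv
import fnmatch
import io

# Constructed sample rows in the shape of the USGS all_month.csv feed (not real data).
SAMPLE_CSV = """time,latitude,longitude,depth,mag,place,locationSource
2024-01-05T03:12:00Z,37.81,-122.24,5.1,2.3,Northern California,nc
2024-01-05T04:40:00Z,36.10,-120.88,8.7,3.1,Central California,nc
2024-01-06T01:02:00Z,38.82,-122.80,2.0,1.4,Northern California,nc
"""


def load_events(text):
    """Read CSV rows as dict events, one per earthquake."""
    return list(csv.DictReader(io.StringIO(text)))


def search(events, **filters):
    """Emulate field=value filtering; a value may use * as a glob, as in place=*California."""
    return [e for e in events
            if all(fnmatch.fnmatchcase(e.get(k, ""), v) for k, v in filters.items())]


def rename(events, mapping):
    """Emulate rename: new events with keys renamed, e.g. {"latitude": "lat"}."""
    return [{mapping.get(k, k): v for k, v in e.items()} for e in events]


def table(events, fields, max_count=None, truncate_report=True):
    """Emulate table: keep only the named fields, in argument order; a field
    containing * expands to every matching field name present in the event.
    Rows beyond max_count are dropped only when truncate_report is set."""
    rows = []
    for e in events:
        cols = []
        for f in fields:
            if "*" in f:
                cols += [k for k in e if fnmatch.fnmatchcase(k, f) and k not in cols]
            elif f not in cols:
                cols.append(f)
        # A field that does not exist yields an empty column: table never creates or renames fields.
        rows.append({c: e.get(c, "") for c in cols})
    if truncate_report and max_count is not None:
        rows = rows[:max_count]
    return rows


def example_2(text=SAMPLE_CSV):
    """The page's Example 2: filter, rename the coordinate fields, then table with a locS* wildcard."""
    events = search(load_events(text), place="Northern California")
    events = rename(events, {"latitude": "lat", "longitude": "lon", "locationSource": "locSource"})
    return table(events, ["time", "place", "lat", "lon", "locS*"])
```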