10/13/2023

Splunk join max

The join command has an option, max=<int>, that specifies the maximum number of subsearch results each main search result can be joined with. The default is 1, so a main row is combined with only the first matching subsearch row; max=0 removes the limit and returns every match.

I had a vaguely similar problem a few weeks ago. In your query, just write join max=0 SessionId in place of join SessionId.

appendcols

Description: Appends the fields of the subsearch results to the input search results. All fields of the subsearch are combined into the current results, with the exception of internal fields. The merge is positional: the first subsearch result is merged with the first main result, the second subsearch result with the second main result, and so on.

Required arguments
subsearch: A secondary search added to the main search. See how subsearches work in the Search Manual.

Optional arguments
override: Syntax: override=<bool>. If override is false and a field is present in both a subsearch result and the main result, the main result's value is used. If override=true, the subsearch value is used. Default: override=false.
subsearch-options: Syntax: maxtime=<int> | maxout=<int> | timeout=<int>. These options control how the subsearch is executed.

Subsearch options
maxtime: Syntax: maxtime=<int>. The maximum time, in seconds, to spend on the subsearch before automatically finalizing it. Default: 60.
maxout: Syntax: maxout=<int>. The maximum number of result rows to output from the subsearch. Default: 50000.
timeout: Syntax: timeout=<int>. The maximum time, in seconds, to wait for the subsearch to fully finish. Default: 60.

Usage
The appendcols command must be placed in a search string after a transforming command such as stats, chart, or timechart. It can't be used before a transforming command because it must append to an existing set of table-formatted results, such as those generated by a transforming command.

Example 1: Search for "404" events and append the fields in each event to the previous search results. Note that the subsearch argument to appendcols doesn't have to contain a transforming command.

Example 2: This is a valid search string because appendcols comes after the transforming command table and adds columns to an existing table of results:

index=_internal | table host | appendcols [ <subsearch> ]

Example 3: This search uses appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields:

...rver | stats dc(userID) as totalUsers | appendcols [ <subsearch> ] | eval variableB = exact(variableA/totalUsers)

First, the search uses stats to count the number of distinct users on a specific server and names that value "totalUsers". Then it uses appendcols to search the same server and count how many times a certain field occurs there; that count becomes "variableA". Inside the subsearch, the addinfo command adds the info_min_time and info_max_time fields to the results, and the where command uses those fields to constrain the subsearch to the main search's time range. Finally, the eval command defines "variableB". The result is a table with the fields totalUsers, variableA, and variableB.

Two points worth keeping in mind when one of these searches feeds a detection or a report. First, appendcols matches rows by position, not by any key: if the subsearch returns rows in a different order, or a different number of rows, than the main search, its fields are attached to the wrong rows without any warning, and override=true will even replace a key field such as SessionId with the subsearch's value. When rows must be correlated by a field, use join on that field (with max=0 if every match is needed) rather than appendcols. Second, maxout, maxtime and timeout all cap the subsearch silently: once the subsearch hits 50000 rows or 60 seconds it is finalized with whatever it has produced so far, so counts such as variableA can be low without any error being raised.
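To make the difference between the two merge semantics concrete, the following is an added Python illustration, not Splunk code and not from the original page: it models appendcols as a positional merge with an override flag and join as a keyed merge with the max=<int> limit, run over a small constructed set of login and session-action rows. The treatment of fields beginning with "_" as internal, the dropping of surplus subsearch rows in appendcols, and the subsearch value winning on field clashes in join are simplifications chosen for this example, not behaviour stated on the page.

```python
"""Positional merge (appendcols) versus keyed merge (join) over small result sets.

Added illustration of the two merge semantics described on the page. It is not
Splunk code and does not run SPL; rows are plain dicts standing in for search
results, and the sample rows at the bottom are constructed for the example.
"""
from typing import Dict, List

Row = Dict[str, object]


def appendcols(main: List[Row], sub: List[Row], override: bool = False) -> List[Row]:
    """Merge the i-th subsearch row into the i-th main row, like appendcols.

    With override=False a field present in both rows keeps the main value; with
    override=True the subsearch value wins. Fields whose name starts with "_"
    are treated as internal and skipped (a simplification for this example).
    Main rows beyond the end of the subsearch pass through unchanged; surplus
    subsearch rows are dropped here, which is this example's own choice.
    """
    out: List[Row] = []
    for i, row in enumerate(main):
        merged = dict(row)
        if i < len(sub):
            for key, value in sub[i].items():
                if key.startswith("_"):
                    continue
                if override or key not in merged:
                    merged[key] = value
        out.append(merged)
    return out


def join(main: List[Row], sub: List[Row], field: str, max_matches: int = 1) -> List[Row]:
    """Inner join on `field`, like `join <field>` with its max=<int> option.

    Each main row is combined with at most `max_matches` subsearch rows that
    share the field value; max_matches=0 means no limit (join max=0). Main
    rows with no match are dropped, as in an inner join. On a field clash the
    subsearch value is taken, an assumption made for this example.
    """
    by_key: Dict[object, List[Row]] = {}
    for row in sub:
        if field in row:
            by_key.setdefault(row[field], []).append(row)

    out: List[Row] = []
    for row in main:
        matches = by_key.get(row.get(field), [])
        if max_matches > 0:
            matches = matches[:max_matches]
        for match in matches:
            merged = dict(row)
            merged.update({k: v for k, v in match.items() if not k.startswith("_")})
            out.append(merged)
    return out


# Constructed sample data for the example: the main search is a per-session
# login summary, the subsearch lists actions observed for each SessionId.
LOGINS: List[Row] = [
    {"SessionId": "s1", "user": "alice", "src": "10.0.0.5"},
    {"SessionId": "s2", "user": "bob", "src": "10.0.0.9"},
    {"SessionId": "s3", "user": "carol", "src": "10.0.0.7"},
]
ACTIONS: List[Row] = [
    {"SessionId": "s1", "action": "view", "_raw": "constructed raw event"},
    {"SessionId": "s1", "action": "download"},
    {"SessionId": "s2", "action": "view"},
    {"SessionId": "s2", "src": "192.0.2.1", "action": "export"},
]


if __name__ == "__main__":
    # Positional merge: row 2 of LOGINS (bob, s2) silently picks up the
    # "download" action that actually belongs to s1.
    for row in appendcols(LOGINS, ACTIONS):
        print("appendcols        ", row)
    # With override=True the SessionId itself is overwritten by the subsearch.
    for row in appendcols(LOGINS, ACTIONS, override=True):
        print("appendcols override", row)
    # Keyed merge: default max=1 keeps one action per session, max=0 keeps all.
    for row in join(LOGINS, ACTIONS, "SessionId"):
        print("join max=1        ", row)
    for row in join(LOGINS, ACTIONS, "SessionId", max_matches=0):
        print("join max=0        ", row)
```

Running it shows the failure mode the usage notes warn about: with appendcols, bob's row acquires "download", an action that belongs to alice's session, because the subsearch has two rows for s1 and the merge is by position. With join on SessionId the correlation is correct, and only max_matches=0 returns both of alice's actions; the default of 1 keeps just the first.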