
The following tables list all the search commands, categorized by their usage. Some commands fit into more than one category based on the options that you specify.

Correlation

These commands can be used to build correlation searches.

append - Appends subsearch results to current results.
appendcols - Appends the fields of the subsearch results to current results, first result to first result, second to second, and so on.
appendpipe - Appends the result of the subpipeline applied to the current result set to the results.
arules - Finds association rules between field values.
contingency - Builds a contingency table for two fields.
correlate - Calculates the correlation between different fields.
diff - Returns the difference between two search results.
join - Combines the results from the main results pipeline with the results from a subsearch.
set - Performs set operations (union, diff, intersect) on subsearches.
stats - Provides statistics, grouped optionally by fields.

Data and indexes

These commands can be used to learn more about your data, add and delete data sources, or manage the data in your summary indexes.

View data

These commands return information about the data you have in your indexes. They do not modify your data or indexes in any way.

audit - Returns audit trail information that is stored in the local audit index.
datamodel - Returns information about a data model or data model object.
dbinspect - Returns information about the specified index.
eventcount - Returns the number of events in an index.
metadata - Returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer.
typeahead - Returns typeahead information on a specified prefix.

Manage data

These are some commands you can use to add data sources to or delete specific data from your indexes.

delete - Deletes specific events or search results.

Manage summary indexes

These commands are used to create and manage your summary indexes.

collect - Puts search results into a summary index.
overlap - Finds events in a summary index that overlap in time or have missed events.
sichart - Computes the necessary information for you to later run a chart search on the summary index.
sirare - Computes the necessary information for you to later run a rare search on the summary index.
sistats - Computes the necessary information for you to later run a stats search on the summary index.
sitimechart - Computes the necessary information for you to later run a timechart search on the summary index.
sitop - Computes the necessary information for you to later run a top search on the summary index.

Fields

These are commands you can use to add, extract, and modify fields or field values. The most useful command for manipulating fields is eval and its statistical and charting functions.

Add fields

accum - Keeps a running total of the specified numeric field.
addinfo - Adds fields that contain common information about the current search.
addtotals - Computes the sum of all numeric fields for each result.
delta - Computes the difference in field value between nearby results.
eval - Calculates an expression and puts the value into a field. See also the evaluation functions.
iplocation - Adds location information, such as city, country, latitude, longitude, and so on, based on IP addresses.
lookup - For configured lookup tables, explicitly invokes the field value lookup and adds fields from the lookup table to the events.
multikv - Extracts field values from table-formatted events.
rangemap - Sets the RANGE field to the name of the ranges that match.
strcat - Concatenates string values and saves the result to a specified field.

Extract fields

These commands provide different ways to extract new fields from search results.

erex - Allows you to specify example or counter-example values to automatically extract fields that have similar values.
extract (kv) - Extracts field-value pairs from search results.
kvform - Extracts values from search results, using a form template.
rex - Specify a Perl regular expression with named groups to extract fields while you search.
spath - Provides a straightforward means for extracting fields from structured data formats, XML and JSON.

Modify fields and field values

Use these commands to modify fields or their values.

convert - Converts field values into numerical values.
filldown - Replaces NULL values with the last non-NULL value.
fillnull - Replaces null values with a specified value.
makemv - Changes a specified field into a multivalue field during a search.
nomv - Changes a specified multivalue field into a single-value field at search time.
reltime - Converts the difference between 'now' and '_time' to a human-readable value and adds this value to the field 'reltime' in your search results.
rename - Renames a specified field. Use wildcards to specify multiple fields.
replace - Replaces values of specified fields with a specified new value.

Find anomalies

These commands are used to find anomalies in your data. Either search for uncommon or outlying events and fields, or cluster similar events together.

analyzefields (af) - Analyzes numerical fields for their ability to predict another discrete field.
anomalies - Computes an "unexpectedness" score for an event.
anomalousvalue - Finds and summarizes irregular, or uncommon, search results.
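The Correlation commands listed on this page are easiest to understand with a concrete correlation search. The following SPL is an added example, not a search from the Splunk documentation: it joins hosts that logged in successfully over SSH against a subsearch of hosts that first produced a burst of failed passwords, which is the classic "brute force followed by success" pattern. The index name linux, the sourcetype syslog, the OpenSSH message formats and the threshold of 20 failures are assumptions; adjust them to your environment.

```spl
index=linux sourcetype=syslog ("Accepted password" OR "Accepted publickey") earliest=-24h
| rex "Accepted (?:password|publickey) for (?<user>\S+) from (?<src_ip>\S+) port"
| stats earliest(_time) AS success_time, values(user) AS logged_in_as BY src_ip
| join type=inner src_ip
    [ search index=linux sourcetype=syslog "Failed password" earliest=-24h
      | rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\S+) port"
      | stats count AS failures, dc(user) AS guessed_users, earliest(_time) AS first_failure BY src_ip
      | where failures >= 20 ]
| where first_failure < success_time
| eval success_time=strftime(success_time, "%Y-%m-%d %H:%M:%S"),
       first_failure=strftime(first_failure, "%Y-%m-%d %H:%M:%S")
| table src_ip, failures, guessed_users, first_failure, logged_in_as, success_time
```

The outer search reduces successes to one row per source address, the subsearch reduces failures to one row per source address that crossed the threshold, and `join type=inner` keeps only addresses present in both; the final `where` enforces the ordering (failures began before the success). A caveat a practitioner should keep in mind: the subsearch inside `join` is bounded by the subsearch result and time limits, so on high-volume data it can be truncated silently. For large datasets the same correlation is more robust when expressed as a single `stats` over both event types (count failures and earliest success per `src_ip`, then filter), which is what `stats` in this table is for.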
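The View data and Manage summary indexes commands above are typically used together in detection engineering: first to confirm that the data you alert on is still arriving, then to keep a cheap summary of it for long-baseline searches. The three searches below are an added example, not from the Splunk page. The index name linux, the summary index name summary, the saved-search name "SSH failures hourly" and the search_name field that summary-indexed events carry are assumptions.

```spl
| metadata type=hosts index=linux
| eval hours_silent=round((now() - lastTime) / 3600, 1)
| where hours_silent > 2
| convert ctime(lastTime) AS last_seen
| table host, totalCount, last_seen, hours_silent
| sort - hours_silent

index=linux sourcetype=syslog "Failed password" earliest=-1h@h latest=@h
| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\S+) port"
| sistats count, dc(user) BY src_ip

index=summary search_name="SSH failures hourly" earliest=-30d@d
| stats count, dc(user) BY src_ip
| where count > 500
| sort - count

index=summary search_name="SSH failures hourly" earliest=-7d@d
| overlap
```

The first search uses `metadata` (a generating command, hence the leading pipe) to list every host in the index together with the timestamp of its most recent event, then flags hosts that have been silent for more than two hours; a detection that depends on a host's logs is blind while that host is missing, so this check belongs in a monitoring dashboard. The second search is the body of a scheduled report with summary indexing enabled: `sistats` writes the prepared intermediate data for `count` and `dc(user)` into the summary index, and the third search runs the matching `stats` call over 30 days of that summary, which is far cheaper than rerunning the raw search. Keep the `stats` call identical to the `sistats` call (same functions, same BY fields, no AS renames) or the summary cannot be recombined. The fourth search runs `overlap` against the summary to surface periods where the scheduled report ran twice or did not run at all, which would otherwise skew the 30-day counts.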
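The Fields commands (add, extract, modify) are rarely used one at a time; a typical enrichment search chains several of them. The following SPL is an added example, not from the Splunk page: it extracts fields from raw OpenSSH failure messages with `rex`, enriches the source address with `iplocation` and a threat-intelligence `lookup`, fills missing values with `fillnull`, derives a field with `eval`, builds a label with `strcat`, summarizes with `stats` and finally buckets the result with `rangemap`. The index and sourcetype, the lookup file blocklist.csv with columns ip and threat_category, and the private address ranges are assumptions.

```spl
index=linux sourcetype=syslog "Failed password" earliest=-24h
| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| iplocation src_ip
| lookup blocklist.csv ip AS src_ip OUTPUTNEW threat_category
| fillnull value="none" threat_category Country City
| eval is_external=if(cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("192.168.0.0/16", src_ip), 0, 1)
| strcat Country "/" City geo
| stats count AS failures, dc(user) AS distinct_users,
        earliest(_time) AS first_seen, latest(_time) AS last_seen
        BY src_ip, geo, threat_category, is_external
| rangemap field=failures low=0-9 medium=10-49 high=50-999999 default=unknown
| convert ctime(first_seen) ctime(last_seen)
| sort - failures
```

Two details matter in practice. `OUTPUTNEW` on the `lookup` only populates threat_category when the event does not already have one, so an earlier automatic lookup is not overwritten; and `fillnull` runs before `stats` because a null BY-field value would otherwise drop the row from the aggregation. `rangemap` writes its verdict to a field named range, so downstream dashboards can key on range="high" rather than on a raw count that may change as the environment grows.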
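The Find anomalies section describes two approaches, searching for outlying values and clustering similar events. The two searches below are an added example, not from the Splunk page, showing one of each: `anomalousvalue` against hourly outbound byte counts per host (a data-exfiltration signal), and `cluster`, which the section's introduction alludes to, against raw syslog to surface message shapes that occur only a handful of times. The index names netflow and linux, the fields bytes and src_host, the host bastion01, and the similarity threshold t=0.8 are assumptions.

```spl
index=netflow earliest=-14d
| bin _time span=1h
| stats sum(bytes) AS bytes_out BY _time, src_host
| anomalousvalue action=filter pthresh=0.01 bytes_out
| sort - bytes_out
| table _time, src_host, bytes_out

index=linux sourcetype=syslog host=bastion01 earliest=-24h
| cluster t=0.8 showcount=true
| where cluster_count <= 3
| table cluster_count, cluster_label, _raw
```

In the first search the aggregation happens before `anomalousvalue`, so the command scores one number per host-hour against the distribution of all host-hours rather than scoring individual flow records; `action=filter` keeps only the rows whose value is improbable at the chosen `pthresh`. A value that is anomalous across the whole fleet is not necessarily anomalous for that host, so for a per-host baseline add src_host to the analysis or compare against the host's own history. In the second search `cluster` keeps one representative event per cluster and `showcount=true` adds cluster_count; the `where` keeps only the rare clusters, which is an effective way to read a day of logs from a bastion host without reading every line, because the novel events (a new binary executed, an unexpected sudo rule) are precisely the ones that do not cluster with anything else.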
