appendcols

Description
Appends the fields of the subsearch results with the input search results. All fields of the subsearch are combined into the current results, with the exception of internal fields. The merge is positional: the first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.

Required arguments
subsearch
Description: A secondary search added to the main search. See how subsearches work in the Search Manual.

Optional arguments
override
Syntax: override=<bool>
Description: If the override argument is false, and a field is present in both a subsearch result and the main result, the main result is used. If override=true, the subsearch result value is used.
Default: override=false

subsearch-options
Syntax: maxtime=<int> | maxout=<int> | timeout=<int>
Description: These options control how the subsearch is executed.

Subsearch options
maxtime
Syntax: maxtime=<int>
Description: The maximum time, in units of seconds, to spend on the subsearch before automatically finalizing.
Default: 60

maxout
Syntax: maxout=<int>
Description: The maximum number of result rows to output from the subsearch.
Default: 50000

timeout
Syntax: timeout=<int>
Description: The maximum time, in units of seconds, to wait for the subsearch to fully finish.

Usage
The appendcols command must be placed in a search string after a transforming command such as stats, chart, or timechart. It can't be used before a transforming command because it must append to an existing set of table-formatted results, such as those generated by a transforming command. A search in which appendcols comes after the transforming command table, for example, is a valid search string because appendcols adds columns to an existing table of results.

Examples
1. Search for "404" events and append the fields in each event to the previous search results. Note that the subsearch argument to the appendcols command doesn't have to contain a transforming command.
... | appendcols [search 404]

2. This search uses appendcols to count the number of times a certain field occurs on a specific server and uses that value to calculate other fields. The angle-bracket names are placeholders for the fields in your data.
... | stats dc(<user field>) AS totalUsers | appendcols [ search ... | addinfo | where _time >= info_min_time AND _time <= info_max_time | stats count(<field>) AS variableA ] | eval variableB = exact(variableA/totalUsers)
First, this search uses stats to count the number of individual users on a specific server and names that value "totalUsers". Then it uses appendcols to search the server and count how many times a certain field occurs on that specific server, naming that count "variableA". The addinfo command adds the info_min_time and info_max_time fields to the search results, and the where clause uses them to restrict the subsearch to the same time range as the main search. Finally, eval divides variableA by totalUsers to compute variableB.

replace

Description
Replaces field values in your search results with the values that you specify. Does not replace values in fields generated by stats or eval functions. If you do not specify a field, the value is replaced in all non-generated fields.

Required arguments
wc-string
Syntax: <wc-string> WITH <wc-string>...
Description: Specify one or more field values and their replacements. You can use wildcard characters to match one or multiple terms.

Optional arguments
field-list
Syntax: IN <field-list>
Description: Specify a comma or space delimited list of one or more field names for the field value replacements. To replace values on _internal fields, you must specify the field name with the IN clause.

Usage
The replace command is a distributable streaming command.

Non-wildcard replacement values specified later take precedence over those replacements specified earlier. For a wildcard replacement, fuller matches take precedence over lesser matches. To assure precedence relationships, you are advised to split the replace into two separate invocations.

Wildcards ( * ) can be used to specify many values to replace, or to replace values with. When using wildcard replacements, the result must have the same number of wildcards, or none at all.

Examples
1. Replace a value in all fields
Change any host value that ends with "localhost" to simply "localhost" in all fields.
... | replace *localhost WITH localhost

2. Replace a value in a specific field
Replace an IP address with a more descriptive name in the host field.
... | replace 127.0.0.1 WITH localhost IN host

3. Change the value of two fields
Replaces the values in the start_month and end_month fields. You can separate the names in the field list with spaces or commas.
... | replace aug WITH August IN start_month end_month

4. Change the order of values in a string
In the host field, change the order of string values that contain the word localhost so that the string "localhost" precedes the other strings.
... | replace "* localhost" WITH "localhost *" IN host

5. Replace multiple values in a field
Replace the values in a field with more descriptive names. Separate the value replacements with a comma.
... | replace 0 WITH Critical, 1 WITH Error IN msg_level

6. Replace an empty string with whitespace
Search for an error message and replace empty strings with a whitespace. This example will not work unless you have values that are actually the empty string, which is not the same as not having a value.
"Error exporting to XYZ :" | rex "Error exporting to XYZ:(?<errmsg>.*)" | replace "" WITH " " IN errmsg

7. Replace values in an internal field
Replace values of the internal field _time.
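The two commands combined in one detection-style search, as an added example that is not from the Splunk documentation; the index, sourcetype and the action, src_ip and user fields are assumed. replace runs before stats because it does not touch stats-generated fields, appendcols follows the transforming command as the usage notes require, and both sides are kept to a single row because appendcols pairs rows by position rather than by a key.

```spl
index=auth sourcetype=linux_secure action=failure
| replace 127.0.0.1 WITH localhost IN src_ip
| stats count AS failed_logins, dc(src_ip) AS distinct_sources, dc(user) AS targeted_accounts
| appendcols override=false maxtime=30 [
    search index=auth sourcetype=linux_secure action=success
    | stats count AS successful_logins ]
| eval failure_ratio = exact(failed_logins / (failed_logins + successful_logins))
| where failure_ratio > 0.9 AND targeted_accounts > 10
```

The final where clause flags a window in which almost every login attempt failed across many accounts, the shape of a password-spraying run; tune the thresholds to the baseline of your environment.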