timechart

Syntax: timechart ( ( ) | ( ) BY ) )

Required arguments

When using the timechart command, you must specify either a single-aggregate or an eval-expression with a BY clause.

single-aggregate
Syntax: count "(" ")" | "(" ")"
Description: An aggregation applied to a single field, including an evaluated field. For the aggregation function, see stats-function in the Optional arguments section. No wildcards are allowed in the field name. A field must be specified, except when using the count() function, which applies to all events instead of a specific field.

eval-expression
Syntax: | | | |
Description: A combination of literals, fields, operators, and functions that represent the value of your field. For these evaluations to work, your field values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations might not produce valid results if the values are not numerical. Additionally, the search can concatenate the two values if they are both strings. When concatenating values with a period '.', the search treats both values as strings, regardless of their actual data type.

split-by field (BY clause)
Description: A field to group the results by. If the split-by field is numerical, default discretization is applied. You can also specify specific discretizations.

Optional arguments

agg
Syntax: agg=( ( ) )
Description: A statistical aggregation function. See SPL2 Stats and Charting Functions Quick Reference. The function can be applied to an eval expression, or to a field or set of fields. Use the AS clause to place the result into a new field with a name that you specify. You can use wildcard characters in field names. If you set limit=0, no series filtering occurs.

bin-options
Syntax: bins | minspan | span | | aligntime
Description: Options that you can use to specify discrete bins, or groups, to organize the information. The bin-options set the maximum number of bins, not the target number of bins. For an explanation of these options, see the Bins options section in this topic.
Default: bins=100

cont
Syntax: cont=
Description: Specifies whether the timechart is continuous or not. If set to true, any time gaps are filled in.

fixedrange
Syntax: fixedrange=
Description: Specifies whether or not to enforce the earliest and latest times of the search. Setting fixedrange=false allows the timechart command to constrict or expand to the time range covered by all events in the dataset.
Default: true

format
Syntax: format=
Description: Used to construct output field names when multiple data series are used in conjunction with a split-by field. The format option takes precedence over the sep option. You can specify a parameterized expression with the stats aggregator and function ($AGG$) and the value of the split-by field ($VAL$).

limit
Syntax: limit=
Description: Specifies a limit for the number of distinct values of the split-by field to return. With the limit and agg options, you can specify series filtering. If you set limit=0, no series filtering occurs and all distinct values are used. Setting limit=N keeps the N highest scoring distinct values of the split-by field. All other values are grouped into the 'OTHER' field, as long as useother is not set to false. Scoring works as follows. If a single aggregation is specified, the score is based on the sum of the values in the aggregation for that split-by value. For example, for timechart avg(foo) BY a split-by field, the avg(foo) values are added up for each value of that field to determine the scores. If multiple aggregations are specified, the score is based on the frequency of each value of the split-by field. For example, for timechart avg(foo) max(bar) BY a split-by field, the top scoring values are the most common values of that field. Ties in scoring are broken lexicographically, based on the value of the split-by field. For example, 'BAR' takes precedence over 'bar', which takes precedence over 'foo'.

partial
Syntax: partial=
Description: Controls if partial time bins should be retained or not. Only the first and last bin can be partial.
Default: true

sep
Syntax: sep=
Description: Used to construct output field names when multiple data series are used in conjunction with a split-by field. This is equivalent to setting format to $AGG$, followed by the sep string, followed by $VAL$.

stats-function
Syntax: The syntax depends on the function that you use.
Description: Statistical functions that you can use with the timechart command. Each time you invoke the timechart command, you can use one or more functions.
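As an added illustration (not Splunk's code and not part of the original page), the following Python models the series-filtering and column-naming rules documented above for limit, useother, format and sep, together with the cont gap filling, over a constructed set of events. The event records, the field names status and bytes, the 60-second span and the AGG_FUNCS table are assumptions made for the example; the model does not cover partial bins, fixedrange, or bin-options beyond a fixed span.

```python
"""Model of the timechart series-filtering and column-naming rules.

Added example, not Splunk's implementation.  Rules followed, as documented:
  - single aggregation: a split-by value's score is the sum of the aggregated
    values across bins; multiple aggregations: the score is the value's frequency
  - ties are broken lexicographically ('BAR' before 'bar' before 'foo')
  - limit=0 keeps every value; otherwise the N top values are kept and the rest
    fall into 'OTHER' unless useother=False
  - with several aggregations, columns are named via format ($AGG$/$VAL$) or,
    failing that, $AGG$<sep>$VAL$; format takes precedence over sep
  - cont=True fills empty time bins between the first and last bin
"""
from collections import defaultdict
from statistics import mean

# Constructed sample events: (epoch seconds, status, bytes) -- assumption
EVENTS = [
    (0, "200", 100), (10, "200", 300), (20, "404", 50),
    (70, "500", 900), (80, "200", 100), (90, "403", 10),
    (130, "404", 60), (140, "404", 70), (150, "200", 200),
]

# Aggregations supported by this toy model (assumption: a small subset)
AGG_FUNCS = {"count": len, "sum": sum, "avg": mean, "max": max}


def bin_events(events, span):
    """Group events into fixed-width time bins keyed by bin start time."""
    bins = defaultdict(list)
    for ts, split_val, value in events:
        bins[ts - ts % span].append((split_val, value))
    return bins


def score_series(bins, aggs):
    """Score each split-by value per the documented single/multiple-agg rules."""
    scores = defaultdict(float)
    for rows in bins.values():
        by_val = defaultdict(list)
        for split_val, value in rows:
            by_val[split_val].append(value)
        for split_val, values in by_val.items():
            if len(aggs) == 1:
                scores[split_val] += AGG_FUNCS[aggs[0]](values)  # sum of per-bin agg values
            else:
                scores[split_val] += len(values)  # frequency of the split-by value
    return scores


def select_series(scores, limit):
    """limit=0 keeps everything; else keep the N highest, ties broken lexicographically."""
    ordered = sorted(scores, key=lambda v: (-scores[v], v))
    return ordered if limit == 0 else ordered[:limit]


def column_name(agg, split_val, fmt=None, sep=":"):
    """format wins over sep; sep is shorthand for the template $AGG$<sep>$VAL$."""
    template = fmt if fmt is not None else "$AGG$" + sep + "$VAL$"
    return template.replace("$AGG$", agg).replace("$VAL$", split_val)


def timechart(events, aggs, span, limit=10, useother=True, cont=True,
              fmt=None, sep=":"):
    """Return one row (dict) per time bin, columns per kept split-by value."""
    bins = bin_events(events, span)
    kept = set(select_series(score_series(bins, aggs), limit))
    starts = sorted(bins)
    if cont:  # fill time gaps with empty bins
        starts = list(range(starts[0], starts[-1] + span, span))
    table = []
    for start in starts:
        row = {"_time": start}
        groups = defaultdict(list)
        for split_val, value in bins.get(start, []):
            key = split_val if split_val in kept else ("OTHER" if useother else None)
            if key is not None:
                groups[key].append(value)
        for key, values in groups.items():
            for agg in aggs:
                # a single aggregation yields plain split-by value columns;
                # several aggregations need format/sep to disambiguate
                name = key if len(aggs) == 1 else column_name(agg, key, fmt, sep)
                row[name] = AGG_FUNCS[agg](values)
        table.append(row)
    return table


if __name__ == "__main__":
    for row in timechart(EVENTS, ["sum", "max"], span=60, limit=1):
        print(row)
```

Running the block keeps only the most frequent status (200) and folds every other status into OTHER, giving columns such as sum:200 and max:OTHER; passing fmt="$VAL$_$AGG$" renames them to 200_sum and OTHER_max without changing the values.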