![]() This search looks for events where the field foo is equal to the field bar. You cannot do that with the search command. One advantage of the where command is that you can use it to compare two different fields. See the like (, ) function in the list of Comparison and Conditional eval functions. In this example, the where command returns search results for values in the ipaddress field that start with 198. Use the underscore ( _ ) character as a wildcard to match a single character.Use the percent ( % ) symbol as a wildcard for matching multiple characters.With the where command, you must use the like function. You can use wildcards to match characters in string values. Typically you use the where command when you want to filter the result of an aggregation or a lookup. You can save this search as a dashboard panel or a report.The where command is identical to the WHERE clause in the from command. Switch to the Visualization tab and change the chart type to Pie Chart. You can also show the results in a chart. The results appear on the Statistics tab and show the counts for how many events have Purchase Related activity and how many have Other types of activity. The stats command counts the Purchase Related and Other values in the activity field.If the action field in an event contains any other value, the value Other is placed in the activity field.If the action field in an event contains the value addtocart or purchase, the value Purchase Related is placed in the activity field. ![]() The eval command creates a new field called activity.| eval activity=if(IN(action, "addtocart","purchase"),"Purchase Related","Other") Then the stats command performs a calculation. In the following example, the IN function is used with the IF function to evaluate the action field. We'll use the access.log file that is included with the Search Tutorial data. Let's go through an example where you can use the IN function as the first parameter for the IF function. ![]() The eval command cannot accept Boolean values, you must use the IN function inside another function that can process the Boolean values returned by the IN function. Using the IN function with the eval command is different than using IN with the where command. Because the codes are string values (not numeric values), you must enclose each value in quotation marks. The values in the status field are HTTP status codes. The following example uses the where command to return IN=TRUE if one of the values in the status field matches one of the values in the list. ![]() Let's start with the where command because it is fairly straight-forward. The IN function is shown in this blog in uppercase in the syntax and examples for clarity. Note: The IN function, unlike the IN operator, can be specified in upper or lowercase. | eval new_field=if(IN(field,"value1","value2".
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |