Splunk stats round

Aggregate functions summarize the values from each event to create a single, meaningful value. Common aggregate functions include Average, Count, Minimum, Maximum, Standard Deviation, Sum, and Variance. Most aggregate functions are used with numeric fields. However, there are some functions that you can use with either alphabetic string fields or numeric fields. The function descriptions indicate which functions you can use with alphabetic strings. For an overview, see Overview of SPL2 stats functions.

avg()

This function returns the average, or mean, of the values in a field. You can use this function with the stats, eventstats, streamstats, and timechart commands.

The following example returns the average of the values in the size field for each distinct value in the host field.

The following example returns the average thruput of each host for each 5 minute time span.

| bin _time span=5m
| stats avg(thruput) BY host

The following example displays a timechart of the average of the cpu_seconds field by processor, rounded to 2 decimal places. When you use an eval expression with the timechart command, you must also use a BY clause.

| timechart eval(round(avg(cpu_seconds),2)) BY processor

count()

This function returns the number of occurrences in a field. To use this function, you can specify count(), or the abbreviation c(). This function processes field values as strings. To indicate a specific field value to match, compare the field against that value in the predicate, as the examples below do with status="404". Several of these examples use an eval expression with the count function. See Using eval expressions in stats functions.

The following example returns the count of events where the status field has the value "404", organized by sourcetype.

| stats count(eval(status="404")) AS count_status BY sourcetype

The following example separates the search results into 10 bins on the size field and counts the values in the _raw field for each bin.

| bin size bins=10
| stats count(_raw) BY size

You can use search literals in functions that accept predicate expressions. Search literals are enclosed in backtick characters ( ` ). The following search uses a search literal to count the occurrences of the value 500 in your events, with the results organized by the host field. For more information, see Search literals in expressions.

The following example uses the timechart command to count the events where the action field contains the value purchase, organized by productName.

| from my_dataset where sourcetype="access_*"
| timechart count(eval(action="purchase")) BY productName usenull=f useother=f

dc()

This function returns the count of distinct values in a field. To use this function, you can specify distinct_count(), or the abbreviation dc().

The following example removes duplicate results with the same host value and returns the total count of the remaining results.

The following example generates the distinct count of the values in the devices field. The results are returned in a field called numdevices.

The following search counts the number of different customers who purchased something from the Buttercup Games online store yesterday. The search organizes the count by the type of product, such as accessories, t-shirts, and type of games, that customers purchased.

| from my_dataset where sourcetype="access_*" action=purchase

This example first searches for purchase events, action=purchase. These results are piped into the stats command, where the dc() function counts the number of distinct users who made purchases. The BY clause organizes the distinct count by the category of product, the categoryId.

Extended example

The following example bins the events into five minute spans and then counts the distinct client IP addresses for each host and category.

| bin _time span=5m
| stats dc(clientip) BY host, categoryId

estdc()

This function returns the estimated count of the distinct values in a field. The string values 1.0 and 1 are considered distinct values and counted separately.

The following example removes duplicate results with the same host value in a field, and returns the estimated total count of the remaining results.

The following example generates the estimated distinct count of the devices field and renames the results field to numdevices.

The following example estimates the distinct count for the values in the source field for each sourcetype.
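The avg(), count() and dc() searches above are easier to reason about against a reference implementation, so the following block is an added example in Python; it is not Splunk code and not taken from this page. It emulates `bin _time span=5m` and `stats ... BY ...` with the three functions over constructed access-log events, keeping the two semantics the text calls out: field values are compared as strings (so count(eval(status="404")) matches a status extracted as text, and dc() treats "1" and "1.0" as different values), and events missing a BY field are dropped. Two assumptions are mine: the Buttercup Games search is finished as `stats dc(clientip) BY categoryId`, which the page describes in prose but does not print, and the binned _time is put in the BY clause of the bin examples so that every row is one five-minute span (with `BY host` alone, as printed above, the result is one row per host across all spans). The detection threshold in `noisy_spans` is also an assumed value.

```python
"""Added example (not Splunk's code): a small emulation of the SPL2
stats pipelines on this page, over constructed events, so the BY grouping,
5-minute binning and string semantics of count()/dc() can be checked offline."""
from collections import defaultdict

T0 = 1_699_999_800  # constructed base time, already on a 5-minute boundary


def ev(offset, host, ip, cat, action, status, thruput, sourcetype="access_combined"):
    """Build one constructed event; None means the field is absent, as in a
    raw event where extraction found nothing. Values are kept as strings
    because Splunk extracts field values as strings."""
    fields = {"_time": T0 + offset, "host": host, "clientip": ip, "categoryId": cat,
              "action": action, "status": status, "thruput": thruput, "sourcetype": sourcetype}
    return {k: v for k, v in fields.items() if v is not None}


EVENTS = [  # constructed sample data
    ev(10, "web1", "10.0.0.1", "ACCESSORIES", "purchase", "200", "100"),
    ev(20, "web1", "10.0.0.2", "ACCESSORIES", "purchase", "200", "200"),
    ev(30, "web1", "10.0.0.1", "TEE", "view", "404", "50"),
    ev(40, "web1", "10.0.0.3", "ACCESSORIES", "purchase", "404", "150"),
    ev(310, "web1", "10.0.0.1", "ACCESSORIES", "purchase", "200", "300"),
    ev(320, "web2", "10.0.0.9", "STRATEGY", "purchase", "500", "400"),
    ev(330, "web2", "10.0.0.9", "STRATEGY", "purchase", "200", "200", "access_custom"),
    ev(50, None, "10.0.0.4", None, "purchase", "404", "10", "access_custom"),  # no host
]


def bin_time(events, span_seconds):
    """Emulate `bin _time span=<n>`: floor _time to the span boundary."""
    return [dict(e, _time=e["_time"] - e["_time"] % span_seconds) for e in events]


def count(predicate=None):
    """count() or count(eval(<predicate>)); the predicate sees string values."""
    return lambda group: sum(1 for e in group if predicate is None or predicate(e))


def dc(field):
    """dc(<field>): distinct values compared as strings, so "1" and "1.0" differ."""
    return lambda group: len({str(e[field]) for e in group if field in e})


def avg(field, digits=None):
    """avg(<field>); digits emulates wrapping it as eval(round(avg(<field>), digits))."""
    def agg(group):
        vals = [float(e[field]) for e in group if field in e]
        if not vals:
            return None
        mean = sum(vals) / len(vals)
        return mean if digits is None else round(mean, digits)
    return agg


def stats(events, aggs, by=()):
    """Emulate `stats <agg> AS <name>, ... BY <fields>`: one row per group,
    sorted by group key. Events missing any BY field are dropped."""
    groups = defaultdict(list)
    for e in events:
        if all(f in e for f in by):
            groups[tuple(str(e[f]) for f in by)].append(e)
    rows = []
    for key in sorted(groups):
        row = dict(zip(by, key))
        row.update({name: agg(groups[key]) for name, agg in aggs.items()})
        rows.append(row)
    return rows


def status_404_by_sourcetype(events=EVENTS):
    """| stats count(eval(status="404")) AS count_status BY sourcetype"""
    return stats(events, {"count_status": count(lambda e: e.get("status") == "404")},
                 by=("sourcetype",))


def avg_thruput_5m(events=EVENTS):
    """| bin _time span=5m | stats avg(thruput) BY _time, host   (rounded to 2 places;
    the binned _time is in the BY clause so each row is one 5-minute span)"""
    return stats(bin_time(events, 300), {"avg(thruput)": avg("thruput", digits=2)},
                 by=("_time", "host"))


def dc_clientip_5m(events=EVENTS):
    """| bin _time span=5m | stats dc(clientip) BY _time, host, categoryId"""
    return stats(bin_time(events, 300), {"dc(clientip)": dc("clientip")},
                 by=("_time", "host", "categoryId"))


def purchases_by_category(events=EVENTS):
    """| from ... where sourcetype="access_*" action=purchase | stats dc(clientip) BY categoryId
    (the stats clause is assumed from the page's description of the Buttercup Games search)"""
    hits = [e for e in events
            if e["sourcetype"].startswith("access_") and e.get("action") == "purchase"]
    return stats(hits, {"dc(clientip)": dc("clientip")}, by=("categoryId",))


def noisy_spans(events=EVENTS, threshold=3):
    """Detection use of the extended example: spans in which one host/category
    was hit by at least `threshold` distinct client IPs (assumed threshold)."""
    return [r for r in dc_clientip_5m(events) if r["dc(clientip)"] >= threshold]
```

Group keys come back as strings because that is how Splunk renders BY fields; the dropped eighth event shows why a detection built on `stats ... BY host` silently ignores events whose host extraction failed, which is worth a separate `where isnull(host)` check in practice.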

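The estdc() section says only that the distinct count is estimated. The usual way to produce such an estimate is a cardinality sketch, and the following block is an added example in Python of a minimal HyperLogLog-style sketch next to an exact dc(), so the trade-off is visible: a fixed array of small registers instead of a copy of every distinct value, in exchange for a few percent of error. It is not Splunk's implementation and the page does not say which algorithm Splunk uses; the register count (4096), the hash (SHA-256 truncated to 64 bits) and the device-id stream are my choices, and both counters hash the string form of each value, which is why "1" and "1.0" are counted separately, as the page states.

```python
"""Added example (not Splunk's implementation): exact dc() beside a
HyperLogLog-style estimate of the kind estdc() returns, on a constructed
stream of device ids."""
import hashlib
import math

P = 12            # register index width; 2**12 = 4096 registers (assumed)
M = 1 << P
W = 64 - P        # bits left after the index is taken from the 64-bit hash


def _hash64(value):
    """64-bit hash of the value's string form, so "1" and "1.0" differ
    but "1" and 1 do not (Splunk treats field values as strings)."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest()[:8], "big")


class HyperLogLog:
    """Minimal HLL: each register keeps the longest run of leading zero bits
    seen in the hashes routed to it; long runs imply many distinct inputs."""

    def __init__(self):
        self.registers = [0] * M

    def add(self, value):
        h = _hash64(value)
        idx = h >> W                          # top P bits choose the register
        rest = h & ((1 << W) - 1)             # remaining W bits
        rank = W - rest.bit_length() + 1      # 1 + number of leading zeros in rest
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def estimate(self):
        alpha = 0.7213 / (1 + 1.079 / M)      # standard bias constant for M >= 128
        raw = alpha * M * M / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * M and zeros:          # small-range correction: linear counting
            return M * math.log(M / zeros)
        return raw


def exact_dc(values):
    """dc(): exact distinct count; must hold every distinct value in memory."""
    return len({str(v) for v in values})


def estdc(values):
    """estdc(): approximate distinct count from a sketch of fixed size."""
    hll = HyperLogLog()
    for v in values:
        hll.add(v)
    return round(hll.estimate())


def compare_counts(n=10_000, repeats=3):
    """Constructed stream: n distinct device ids, each seen `repeats` times.
    Returns (exact, estimate); the estimate is typically within a few percent."""
    stream = [f"device-{i}" for i in range(n)] * repeats
    return exact_dc(stream), estdc(stream)
```

Repeating a value never changes a register, so duplicates do not inflate the estimate; the error comes only from hash collisions and the statistics of leading-zero runs, which is why Splunk can offer estdc() at a fraction of the memory of dc() on high-cardinality fields.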