

"info_min_time" - the earliest time bound for the search \i\ \i\
Currently the following fields are added: \i\
The addinfo command is primarily an internal component of summary indexing.
Syntax = addcoltotals (labelfield=)? (label=)?
Comment = Add information about the search to each event.
Description = Adds global information about the search to each event.
Shortdesc = Appends a new result to the end of the search result set.
| addcoltotals labelfield=change_name label=ALL
Example2 = sourcetype=access_* | table userId bytes avgTime duration | addcoltotals bytes duration
Example3 = index=_internal source=*metrics.log group=pipeline |stats avg(cpu_seconds) by processor |addcoltotals labelfield=processor
Is specified, a column is added to the statistical results table with the name
Example1 =.
Results are displayed on the Statistics tab.
The result contains the sum of each numeric field or you can specify which fields
Shortdesc = Keeps a running total of a specified numeric field.
Comment1 = Compute the sums of all the fields, and put the sums in a summary event called "change_name".
Comment2 = Add a column total for two specific fields in a table.
Comment3 = Augment a chart with a total of the values present.
Description = Appends a new result to the end of the search result set.
Related = autoregress, delta, streamstats, trendline
Tags = condense summarize summary outline pare prune shorten skim snip sum trim
Comment1 = Save the running total of "count" in a field called "total_count".
Description = For each event where is a number, keep a running total of the sum of this number and write it out to either the same field, or a new field if specified.
Example1 =.
Syntax = abstract (maxterms=)? (maxlines=)?
Shortdesc = Shortens the text of results to a brief summary representation.
If the text of a result has fewer lines or an equal number of lines to maxlines, no change will occur.\i\
When there are gaps between the selected lines, lines are prefixed with ".".
If a line has a search term, its neighboring lines also partially match, and may be returned to provide context.

If the event is larger than the selected maxlines, those with more terms and more terms on adjacent lines are preferred over those with fewer terms.
The original text is replaced by the summary, which is produced by a scoring mechanism.
# the output from running "/opt/splunk/bin/splunk btool searchbnf list" on a fairly default Splunk 7.2 instance
Commentcheat = Show a summary of up to 5 lines for each search result.
Description = Produce an abstract - a summary or brief representation - of the text of search results.
