Commands Flashcards
| fields
fields
Include or exclude fields in search
Ex: | fields [field]
You can add + or - to include or exclude
Ex: | fields -status
| rename
rename
Rename names in search
Ex: | rename [field] as "[New name]"
You can do multiple
Ex: | rename status as "New Status", count as "New Count"
| eval
eval
Calculate field values
Ex: | eval [new name] = [the field]/[number]
| stats
stats
Ex: | stats sum(data)
erex | rex
Field extraction from data (rex uses a regular expression with named capture groups)
rex Ex: [a-zA-Z:]+"(?P<Character>[a-zA-Z0-9.-]+)"
table
Displays a table of selected data
Ex: | table JSESSIONID price product_name
|dedup
Removes duplicates
EX: | dedup JSESSIONID
addtotals
Computes the sum of the rows or columns
Rows EX: | addtotals
Col EX: | addtotals col=true label="Total Sales" labelfield="product_name" fieldname="Total By Product"
fieldformat
Changes the look but not the underlying data
Ex: | fieldformat Total = "$" + tostring(Total, "commas")
Transforming Commands
top, rare, stats, chart, timechart, trendline
| top - returns the top 10 (most common) values
| rare - shows the least common values
timechart
Line graph output
trendline
trendline
Computes moving averages of field values, needs a trend type
|trendline wma2(sales) as trend
wma - type
2 - time period (2 days)
trendline types
simple, exponential and weighted
sma, ema, wma
iplocation
Adds location info from a 3rd-party database
geostats
Use the data from | iplocation
Ex: | geostats latfield=[] longfield=[] count