1) To answer the exact question you asked: In a rex command, the default field to be analyzed is _raw, so technically, that field=_raw clause simply makes the default explicit, and has no other effect on the function of the rex.

2) The overall search says, "look for events in this index and sourcetype that do not have an SAF process started record in the last 24 hours." The function of the rex is to extract those SAF_pool values from all relevant events in the last 24 hours.

3) Please mark your code when posting. There are three easy methods: (a) put grave accents (the one on the ~ key) before and after small snippets of text; (b) put at least four spaces on the line before each line of code, and a blank line before them; (c) highlight the code and press the "code" button (101 010).

My guess is that your rex really reads like this.

That breaks down as "from the beginning of the line, throw away everything that is not an open brace or carriage return, until you get to an open brace. After that, match one or more word characters, a hyphen, and one or more digits." As such, your SAF_pool numbers are probably in the format ABCD-123, up to and including something as weird as AB1_cD-00123. If the prefix is always going to be alpha, then change the \w+ to +.

4) Now here's a breakdown on your entire search code.

First, when there are subsearches, you always read the code from the innermost square braces.

search index=vha_pronto sourcetype=pronto_neopil_prd "SAF process started"

My guess is that the rex really reads like this. If I am correct, then what that rex is doing is extracting the SAF_pool information from the events selected by that subsearch. The subsearch brackets will then feed back the answer in a form that looks like this, for all pools started in the last 24 hours. If you want to know why it turns into that format, look at the documentation for the "format" command.

After returning those values, the rest of the search then looks like this.

index=vha_pronto sourcetype=pronto_neopil_prd NOT ( ( SAF_Pool="ABC-123" ) OR ( SAF_pool="XYZ-456" ) OR ...

Which, as I said before, is basically asking "show me events in an SAF_pool that was started more than 24 hours ago."

The following tables list all the search commands, categorized by their usage. Some commands fit into more than one category based on the options that you specify.

These commands can be used to build correlation searches.
Appends subsearch results to current results.
Appends the fields of the subsearch results to current results, first results to first result, second to second, etc.
Appends the result of the subpipeline applied to the current result set to results.
Finds association rules between field values.
Builds a contingency table for two fields.
Calculates the correlation between different fields.
Returns the difference between two search results.
Combines the results from the main results pipeline with the results from a subsearch.
Performs set operations (union, diff, intersect) on subsearches.
Provides statistics, grouped optionally by fields.

These commands can be used to learn more about your data, add and delete data sources, or manage the data in your summary indexes.

These commands return information about the data you have in your indexes. They do not modify your data or indexes in any way.
Returns information about a data model or data model object.
Returns information about the specified index.
Returns the number of events in an index.