

For an overview about the stats and charting functions, see Overview of SPL2 stats and chart functions.

The dataset function aggregates events into arrays of SPL2 field-value objects. You can use this function in the SELECT clause in the from command and with the stats command.

There are three supported syntaxes for the dataset() function:

- Called with no arguments, the function returns all of the fields in the events that match your search criteria.
- Called with a list of fields, the function returns only the specified fields in each event that match your search criteria. The list of fields must be a comma-separated list.
- The third syntax removes the group by field from the arrays that are generated. Use it only with a BY clause, such as the GROUPBY clause in the from command or the BY clause with the stats command. When used with the GROUPBY clause, include the group by field in the SELECT clause.

You can return all of the fields in the events or only the specified fields that match your search criteria.

Different output based on the BY clause used

When you specify a BY clause field, the results are organized by that field. The values in the group by field are included in the array. However, the output you see depends on whether you use the GROUPBY clause with the from command or the BY clause with the stats command:

- The GROUPBY clause in the from command returns only one field that contains the arrays, unless you specifically add the group by field to the SELECT clause.
- The BY clause in the stats command returns two fields. One field contains the values from the BY clause field and another field contains the arrays.

For an illustration of this behavior, see the examples below that include a BY clause.

Examples

1. Return all fields and values in a single array

You can create a dataset array from all of the fields and values in the search results. Use the dataset function to create an array from all of the fields and values using the following search:

The list function returns a multivalue entry from the values in a field. The order of the values reflects the order of the events.
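The following searches are an added example and are not part of the Splunk documentation above. They assume a hypothetical index named web whose events carry host, status and uri fields; the stats forms use syntax the page describes, while the from form with SELECT and GROUPBY is written as this editor's assumption of the clause layout and should be checked against the from command reference.

```spl2
// Added example (not from the documentation page). Assumes a hypothetical
// index "web" with host, status and uri fields on each event.

// 1. No arguments: one array holding every field and value of each matching event.
from web
| stats dataset()

// 2. A comma-separated field list: only status and uri are kept in each
//    field-value object. With the stats BY clause the output has two fields,
//    host and the field holding the arrays, and host is also repeated inside
//    each array.
from web
| stats dataset(status, uri) BY host

// 3. Same grouping via the from command (clause layout assumed): GROUPBY
//    alone returns only the array field, so host is added to SELECT here to
//    keep the group value visible as its own column.
from web
select host, dataset(status, uri)
groupby host
```

Use search 2 when you want the group value as a separate column for later filtering, and the from form when a single array field is enough; the page's third syntax, which strips the group by field out of the generated arrays, is the one to reach for when the repeated host value inside each array is unwanted.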
