Returns the specified number of rows (search results) as columns (list of field values), such that each search row becomes a column.

Optional arguments

column_name
Syntax: column_name=
Description: The name of the first column that you want to use for the transposed rows. This column contains the names of the fields.
Default: column

header_field
Syntax: header_field=
Description: The field in your results to use for the names of the columns (other than the first column) in the transposed data.

include_empty
Syntax: include_empty=
Description: Specify whether to include (true) or not include (false) fields that contain empty values.
Default: true

int
Syntax:
Description: Limit the number of rows to transpose. To transpose all rows, specify | transpose 0, which indicates that the number of rows to transpose is unlimited.

When you use the transpose command, the field names used in the output are based on the arguments that you use with the command. By default the field names are: column, row 1, row 2, and so forth.

Examples

1. Use the default settings for the transpose command to transpose the results of a chart command.

sourcetype=access_* status=200 | chart count BY host

The search produces the following search results:

When you add the transpose command to the end of the search, the results look something like this:

2. Count the number of events by sourcetype and transpose the results to display the 3 highest counts

Count the number of events by sourcetype and display the sourcetypes with the highest count first.

index=_internal | stats count by sourcetype | sort -count

Use the transpose command to convert the rows to columns and show the source types with the 3 highest counts.

index=_internal | stats count by sourcetype | sort -count | transpose 3

3. Transpose a set of data into a series to produce a chart

This example uses the sample dataset from the Search Tutorial. Download the data set from Add data tutorial and follow the instructions to get the tutorial data into your Splunk deployment.

Search all successful events and count the number of views, the number of times items were added to the cart, and the number of purchases.

sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases

This search produces a single row of data.

The value for count AS views is the total number of the events that match the criteria sourcetype=access_* status=200, or the total count for all actions. The values for addtocart and purchases show the number of events for those specific actions.