Understand the Search Commands
The Search Language for analyzing the logs allows you to specify what action to perform on the search results.
Commands can be either search commands or statistical commands.
Search Commands
Search commands are those commands which further filter the available log entries.
The following table lists the search commands and provides a brief description of each.
| Command | Description |
|---|---|
addfields |
Use this command to generate aggregated data within groups identified by the link command.
See Addfields Command. |
addinsights |
Use this command to view additional insight
information in each log record.
See Addinsights Command. |
bottom |
Use this command to display a specific number of results with the lowest aggregated value as determined by the specified field.
See Bottom Command. |
bucket |
Use this command to group the log records into buckets based on the range of
values of a field.
See Bucket Command. |
classify |
Use this command to cluster properties of groups identified by the link command.
See Classify Command. |
cluster |
Use this command to group similar log records.
See Cluster Command. |
clustercompare |
Use this command to compare one cluster collection with another, and for viewing the clusters that exist exclusively in the current range versus clusters that exist exclusively in the baseline range. |
clusterdetails |
Use this command to return similar log records. |
clustersplit |
Use this command to view the log data within a cluster for specific classify
results in the tabular format.
See Clustersplit Command. |
compare |
Use this command to compare properties generated by
the link command over the comparison intervals
specified.
See Compare Command. |
createview |
Use this command to define a subquery to create a
subset of groups identified by the link command.
See Createview Command. |
distinct |
Use this command to remove duplicates from the returned results.
See Distinct Command. |
eval |
Use this command to calculate the value of an expression and display the value in a new field.
See Eval Command. |
eventstats |
Use this command to obtain overall summary
statistics, optionally grouped by fields, on properties of groups
identified by the link command. Its output will
include one field for each aggregation.
See Eventstats Command. |
fields |
Use this command to specify which fields to add or remove from the results.
See Fields Command. |
fieldsummary |
Use this command to return data for the specified fields.
See Fieldsummary Command. |
head |
Use the head command to display the first n number of results.
See Head Command. |
highlightgroups |
Use this command to match strings or search criteria
on the properties of the groups identified by the
link command, and causes them to be highlighted
in the link visualization.
|
highlightrows |
Use this command to match a string or a list of strings, and highlight the entire row in the Log UI. |
highlight |
Use this command to match a string or a list of strings, and highlight them in the Log UI.
See Highlight Command. |
link |
Use this command to group log records into high level business transactions.
See Link Command. |
lookup |
Use this command to invoke field value lookups.
See Lookup Command. |
map |
Use this command to join a view with the groups
identified by the link command to create new
properties.
See Map Command. |
nlp |
Use this command to apply natural language
processing algorithms to a text field.
See NLP Command. |
regex |
Use this command to filter data according to a specified regular expression.
See Regex Command. |
rename |
Use this command to change the name of a field.
See Rename Command. |
search |
Use this command to retrieve a specific logical expression from the available log data.
See Search Command. |
searchLookup |
Use this command to retrieve contents from a lookup table.
See SearchLookup Command. |
sort |
Use this command to sort logs according to specified fields.
See Sort Command. |
tail |
Use this command to display the last n number of results.
See Tail Command. |
timecluster |
Use this command to group the time-series charts
together based on how similar they are to one another.
See Timecluster Command. |
top |
Use this command to display a specified number of results with the highest aggregated value as determined by the specified field.
See Top Command. |
where |
Use this command to calculate the value of an expression to be true or false.
See Where Command. |
Statistical Commands
Statistical commands perform statistical operations on the search results.
The following table lists the supported statistical commands, and provides a short description for each.
| Commands | Description |
|---|---|
distinct |
Use this command to remove duplicate entries from the search results.
See Distinct Command. |
stats |
Use this command to provide summary statistics for the search results, optionally grouped by a specified field.
See Stats Command. |
timestats |
Use this command to generate data for displaying statistical trends over time, optionally grouped by a specified field.
See Timestats Command. |