Addfields Command

Use the addfields command to generate aggregated data within groups identified by the link command. The output of the command includes one field for each aggregation in the stats sub-query.

You can use the addfields command with the run-time fields generated by the stats, eventstats, and eval commands.

Syntax

* | link <field_name> | addfields <subquery> [, <subquery>]

where subquery can be expanded as follows: [ <logical_expression> / <boolean_expression> | <eventstats_functions> / <stats_functions> ]

Parameters

The following table lists the parameters used in this command, along with their descriptions.

logical_expression, boolean_expression:
    Each sub-query must begin with a logical or a boolean expression to select a subset of data within each group. See Search Command and Where Command for details on the expressions.

eventstats_functions:
    The eventstats functions to apply on group properties. See Eventstats Command for details on the available functions.

stats_functions:
    The stats functions to apply on the selected data. See Stats Command for details on the available functions.

For examples of using this command in typical scenarios, see:

The following command returns counts based on entity name pattern for each entity type:

* | link 'Entity Type'
| addfields
    [ substr(Entity, 0, 3) = 'adc' | stats count as 'ADC Count' ],
    [ substr(Entity, 0, 3) = 'slc' | stats count as 'SLC Count' ]
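To make the semantics of the command above concrete, here is an added Python model of link followed by addfields (example code written for this page, not part of Logging Analytics); it runs over constructed records and shows that each sub-query's expression filters rows only inside its own link group, and that a group with no matching rows still receives the field with a count of 0.

```python
# Added example: a small model of `link` + `addfields` over constructed log records.
# The record layout and the link/addfields helpers are assumptions for illustration.
from collections import OrderedDict

# Constructed sample records; 'Entity Type' is the link field, Entity carries the name pattern.
RECORDS = [
    {"Entity Type": "Host", "Entity": "adc-host-1"},
    {"Entity Type": "Host", "Entity": "adc-host-2"},
    {"Entity Type": "Host", "Entity": "slc-host-1"},
    {"Entity Type": "Database", "Entity": "slc-db-1"},
    {"Entity Type": "Database", "Entity": "slc-db-2"},
    {"Entity Type": "Database", "Entity": "xyz-db-3"},
]


def link(records, field):
    """Group records by the link field, preserving first-seen order (one group row each)."""
    groups = OrderedDict()
    for rec in records:
        groups.setdefault(rec[field], []).append(rec)
    return groups


def addfields(groups, link_field, subqueries):
    """Each sub-query is (predicate, field_name, stats_fn): the predicate is the
    logical expression that selects rows inside the group, and stats_fn is the
    stats function applied to only those rows. Returns one row per link group."""
    rows = []
    for key, recs in groups.items():
        row = {link_field: key}
        for predicate, name, stats_fn in subqueries:
            selected = [r for r in recs if predicate(r)]
            # A group with no matching rows still gets the field (0 here), so every
            # row carries the same set of columns for downstream commands.
            row[name] = stats_fn(selected)
        rows.append(row)
    return rows


def count(recs):
    return len(recs)


def entity_prefix_counts(records=RECORDS):
    """Model of: * | link 'Entity Type' | addfields [ substr(Entity, 0, 3) = 'adc' |
    stats count as 'ADC Count' ], [ substr(Entity, 0, 3) = 'slc' | stats count as 'SLC Count' ]"""
    return addfields(link(records, "Entity Type"), "Entity Type", [
        (lambda r: r["Entity"][:3] == "adc", "ADC Count", count),
        (lambda r: r["Entity"][:3] == "slc", "SLC Count", count),
    ])
```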

The following command computes the average content size and the earliest severity for each entity type, then uses an eventstats sub-query to add the first content size by severity for the Cluster Database entity type:

* | link 'Entity Type'
| stats avg('Content Size') as 'Content Size', earliest(Severity) as Severity
| addfields
    [ * | where 'Entity Type' = 'Cluster Database'
        | sort 'Content Size'
        | eventstats first('Content Size') by Severity
    ]

Identify the last event using the row number:

'Log Source' = 'Database Alert Logs' and Label != null and Entity = MyDB
| rename Entity as Database
| link span = 1minute Time, Database, Label
| sort Database, 'Start Time'
| eventstats rownum as 'Row Number' by Database
| addfields
    [ * | where Label = 'Abnormal Termination'
        | eventstats last('Row Number') as 'Crash Row'
    ]