Addfields Command
Use the addfields command to generate aggregated data within groups identified by the link command. The output of the command includes one field for each aggregation in the stats sub-query.
You can use the addfields command with the run-time fields that are generated using the stats, eventstats, and eval commands.
Syntax
* | link <field_name> | addfields <subquery> [, <subquery>]
where subquery can be expanded as follows:
[ <logical_expression> / <boolean_expression> | <eventstats_functions> / <stats_functions> ]
Parameters
The following table lists the parameters used in this command, along with their descriptions.
Parameter | Description |
---|---|
logical_expression / boolean_expression | Each sub-query must begin with a logical or a boolean expression to select a subset of data within each group. See Search Command and Where Command for details on the expressions. |
eventstats_functions | The eventstats functions to apply on group properties. See Eventstats Command for the details on the available functions. |
stats_functions | The stats functions to apply on the selected data. See Stats Command for details on the available functions. |
For examples of using this command in typical scenarios, see:
- Link by Using SQL Statement as the Field of Analysis in Using Oracle Log Analytics
- Analyze the Time Taken Between Steps in a Transaction in Using Oracle Log Analytics
- Use Link Navigation Functions to Identify Events in a Database in Using Oracle Log Analytics
The following command returns counts based on entity name pattern for each entity type:
* | link 'Entity Type'
| addfields
[ substr(Entity, 0, 3) = 'adc' | stats count as 'ADC Count' ],
[ substr(Entity, 0, 3) = 'slc' | stats count as 'SLC Count']
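A Python model of what the query above computes, added here as an illustration and not Oracle's implementation. The sample records, the names link_addfields and prefix_is, the reading of substr(Entity, 0, 3) as the first three characters, and the value 0 for groups with no match are assumptions.

```python
from collections import defaultdict

# Constructed sample log records (not from the original page).
RECORDS = [
    {"Entity Type": "Host (Linux)", "Entity": "adc01.example.com"},
    {"Entity Type": "Host (Linux)", "Entity": "adc02.example.com"},
    {"Entity Type": "Host (Linux)", "Entity": "slc07.example.com"},
    {"Entity Type": "Cluster Database", "Entity": "slcdb1"},
    {"Entity Type": "Cluster Database", "Entity": "prod-db"},
]

def link_addfields(records, link_field, subqueries):
    """Model of `* | link <field> | addfields [..], [..]`.

    subqueries maps an output field name to (predicate, aggregate):
    the predicate selects a subset of each group's records and the
    aggregate reduces that subset to a single value.
    """
    groups = defaultdict(list)
    for rec in records:                       # link: group by the field
        groups[rec[link_field]].append(rec)

    rows = []
    for key, members in groups.items():
        row = {link_field: key}
        for out_field, (predicate, aggregate) in subqueries.items():
            subset = [r for r in members if predicate(r)]
            # One output field per aggregation; an empty subset gives 0
            # here (assumption, the product may show an empty value).
            row[out_field] = aggregate(subset)
        rows.append(row)
    return rows

def prefix_is(prefix):
    # Assumption: substr(Entity, 0, 3) yields the first three characters.
    return lambda rec: rec["Entity"][0:3] == prefix

RESULT = link_addfields(
    RECORDS,
    "Entity Type",
    {
        "ADC Count": (prefix_is("adc"), len),
        "SLC Count": (prefix_is("slc"), len),
    },
)

if __name__ == "__main__":
    for row in RESULT:
        print(row)
```

Each group keeps its link field and gains one column per sub-query, which is the shape the command description refers to as "one field for each aggregation".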
The following command returns counts based on entity name pattern for each entity type:
* | link 'Entity Type'
| stats avg('Content Size') as 'Content Size', earliest(Severity) as Severity
| addfields
[ * | where 'Entity Type' = 'Cluster Database'
| sort 'Content Size'
| eventstats first('Content Size') by Severity
]
Identify the last event using the row number:
'Log Source' = 'Database Alert Logs' and Label != null and Entity = MyDB
| rename Entity as Database
| link span = 1minute Time, Database, Label
| sort Database, 'Start Time'
| eventstats rownum as 'Row Number' by Database
| addfields
[ * | where Label = 'Abnormal Termination'
| eventstats last('Row Number') as 'Crash Row'
]