![]() The table command is a transforming command. For example, if you want to specify all fields that start with "value", you can use a wildcard such as value*. You can use the asterisk ( * ) as a wildcard to specify a list of fields with similar names. ![]() The list can be space-delimited or comma-delimited. Description: A list of valid field names. With the exception of a scatter plot to show trends in the relationships between discrete values of your data, you should not use the table command for charts. Use table command when you want to retain data in tabular format. The table command is similar to the fields command in that it lets you specify the fields you want to keep in your results. Columns are displayed in the same order that fields are specified. The pie chart implies that the value for views is 1 part of the total, when in fact views is the total.The table command returns a table that is formed by only the fields that you specify in the arguments. Using a pie chart implies that views is an action like addtocart and purchases. The views is a total count of all the actions, not just the addtocart and purchases actions. In this particular example, using a pie chart is misleading. Now these rows can be displayed in a column or pie chart where you can compare the values. Sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases | transpose Use the transpose command to convert the columns of the single row into multiple rows. If you change to a pie chart, you see only the "views". Because the information about the views is placed on the X axis, this chart is confusing. When you switch to the Visualization tab, the data displays a chart with the "34282 views" as the X axis label and two columns, one for "addtocart "and one for "purchases". The values for addtocart and purchases show the number of events for those specific actions. The value for count AS views is the total number of the events that match the criteria sourcetype=access_* status=200, or the total count for all actions. This search produces a single row of data. Sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases Search all successful events and count the number of views, the number of times items were added to the cart, and the number of purchases.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |