Process your search results
Process, manipulate, and perform calculations on your search results by adding commands and functions to your SPL2 search.
You can process, manipulate, and perform calculations on your search results by adding commands and functions to your SPL2 search. If you’re using the from command to search your data, then you can also use the optional clauses supported in this command to work with your data.
SPL2 provides a broad and varied range of commands and functions for completing data processing actions on your search results. The following are some examples of data processing actions that use 2 of the most commonly used SPL2 commands: the eval command and the stats command.
For comprehensive information about all of the available SPL2 commands and functions, see the SPL2 Search Reference. In particular, for information about the eval and stats commands used in the examples that follow, see the eval and stats pages in the SPL2 Search Reference.
Evaluate string expressions
You can evaluate string expressions by using the eval command. For example, you can format all the string values in a given field into lowercase.
To add the eval command to your search, enter a pipe ( | ) character followed by this syntax:
eval <field> = <expression>categoryId field into lowercase, and then store the results in a new field called low_category:| Example scenario | Search statement |
|---|---|
|
Using the search command |
|
|
Using the from command, starting with the SELECT clause |
|
|
Using the from command, starting with the FROM clause |
|
Evaluate mathematical expressions
You can also evaluate mathematical expressions by using the eval command. For example, you can convert numerical values from bytes into kilobytes.
To add the eval command to your search, enter a pipe ( | ) character followed by this syntax:
eval <field> = <expression>| Example scenario | Search statement |
|---|---|
|
Using the search command |
|
|
Using the from command, starting with the SELECT clause |
|
|
Using the from command, starting with the FROM clause |
|
Calculate a sum
You can calculate the sum of all the values in a field by using the stats command.
To add the stats command to your search, enter a pipe ( | ) character followed by this syntax:
stats <aggregation>bytes field, and return a single field named sum(bytes) that contains the result:| Example scenario | Search statement |
|---|---|
|
Using the search command |
|
|
Using the from command, starting with the SELECT clause |
|
|
Using the from command, starting with the FROM clause |
|
If you’re using the from command to search your data, then you can choose to specify this calculation in the optional SELECT clause of the command instead of adding a stats command to your search.
| Example scenario | Search statement |
|---|---|
|
Using the from command, starting with the SELECT clause |
|
|
Using the from command, starting with the FROM clause |
|
_time and _raw fields in order to avoid dropping them from the search results. If you run a search in the Search page that drops the _time or _raw fields, the Timeline and Events viewer elements of the Search page do not display as expected.Count the number of distinct values
You can return a count of the distinct values in a field by using the stats command.
To add the stats command to your search, enter a pipe ( | ) character followed by this syntax:
stats <aggregation>actions field for each client IP address. These searches return the clientip field and a field named dc(action) that contains the result.| Example scenario | Search statement |
|---|---|
|
Using the search command |
|
|
Using the from command, starting with the SELECT clause |
|
|
Using the from command, starting with the FROM clause |
|
When using the from command to search your data, you can choose to specify this calculation in the optional SELECT and GROUP BY clauses of those commands instead of adding a stats command to your search.
| Example scenario | Search statement |
|---|---|
|
Using the from command, starting with the SELECT clause |
|
|
Using the from command, starting with the FROM clause |
|
_time and _raw fields in order to avoid dropping them from the search results. If you run a search in the Search page that drops the _time or _raw fields, the Timeline and Events viewer elements of the Search page do not display as expected.Next step
In many cases, when you use an SPL2 command or function to process your data, you create a new field to store the results of the command or function. After multiple data transformations, your events can become bloated with redundant or obsolete fields. Additionally, some fields might be generated with names that are not intuitive, or your processing actions might reframe the data in such a way that some pre-existing field names become removed from context.
For example, after you use an eval command to generate the kbytes field, the bytes field becomes redundant.
As another example, when you use the stats command to calculate an aggregation statistic, the name of the resulting field describes the aggregation function that was used, such as sum(bytes) or dc(action). These field names are not as meaningful or tied to context as names like total_website_traffic or action_categories.
You can sanitize your events by dropping unwanted fields or renaming fields.
To continue building out your search, see Modifying the fields in your search results.