sirare
Summary indexing is a method you can use to speed up long-running searches that do not qualify for report acceleration, such as searches that use commands that are not streamable before the reporting command. For more information, see "About report acceleration and summary indexing" and "Use summary indexing for increased reporting efficiency" in the Knowledge Manager Manual.
Description
The sirare command is the summary indexing version of the rare command, which returns the least common values of a field or combination of fields. The sirare command populates a summary index with the statistics necessary to generate a rare report. After you populate the summary index, use the regular rare command with the exact same search string as the rare command search to report against it.
Syntax
sirare [<top-options>...] <field-list> [<by-clause>]
Required arguments
<field-list>
Syntax: <string>,...
Description: Comma-delimited list of field names.
Optional arguments
<by-clause>
Syntax: BY <field-list>
Description: The name of one or more fields to group by.
<top-options>
Syntax: countfield=<string> | limit=<int> | percentfield=<string> | showcount=<bool> | showperc=<bool>
Description: Options that specify the type and number of values to display. These are the same <top-options> used by the rare and top commands.
Top options
countfield
Syntax: countfield=<string>
Description: Name of a new field to write the value of count.
Default: "count"
limit
Syntax: limit=<int>
Description: Specifies how many tuples to return. A value of "0" returns all values.
percentfield
Syntax: percentfield=<string>
Description: Name of a new field to write the value of percentage.
Default: "percent"
showcount
Syntax: showcount=<bool>
Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
Default: true
showperc
Syntax: showperc=<bool>
Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
Default: true
Examples
Example 1:
Compute the necessary information to later do 'rare foo bar' on summary indexed results.
... | sirare foo bar