A dataset is a collection of data that you either want to search or that contains the results from a search. Some datasets are permanent and others are temporary. Every dataset has a specific set of native capabilities associated with it, which is referred to as the dataset kind.

To specify a dataset in a search, you use the dataset name. If the dataset is in a different module, you specify the module name and the dataset name.

When you add data to the Splunk platform, the data is stored in indexes on disk. Lookups and views are other examples of permanent datasets.

Each permanent dataset within a module must have a unique name.

The built-in datasets are a set of permanent datasets that you can use. For example, the default dataset for events ingested into the Splunk platform is the main index. The default dataset for metrics ingested into the Splunk platform is the metric index.

For a complete list of the built-in datasets, see Built-in datasets.

Most of the time when you specify a dataset in a search, you use the name of a permanent dataset. However, there are situations in which you might want to use a temporary dataset. For example, you might want to use a temporary dataset in an ad hoc search to test that the search processing language (SPL) is returning the type of results you want.

A temporary dataset is a piece of unsaved, stand-alone SPL. You can use a temporary dataset anywhere that you can specify a permanent dataset.

A temporary dataset must be enclosed in square brackets ( [ ] ).

| FROM main WHERE population > 5000000 SELECT state

Instead of specifying the main dataset, which is a permanent dataset, you can specify a dataset literal:

A dataset literal is one example of a temporary dataset. Here are some other examples of temporary datasets:

Datasets created using a dataset function.

Most temporary datasets are unnamed datasets. When you run a search, a temporary job dataset is created to hold the search results. The job dataset has a search ID (sid), which is the name of the job dataset.

All datasets have a dataset kind. Each dataset kind has a specific set of native capabilities, such as filtering or aggregation.

For example, with a dataset that has the metric index kind you can perform some aggregation when you specify the dataset. However, with a dataset that has the index kind, which is an event index, you cannot perform aggregation. Instead, you must add an aggregating clause or command to perform aggregation. For example, you must use the WHERE clause in the from command or the stats command in your search.

The following table shows the built-in dataset kinds:

A time-series index (tsidx) for storing event data.
A metrics index (msidx) for storing metric data.