Search Anywhere Framework Language
A
addinfo
Adds fields to each record containing general search information: the start and end time boundaries of the search, the start time of the execution, and its ID.
aggs
Performs statistical operations on data using internal storage mechanisms.
append
Appends the results of the subsearch given inside the append command to the main results.
B
bin
Splits continuous numeric values into discrete sets (bins) based on the specified field <field>.
C
chart
Returns results in table format.
clicksource
Retrieves data from a ClickHouse database.
collect
Exports data to the specified index.
D
db
Executes a query to a database.
dedub
Keeps only unique records in the results based on specified fields.
E
eval
Performs various operations on the data.
eventstats
Performs statistical operations on the data. Stores the results in a new field.
F
fields
Filters the output fields: adds fields to the query results or excludes them. Supports wildcards.
fillnull
Fills in null values for the specified fields.
foreach
Executes a subquery template once for each of the following elements:
- each field matching a wildcard
- each element of a multivalue field
format
Converts the results from the previous part of a search query into a logical expression for further search.
H
hdhsource
Allows retrieving data from Hadoop Hive.
head
Returns the first N results of a query; N defaults to 10.
I
inputlookup
Returns data from a lookup.
iplocation
Extracts location information from an IP address.
J
join
Combines the results of a subsearch with those of the main search.
L
loadjob
Loads the results of a background task.
lookup
Retrieves data from a predefined lookup. The command compares specified fields in the event and the lookup. On a full match, the event is enriched with the specified fields from the lookup.
M
makeresults
Creates empty events with a timestamp.
map
Executes a search query for each incoming event.
mvexpand
Expands the values of a multivalue field into separate events, creating one event for each value in the multivalue field.
O
outputlookup
Writes the search result to a table (or file) with the ability to update or append data. Supports parameter configuration for managing the writing and updating process.
P
peval
Performs various operations on the data. It is based on internal storage mechanisms.
predict
Performs prediction based on the trained model and input data.
R
rename
Renames fields.
rest
Executes a query to the storage REST API.
rex
Extracts values from a string into fields using a regular expression.
S
script
Executes a script and appends the results to the query.
script_mc
Executes a script and appends the results to the query.
search
Performs a search on the data.
sort
Sorts data based on given parameters.
source
Retrieves data from sources.
spath
Performs a search on XML or JSON strings.
stats
Performs statistical operations on data.
streamstats
Performs statistical operations on streaming data.
T
table
Creates a table from the specified fields. Supports wildcards.
timeaggs
Performs search and generates an array of data distributed along a timeline using the internal mechanisms of the storage system.
timechart
Performs search and generates an array of data distributed along a timeline.
train
Performs model training on input data. The result of the command is the model ID, which can be used in the predict command.
transaction
Performs search and generates an array of data, grouping it by matches.
transpose
Returns the specified number of rows (search results) as columns (lists of field values), so that each search row becomes a column.
W
where
Performs a refining search on the retrieved data.