
commands

- fields
limit the fields displayed

sourcetype=access_combined | fields status clientip

| fields - status clientip (removes the listed fields)

- _raw (always shown unless it is removed explicitly)

- table
displays the results as a table, one column per listed field

| table JSESSIONID, price, product_name

- rename
renames fields

| rename JSESSIONID as "User Session"

after the rename, the original field name is no longer available to subsequent commands

- dedup
removes duplicate events (keeps the first event for each value of the field)

| dedup username

- sort
orders results ascending (+) or descending (-); limit caps the number of results

sort + sale_price Vendor

sort - sale_price Vendor

sort -sale_price Vendor limit=20

TRANSFORMING COMMANDS
order results into data tables for statistics and visualization

- top: returns the 10 most common values of a field, with count and percent

limit can be added (limit=0 returns all values)

limit = int
countfield = string
percentfield = string

showcount = True/False
showpercent = True/False
showother = True/False

otherstr = string

- rare: the opposite of top, returns the least common values (e.g. by Vendor)

- stats: count / distinct count (dc) / sum / average (avg) / list (all values) /
values (unique values)

sourcetype=vendor_sales | stats count as "Total Sells" by product_name, categoryId,

...

count(action) as ActionEvents, count as "Total Events"

- dc (distinct count): number of unique values of a field

- lookups - categorized as data tables

sources: .csv files,
scripts, geodata

| lookup games gamename AS product_name, category AS category

matching is case-sensitive by default

output fields (OUTPUT / OUTPUTNEW)

- 1) create a lookup table

Lookups > Lookup table files > Add new
(in the Search application)

http_status.csv

| inputlookup http_status.csv

- 2) define the lookup

Lookups > Add new lookup definition

- 3) lookup command

| lookup http_status code as status

OUTPUT code as "HTTP Code", description as "HTTP description"

OUTPUTNEW (only fills fields that do not already exist in the event)
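The three lookup steps above combined with the transforming commands, as an added example that is not part of the original notes: it assumes the http_status lookup definition from step 2 (columns code and description), a sourcetype access_combined and a clientip field, and counts error responses per status so that a burst of failed requests from few clients stands out.

```spl
sourcetype=access_combined status>=400
| lookup http_status code AS status OUTPUTNEW description AS status_description
| stats count AS failed_requests, dc(clientip) AS unique_clients BY status, status_description
| sort - failed_requests
| rename status AS "HTTP Code", status_description AS "HTTP description"
```

OUTPUTNEW leaves an existing status_description value untouched; use OUTPUT to overwrite it. Because lookup matching is case-sensitive by default, the values in the code column must be written exactly as they appear in the events.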

- reports need to be scheduled before being embedded.
