What does the "showing" operator do?
In the "transaction" documentation (https://service.sumologic.com/help/Default.htm#Transaction_operator.htm%3FTocPath%3DSearch|Transaction%2520Analytics|_____0 ), one of the examples uses a "showing" parameter which is, as far as I can tell, not documented anywhere else:
... | transaction on sessionid
with "Starting session *" as init,
with "Initiating countdown *" thresh=2 as countdown_start,
with "Countdown reached *" thresh=2 as countdown_done,
with "Launch *" as launch
results by transactions showing max(_messagetime),
sum("1") for init as initcount
What does this "showing" operator do, and can it be added to a future version of the documentation?
-
Hi Clint,
I am glad that you are using our new Transaction Capability, and we will fix the confusion in the documentation. Showing is not a new parameter. In order to show aggregates other than count, you should use the showing clause. Also, the operator count counts the total number of logs in a transaction, as opposed to giving per-state counts. That way, in order to count, you need to use the aggregate function sum("1").
Please let us know if you have any additional comments on the Transaction capability.
Thanks,
Ariel
-
I'm afraid your answer doesn't really make things clearer for me. What, specifically, is the syntax of the "showing" operator? Given the example in the original question, it looks to me like it has three components: showing <function1>, <function2> for <identifier>. How do the two functions interact? What does the "for" clause do in this context? As far as I can tell, these questions aren't answered anywhere in the documentation.