- Implementing Splunk 7 (Third Edition)
- James D. Miller
- 2021-08-27 19:42:43
Split (row or column)
The Splunk configuration options that are available for split (row and column) depend on the type of attribute you choose for them.
Some split configuration options are specific to either row or column elements while others are available for either element type.
Those configuration options, regardless of attribute type, are:
- Both split row and split column:
  - Max rows and max columns: The maximum number of rows or columns that can appear in the results table
  - Totals: Indicates whether to include a row or column that represents the total of all the others in an attribute called ALL
- Only split row elements:
  - Label: Used to override the attribute name with a different text or character string
  - Sort: Used to reorder the split rows
- Only split column:
  - Group Others: Indicates whether to group any results excluded by the max columns limit into a separate OTHER column
Configuration options dependent upon attribute type are:
- String attributes:
  - There are no configuration options specific to string attributes that are common to both split row and split column elements
- Numeric attributes:
  - Create ranges: Indicates whether you want your numeric values represented as ranges (yes) or listed separately (no)
- Boolean attributes:
  - You can provide alternate labels for true and false values
- Timestamp attributes:
  - Period: Use this to bucket your timestamp results by year, month, day, hour, minute, or second