AlertsInInternalServer
A dataset object in the example InternalServer data model.
Select
This is an example of a dataset view. These views are generated from dataset objects inside a data model. The cmdlet will use the Splunk APIs to process the following query components; the cmdlet processes other parts of the query client-side in memory.
All columns support server-side processing for the following operators and functions:
- Operators: =, <, >, >=, <=, IN, IS NULL, IS NOT NULL, NOT
- Functions: AVG, SUM, MIN, MAX, COUNT, STDEV, STDEVP, VAR, VARP
LIMIT, ORDER BY, GROUP BY, and HAVING are also processed server-side. An exception is the case when in the selected columns, there are fields that are not in the GROUP BY, and GROUP BY, criteria, and limiting are handled client-side.
In the case when an unsupported criteria or function is used, all processing will be completed client-side (except selecting specified fields). This is also the case when a SELECT statement has a column that is not in the GroupBy clause.
For example, the cmdlet uses the Splunk APIs to process the following queries.
SELECT Component, Timeendpos as Timeend FROM [AlertsInInternalServer] WHERE Component = 'Saved' OR EventType != '' AND Priority IS NOT NULL AND Linecount NOT IN ('1', '2') ORDER BY Priority DESC LIMIT 5 SELECT AVG(Suppressed), Priority FROM [AlertsInInternalServer] GROUP BY Priority HAVING AVG(Suppressed) > 0
Columns
Name | Type | Description |
_time | Datetime | |
component | String | |
date_hour | Int | |
date_mday | Int | |
date_minute | Int | |
date_month | String | |
date_second | Int | |
date_wday | String | |
date_year | Int | |
date_zone | Int | |
digest_mode | Int | |
dispatch_time | Int | |
host | String | |
linecount | Int | |
log_level | String | |
priority | String | |
punct | String | |
savedsearch_id | String | |
scheduled_time | Int | |
search_type | String | |
server_alert_actions | String | |
server_app | String | |
server_message | String | |
server_result_count | Int | |
server_run_time | Double | |
server_savedsearch_name | String | |
server_sid | String | |
server_status | String | |
server_user | String | |
source | String | |
sourcetype | String | |
splunk_server | String | |
suppressed | Int | |
thread_id | String | |
timeendpos | Int | |
timestartpos | Int | |
window_time | Int |