...
Computes the total of the bytes sent column of the events in log access per status, and displays the total of each status in descending order of the total value.
Example 2:
* in log.application_log | count, sum col_name| interval 1 hour | execute result = column.count * 100 / column.sum ; result | interval 1 hour
Computes the sum of the values in the field col_name on an hourly basis, and computes the percentage of that value out of the total number of events during that time.
Example 3:
* in log.iis log | avg time-taken | group by cs-uristem | execute if (count1 == NULL) THEN (count1 = 0);if (count2 == NULL) THEN (count2 = 0);if (count3 == NULL) THEN (count3 = 0);timetaken = column.avg; if (timetaken > 100 && timetaken < 300) THEN (count1 = count1 + 1);if (timetaken >= 300 && timetaken < 400) THEN (count2 = count2 + 1);if (timetaken >= 400 && timetaken < 500) THEN (count3 = count3 + 1);map = mapput(map,"100",count1);map = mapput(map,"300",count2);map = mapput(map,"400",count3);map as type,value | order by type
Computes the number of URLs whose average time falls in each of the ranges 100-300, 300-400 and 400-500 milliseconds, based on the time-taken log field.
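The bucketing in Example 3, reproduced in Python as an added example (it is not part of the original documentation and not the product's own code); the sample log lines are constructed and the function names are hypothetical. It makes the boundary behaviour of the query's conditions visible: an average of exactly 100, or of 500 and above, is counted in no bucket.

```python
from collections import defaultdict

# Constructed sample in W3C extended format; field names follow the query above.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uristem sc-status time-taken
2024-01-01 10:00:00 GET /index.html 200 100
2024-01-01 10:00:01 GET /index.html 200 100
2024-01-01 10:00:02 GET /search 200 250
2024-01-01 10:00:03 GET /search 200 350
2024-01-01 10:00:04 GET /login 200 120
2024-01-01 10:00:05 GET /login 200 180
2024-01-01 10:00:06 GET /report 200 450
2024-01-01 10:00:07 GET /export 200 900
"""

def parse_w3c(text):
    """Turn W3C log text into a list of dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def avg_time_by_uri(rows):
    """Equivalent of: avg time-taken | group by cs-uristem."""
    totals = defaultdict(lambda: [0, 0])  # uri -> [sum, count]
    for row in rows:
        entry = totals[row["cs-uristem"]]
        entry[0] += int(row["time-taken"])
        entry[1] += 1
    return {uri: total / n for uri, (total, n) in totals.items()}

def bucket_counts(averages):
    """Equivalent of the execute block: count URLs per average-time range."""
    counts = {"100": 0, "300": 0, "400": 0}  # NULL counters start at 0
    for avg in averages.values():
        if 100 < avg < 300:        # strictly greater than 100, as in the query
            counts["100"] += 1
        elif 300 <= avg < 400:
            counts["300"] += 1
        elif 400 <= avg < 500:
            counts["400"] += 1
    return sorted(counts.items())  # order by type

if __name__ == "__main__":
    for bucket, value in bucket_counts(avg_time_by_uri(parse_w3c(SAMPLE_LOG))):
        print(bucket, value)
```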