Synopsis
Changes the display names, formats, and/or time units of column(s) in the summary table resulting from the complex search(es) preceding the pipe character.
Syntax
display [Result_Column_Name] (as [New _Column_Name]) (in [Format_Type] format)(["Input_Unit"],)(["Output_Unit"]) (, [RESULT_COLUMN_NAME] (as [NEW_COLUMN_NAME] )…)
Required Arguments
Result_Column_Name
Syntax: <character string>
Description: The name of the column header in the summary table resulting from the complex search, whose name, format, or output unit you want to change.
Optional Arguments
New_Column_Name
Syntax: <character string>
Description: The new display name of the column header in the summary table.
Format_Type
Syntax: number, simple, time, date, volume, regexp, or expression
Description: The display format of the column header values in the summary table. See format.
Description
This function is used to change the display mode of any of the column names and/or values in the summary table resulting from the Complex Search, by:
- Changing the column name to a new column name.
- Displaying the column values in a specified format.
- Displaying the column values in a specified output unit.
- Assuming that the input unit of the column values is the specified unit, and converting it to the specified output unit.
The display of several columns in the summary table of a complex search can be changed by placing them in a comma-separated list.
Examples
Example 1:
* in log.access | count , avg Bytes Sent | group by url | display avg as Average Bytes in volume format
For each URL in the access log events, show the number of log events and the average of the Bytes Sent column. In the table, replaces the avg header with Average Bytes, and shows the values in volume format in Bytes (default).
Example 2:
* in log.access | avg time taken | display avg in time format(“SEC”,”MIN”)
In the access log events, calculates the average of the time taken column values, assumes that the input value is in seconds, and converts and displays it in minutes.