$my_variable2 = | from forwarders("forwarders:all") | eval sourcetype="forwarders" You can store data streams as SPL2 variables and union these data streams like this: For example, if you want to union three branches together, you will need three SPL2 variables. You must have the same number of variables as branches in your data stream. Variable names must begin with a dollar sign ($) and can only contain letters, numbers, or underscores. SPL2 variables allow you to store branches of your data streams as SPL2 statements. When constructing a pipeline using the SPL2 Pipeline Builder and performing a union, you must use SPL2 variables to properly union your data streams. Using SPL2 variables to union data streams in the SPL2 Pipeline Builder If you are using the Union function in the SPL2 View, you'll need to use SPL2 variables. If you are using the Union function in the Canvas View, click on the View Configuration button and select the function on the data stream branch that you'd like to union. Union Required arguments DataStream Syntax: Description: The data stream you want to perform the union on. Function Output collection> This function outputs a single data stream with schema R. If the combined streams do not have the same schema, an error is shown.įunction Input/Output Schema Function Input collection> This function takes in multiple data streams where each stream has schema R. Ĭombines streams with the same input schema into one stream with all of the events of the input streams. This topic describes how to use the function in the.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |