docs/user/ppl/cmd/ad.md
32 additions & 24 deletions
@@ -1,34 +1,38 @@
1
-
# ad (deprecated by ml command)
1
+
# ad (deprecated by ml command)
2
2
3
-
## Description
4
3
5
-
The `ad` command applies Random Cut Forest (RCF) algorithm in the ml-commons plugin on the search result returned by a PPL command. Based on the input, the command uses two types of RCF algorithms: fixed-in-time RCF for processing time-series data, batch RCF for processing non-time-series data.
6
-
## Syntax
4
+
The `ad` command applies Random Cut Forest (RCF) algorithm in the ml-commons plugin on the search results returned by a PPL command. Based on the input, the command uses two types of RCF algorithms: fixed-in-time RCF for processing time-series data, batch RCF for processing non-time-series data.
7
5
8
-
## Fixed In Time RCF For Time-series Data
6
+
## Syntax
9
7
10
-
ad [number_of_trees][shingle_size][sample_size][output_after][time_decay][anomaly_rate]\<time_field\>[date_format][time_zone][category_field]
11
-
* number_of_trees: optional. Number of trees in the forest. **Default:** 30.
12
-
* shingle_size: optional. A shingle is a consecutive sequence of the most recent records. **Default:** 8.
13
-
* sample_size: optional. The sample size used by stream samplers in this forest. **Default:** 256.
14
-
* output_after: optional. The number of points required by stream samplers before results are returned. **Default:** 32.
15
-
* time_decay: optional. The decay factor used by stream samplers in this forest. **Default:** 0.0001.
16
-
* anomaly_rate: optional. The anomaly rate. **Default:** 0.005.
17
-
* time_field: mandatory. Specifies the time field for RCF to use as time-series data.
18
-
* date_format: optional. Used for formatting time_field. **Default:** "yyyy-MM-dd HH:mm:ss".
19
-
* time_zone: optional. Used for setting time zone for time_field. **Default:** "UTC".
20
-
* category_field: optional. Specifies the category field used to group inputs. Each category will be independently predicted.
8
+
The following sections describe the syntax for each RCF algorithm type.
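Review bot: In the rewritten Syntax section, the lines shown here remove the whole fixed-in-time parameter list (`number_of_trees` through `category_field`, with defaults 30, 8, 256, 32, 0.0001 and 0.005) and show only "The following sections describe the syntax for each RCF algorithm type." Please confirm that every parameter and its default reappears unchanged under the per-algorithm sections, because readers tune anomaly detection from these values. In the description line, "applies Random Cut Forest (RCF) algorithm" also needs an article: "applies the Random Cut Forest (RCF) algorithm".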
docs/user/ppl/cmd/addcoltotals.md
10 additions & 9 deletions
@@ -1,21 +1,22 @@
1
-
# AddColTotals
1
+
# addcoltotals
2
2
3
3
4
-
# Description
5
4
6
-
The `addcoltotals` command computes the sum of each column and add a summary event at the end to show the total of each column. This command works the same way `addtotals` command works with row=false and col=true option. This is useful for creating summary reports with subtotals or grand totals. The `addcoltotals` command only sums numeric fields (integers, floats, doubles). Non-numeric fields in the field list are ignored even if its specified in field-list or in the case of no field-list specified.
5
+
The `addcoltotals` command computes the sum of each column and adds a summary event at the end to show the total of each column. This command works the same way `addtotals` command works with row=false and col=true option. This is useful for creating summary reports with subtotals or grand totals. The `addcoltotals` command only sums numeric fields (integers, floats, doubles). Non-numeric fields in the field list are ignored even if its specified in field-list or in the case of no field-list specified.
-`field-list`: Optional. Comma-separated list of numeric fields to sum. If not specified, all numeric fields are summed.
13
14
-`labelfield=<field>`: Optional. Field name to place the label. If it specifies a non-existing field, adds the field and shows label at the summary event row at this field.
14
15
-`label=<string>`: Optional. Custom text for the totals row labelfield\'s label. Default is \"Total\".
15
16
16
-
# Example 1: Basic Example
17
+
# Example 1: Basic example
17
18
18
-
The example shows placing the label in an existing field.
19
+
The following example PPL query shows how to use `addcoltotals` to place the label in an existing field.
19
20
20
21
```ppl
21
22
source=accounts
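Review bot: "ignored even if its specified in field-list" in the rewritten description line is still ungrammatical; the subject is "Non-numeric fields", so suggest "ignored even if they are specified in the field list". The example heading in this hunk also stays at `#`, the same level as the `# addcoltotals` title, while addtotals.md uses `##` for its examples; consider `## Example 1: Basic example` here.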
@@ -38,9 +39,9 @@ fetched rows / total rows = 4/4
38
39
+-----------+---------+
39
40
```
40
41
41
-
# Example 2: Adding column totals and adding a summary event with label specified.
42
+
# Example 2: Adding column totals and adding a summary event with label specified
42
43
43
-
The example shows adding totals after a stats command where final summary event label is \'Sum\' and row=true value was used by default when not specified. It also added new field specified by labelfield as it did not match existing field.
44
+
The following example PPL query shows how to use `addcoltotals` to add totals after a stats command where final summary event label is \'Sum\' and row=true value was used by default when not specified. It also added new field specified by labelfield as it did not match existing field.
44
45
45
46
```ppl
46
47
source=accounts
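Review bot: The Example 2 description says "row=true value was used by default when not specified", which conflicts with the description at the top of this file, where `addcoltotals` is said to work like `addtotals` "with row=false and col=true option". Please state which default actually applies to `addcoltotals` and align the two sentences. The backslash-escaped quotes in `\'Sum\'` also survive in the added line, although this commit unescapes `it\'s` in addtotals.md.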
@@ -63,7 +64,7 @@ fetched rows / total rows = 3/3
63
64
64
65
# Example 3: With all options
65
66
66
-
The example shows using addcoltotals with all options set.
67
+
The following example PPL query shows how to use `addcoltotals` with all options set.
docs/user/ppl/cmd/addtotals.md
10 additions & 9 deletions
@@ -1,12 +1,13 @@
1
-
# AddTotals
1
+
# addtotals
2
2
3
3
4
-
## Description
5
4
6
-
The `addtotals` command computes the sum of numeric fields and appends a row with the totals to the result. The command can also add row totals and add a field to store row totals. This is useful for creating summary reports with subtotals or grand totals. The `addtotals` command only sums numeric fields (integers, floats, doubles). Non-numeric fields in the field list are ignored even if it\'s specified in field-list or in the case of no field-list specified.
5
+
The `addtotals` command computes the sum of numeric fields and appends a row with the totals to the result. The command can also add row totals and add a field to store row totals. This is useful for creating summary reports with subtotals or grand totals. The `addtotals` command only sums numeric fields (integers, floats, doubles). Non-numeric fields in the field list are ignored even if it's specified in field-list or in the case of no field-list specified.
-`field-list`: Optional. Comma-separated list of numeric fields to sum. If not specified, all numeric fields are summed.
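Review bot: "ignored even if it's specified in field-list" in the rewritten description has a number mismatch, since the subject is "Non-numeric fields"; suggest "ignored even if they are specified in the field list". The parallel sentence in addcoltotals.md should get the same wording so the two pages read alike.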
@@ -16,9 +17,9 @@ The `addtotals` command computes the sum of numeric fields and appends a row wit
16
17
-`label=<string>`: Optional. Custom text for the totals row labelfield\'s label. Default is \"Total\". This is applicable when col=true. This does not have any effect when labelfield and fieldname parameter both have same value.
17
18
-`fieldname=<field>`: Optional. Calculates total of each row and add a new field to store this total. This is applicable when row=true.
18
19
19
-
## Example 1: Basic Example
20
+
## Example 1: Basic example
20
21
21
-
The example shows placing the label in an existing field.
22
+
The following example PPL query shows how to use `addtotals` to place the label in an existing field.
22
23
23
24
```ppl
24
25
source=accounts
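Review bot: The parameter lines left as context above the renamed Example 1 heading still need the cleanup this commit applies elsewhere. The `fieldname=<field>` line reads "Calculates total of each row and add a new field" (should be "adds"), and the `label=<string>` line keeps backslash-escaped quotes in `labelfield\'s` and `\"Total\"`. Suggest fixing both in this change.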
@@ -41,9 +42,9 @@ fetched rows / total rows = 4/4
41
42
+-----------+---------+-------+
42
43
```
43
44
44
-
## Example 2: Adding column totals and adding a summary event with label specified.
45
+
## Example 2: Adding column totals and adding a summary event with label specified
45
46
46
-
The example shows adding totals after a stats command where final summary event label is \'Sum\'. It also added new field specified by labelfield as it did not match existing field.
47
+
The following example PPL query shows how to use `addtotals` to add totals after a stats command where final summary event label is \'Sum\'. It also added new field specified by labelfield as it did not match existing field.
if row=true in above example, there will be conflict between column added for column totals and column added for row totals being same field \'Total\', in that case the output will have final event row label null instead of \'Sum\' because the column is number type and it cannot output String in number type column.
70
+
if row=true in the preceding example, there will be conflict between column added for column totals and column added for row totals being same field \'Total\', in that case the output will have final event row label null instead of \'Sum\' because the column is number type and it cannot output String in number type column.
70
71
71
72
```ppl
72
73
source=accounts
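Review bot: The added sentence beginning "if row=true in the preceding example" starts in lowercase and joins two sentences with a comma before "in that case"; suggest capitalizing "If" and starting a new sentence at "In that case, the output ...". The escaped quotes in `\'Sum\'` and `\'Total\'` also remain in the added lines of this hunk and should be plain quotes.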
@@ -91,7 +92,7 @@ fetched rows / total rows = 5/5
91
92
92
93
## Example 3: With all options
93
94
94
-
The example shows using addtotals with all options set.
95
+
The following example PPL query shows how to use `addtotals` with all options set.
docs/user/ppl/cmd/append.md
16 additions & 10 deletions
@@ -1,21 +1,26 @@
1
-
# append
1
+
# append
2
2
3
-
## Description
4
3
5
-
The `append` command appends the result of a sub-search and attaches it as additional rows to the bottom of the input search results (The main search).
4
+
The `append` command appends the result of a sub-search and attaches it as additional rows to the bottom of the input search results (the main search).
5
+
6
6
The command aligns columns with the same field names and types. For different column fields between the main search and sub-search, NULL values are filled in the respective rows.
7
-
## Syntax
8
7
9
-
append \<sub-search\>
10
-
* sub-search: mandatory. Executes PPL commands as a secondary search.
8
+
## Syntax
9
+
10
+
Use the following syntax:
11
+
12
+
`append <sub-search>`
13
+
*`sub-search`: mandatory. Executes PPL commands as a secondary search.
11
14
15
+
12
16
## Limitations
13
17
14
18
***Schema Compatibility**: When fields with the same name exist between the main search and sub-search but have incompatible types, the query will fail with an error. To avoid type conflicts, ensure that fields with the same name have the same data type, or use different field names (e.g., by renaming with `eval` or using `fields` to select non-conflicting columns).
15
19
16
-
## Example 1: Append rows from a count aggregation to existing search result
17
20
18
-
This example appends rows from "count by gender" to "sum by gender, state".
21
+
## Example 1: Append rows from a count aggregation to existing search results
22
+
23
+
The following example appends rows from "count by gender" to "sum by gender, state".
19
24
20
25
```ppl
21
26
source=accounts | stats sum(age) by gender, state | sort -`sum(age)` | head 5 | append [ source=accounts | stats count(age) by gender ]
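Review bot: The added parameter line for `sub-search` shows the `*` list marker immediately followed by the backticked name, with no space, so Markdown will not render it as a list item; the removed line had `* sub-search:` with a space. Please check the source and restore the space after `*`. The Limitations bullet shown as context (`***Schema Compatibility**`) appears to have the same problem.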
docs/user/ppl/cmd/appendcol.md
16 additions & 10 deletions
@@ -1,15 +1,18 @@
1
-
# appendcol
1
+
# appendcol
2
2
3
-
## Description
4
3
5
-
The `appendcol` command appends the result of a sub-search and attaches it alongside with the input search results (The main search).
6
-
## Syntax
4
+
The `appendcol` command appends the result of a sub-search and attaches it alongside the input search results (the main search).
7
5
8
-
appendcol [override=\<boolean\>]\<sub-search\>
6
+
## Syntax
7
+
8
+
Use the following syntax:
9
+
10
+
`appendcol [override=<boolean>] <sub-search>`
9
11
* override=<boolean>: optional. Boolean field to specify should result from main-result be overwritten in the case of column name conflict. **Default:** false.
10
-
* sub-search: mandatory. Executes PPL commands as a secondary search. The sub-search uses the same data specified in the source clause of the main search results as its input.
12
+
*`sub-search`: mandatory. Executes PPL commands as a secondary search. The sub-search uses the same data specified in the source clause of the main search results as its input.
11
13
12
-
## Example 1: Append a count aggregation to existing search result
14
+
15
+
## Example 1: Append a count aggregation to existing search results
13
16
14
17
This example appends "count by gender" to "sum by gender, state".
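Review bot: In the Syntax section, the `override=<boolean>` item left as context is now inconsistent with the reformatted `sub-search` item: its name is not backticked, and "Boolean field to specify should result from main-result be overwritten in the case of column name conflict" is hard to parse. Suggest backticking the name and rewording to something like "Specifies whether results from the main search are overwritten when column names conflict." The Example 1 sentence "This example appends ..." was also left in the old style while Example 4 now uses "The following example PPL query ...".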
## Example 4: Override case of column name conflict
105
111
106
-
This example demonstrates the override option when column names conflict between main search and sub-search.
112
+
The following example PPL query demonstrates how to use `appendcol` with the override option when column names conflict between main search and sub-search.
docs/user/ppl/cmd/appendpipe.md
12 additions & 7 deletions
@@ -1,15 +1,18 @@
1
-
# appendpipe
1
+
# appendpipe
2
2
3
-
## Description
4
3
5
-
The `appendpipe` command appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first.The subpipeline is run when the search reaches the appendpipe command.
4
+
The `appendpipe` command appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first.The subpipeline is run when the search reaches the appendpipe command.
6
5
The command aligns columns with the same field names and types. For different column fields between the main search and sub-search, NULL values are filled in the respective rows.
7
-
## Syntax
8
6
9
-
appendpipe [\<subpipeline\>]
10
-
* subpipeline: mandatory. A list of commands that are applied to the search results from the commands that occur in the search before the `appendpipe` command.
7
+
## Syntax
8
+
9
+
Use the following syntax:
10
+
11
+
`appendpipe [<subpipeline>]`
12
+
*`subpipeline`: mandatory. A list of commands that are applied to the search results from the commands that occur in the search before the `appendpipe` command.
11
13
12
-
## Example 1: Append rows from a total count to existing search result
14
+
15
+
## Example 1: Append rows from a total count to existing search results
13
16
14
17
This example appends rows from "total by gender" to "sum by gender, state" with merged column of same field name and type.
15
18
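Review bot: The new syntax line `appendpipe [<subpipeline>]` reads as an optional argument under the bracket convention used in appendcol.md (`[override=<boolean>]`), yet the parameter text directly below says "mandatory". If the square brackets are literal PPL syntax here, say so explicitly next to the syntax line. The description line was touched in this hunk but still reads "is not run first.The subpipeline", with no space after the period.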
@@ -37,6 +40,7 @@ fetched rows / total rows = 6/6
37
40
+------+--------+-------+-------+
38
41
```
39
42
43
+
40
44
## Example 2: Append rows with merged column names
41
45
42
46
This example appends rows from "count by gender" to "sum by gender, state".
@@ -65,6 +69,7 @@ fetched rows / total rows = 6/6
65
69
+----------+--------+-------+
66
70
```
67
71
72
+
68
73
## Limitations
69
74
70
75
***Schema Compatibility**: Same as command `append`, when fields with the same name exist between the main search and sub-search but have incompatible types, the query will fail with an error. To avoid type conflicts, ensure that fields with the same name have the same data type, or use different field names (e.g., by renaming with `eval` or using `fields` to select non-conflicting columns).