韓誥傭痔

4 孜批扶抗扯我?快我扼找抉把我?快

妊志快扳批扶抗扯我?快扶忘志快忱快扶快抉志忱快扼批扭抉忱把忪忘扶快批:

孜批扶抗扯我?快扼批扶忘志快忱快扶快忌快戒忱抉忱忘找扶我抒我扶扳抉把技忘扯我?忘. 妞抖我抗扶我找快扶忘扳批扶抗扯我?批忱忘忌我扼找快志我忱快抖我扼志快忱快找忘?快.

Function	Description
change	妒戒扶抉扼把忘戒抖我抗快我戒技快?批扭把快找抒抉忱扶快我扶忘?扶抉志我?快志把快忱扶抉扼找我.
changecount	坎把抉? 扭把抉技快扶忘我戒技快?批扼批扼快忱扶我抒志把快忱扶抉扼找我批扶批找忘把忱快扳我扶我扼忘扶抉忍扭快把我抉忱忘快志忘抖批忘扯我?快.
count	坎把抉? 志把快忱扶抉扼找我批扶批找忘把忱快扳我扶我扼忘扶抉忍扭快把我抉忱忘快志忘抖批忘扯我?快.
countunique	坎把抉? ?快忱我扶扼找志快扶我抒志把快忱扶抉扼找我批扶批找忘把忱快扳我扶我扼忘扶抉忍扭快把我抉忱忘快志忘抖批忘扯我?快.
find	妤把抉扶忘抖忘忪快?快志把快忱扶抉扼找抗抉?忘扼快扭抉忱批忱忘把忘批忱快扳我扶我扼忘扶抉技扭快把我抉忱批快志忘抖批忘扯我?快.
first	妤把志忘 (扶忘?扼找忘把我?忘) 志把快忱扶抉扼找批扶批找忘把忱快扳我扶我扼忘扶抉忍扭快把我抉忱忘快志忘抖批忘扯我?快.
fuzzytime	妤把抉志快把忘抗抉抖我抗抉扼快志把快技快扭忘扼我志扶抉忍忘忍快扶找忘把忘戒抖我抗批?快抉忱志把快技快扶忘韓誥傭痔扼快把志快把忘/扭把抉抗扼我?忘.
last	妖忘?扶抉志我?忘志把快忱扶抉扼找.
logeventid	妤把抉志快把忘忱忘抖我扼快 ID 忱抉忍忘?忘?忘扭抉扼抖快忱?快忍批扶抉扼忘批快志我忱快扶扯我?我扭抉忱批忱忘把忘扼忘把快忍批抖忘把扶我技我戒把忘戒抉技.
logseverity	妍戒忌我?扶抉扼找扭抉扼抖快忱?快忍批扶抉扼忘批忱扶快志扶我抗.
logsource	妤把抉志快把忘忱忘抖我我戒志抉把快志我忱快扶扯我?快扭抉扼抖快忱?快忍批扶抉扼忘批忱扶快志扶我抗抉忱忍抉志忘把忘把快忍批抖忘把扶抉技我戒把忘戒批.
monodec	妤把抉志快把我找快忱忘抖我 ?快忱抉扮抖抉忱抉技抉扶抉找抉扶抉忍扼技忘?快?忘志把快忱扶抉扼找我.
monoinc	妤把抉志快把我找快忱忘抖我 ?快忱抉扮抖抉忱抉技抉扶抉找抉扶抉忍扭抉志快?忘?忘志把快忱扶抉扼找我.
nodata	妤把抉志快把我忱忘抖我扶快技忘扭把我技?快扶我抒扭抉忱忘找忘抗忘.
percentile	P-找我扭快把扯快扶找我抖扭快把我抉忱忘, 忍忱快 ?快 P (扭把抉扯快扶忘找) 抉忱把快?快扶找把快?我技扭忘把忘技快找把抉技.
rate	妤把抉扼快折扶忘扼找抉扭忘扭抉扼快抗批扶忱我扭抉志快?忘?忘批技抉扶抉找抉扶抉把忘扼找批?快技忌把抉?忘折批批抉抗志我把批忱快扳我扶我扼忘扶抉忍志把快技快扶扼抗抉忍扭快把我抉忱忘.

妝忘?快忱扶我折抗我扭忘把忘技快找把我

/host/key ?快戒忘?快忱扶我折抗我抉忌忘志快戒扶我扭把志我扭忘把忘技快找忘把戒忘扳批扶抗扯我?快抗抉?快扼快把快扳快把快扶扯我把忘?批扶忘我扼找抉把我?批扼找忘志抗快忱抉技忘?我扶忘
(sec|#num)<:time shift> ?快戒忘?快忱扶我折抗我忱把批忍我扭忘把忘技快找忘把戒忘扳批扶抗扯我?快抗抉?快批扭批?批?批扶忘我扼找抉把我?批扼找忘志抗快忱抉技忘?我扶忘, 忍忱快 ?快: - sec - 技忘抗扼我技批技扭快把我抉忱忘快志忘抖批忘扯我?快批扼快抗批扶忱忘技忘 (技抉忍批扼快抗抉把我扼找我找我志把快技快扼批扳我抗扼我) 我抖我 - #num - 技忘抗扼我技批技抉扭扼快忍快志忘抖批忘扯我?快批扶忘?扶抉志我?快技扭把我抗批扭?忘?批志把快忱扶抉扼找我 (忘抗抉我技扭把快找抒抉忱我抒快扮抉戒扶忘抗忘) - time shift (抉扭扯我抉扶抉) 抉技抉忍批?忘志忘扭抉技快把忘?快找忘折抗快快志忘抖批忘扯我?快扶忘戒忘忱批志把快技快. 妤抉忍抖快忱忘?找快志我扮快忱快找忘?忘戒忘扶忘志抉?快?快志把快技快扶扼抗抉忍扭抉技快把忘?忘.

坏快找忘?我扳批扶抗扯我?快

妖快抗快抉扭扮找快扶忘扭抉技快扶快抉扭忘把忘技快找把我技忘扳批扶抗扯我?快:

妤忘把忘技快找把我扳批扶抗扯我?快扼批抉忱志抉?快扶我戒忘把快戒抉技
妍扭扯我抉扶我扭忘把忘技快找把我扳批扶抗扯我?快 (我抖我忱快抖抉志我扭忘把忘技快找忘把忘) 扼批抉戒扶忘折快扶我扼忘 < >
妤忘把忘技快找把我扼扭快扯我扳我折扶我戒忘扳批扶抗扯我?批抉扭我扼忘扶我扼批批戒扼志忘抗批扳批扶抗扯我?批
/host/key 我 (sec|#num)<:time shift> 扭忘把忘技快找把我扶我抗忘忱忘扶快扼技快?批忌我找我扭抉忱扶忘志抉忱扶我扯我技忘

change(/host/key)

妒戒扶抉扼把忘戒抖我抗快我戒技快?批扭把快找抒抉忱扶快我扶忘?扶抉志我?快志把快忱扶抉扼找我.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer, String, Text, Log.
妝忘扼找把我扶忍抉志快志把忘?忘: 0 - 志把快忱扶抉扼找我扼批 ?快忱扶忘抗快; 1 - 志把快忱扶抉扼找我扼快把忘戒抖我抗批?批.

妤忘把忘技快找把我: 扭抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我.

妞抉技快扶找忘把我:

妖批技快把我折抗忘把忘戒抖我抗忘 ?快忌我找我我戒把忘折批扶忘找忘, 抗忘抉扮找抉扼快志我忱我扼忘抉志我技忱抉抖忘戒扶我技扭把我技快把我技忘志把快忱扶抉扼找我 ('previous' 我 'latest' 志把快忱扶抉扼找 = 把忘戒抖我抗忘):
'1' 我 '5' = +4
'3' 我 '1' = -2
'0' 我 '-2.5' = -2.5
妤抉忍抖快忱忘?找快找忘抗抉?快: abs 戒忘扭抉把快?快?快.

妤把我技快把我:

change(/host/key)>10

changecount(/host/key,(sec|#num)<:time shift>,<mode>)

坎把抉? 扭把抉技快扶忘我戒技快?批扼批扼快忱扶我抒志把快忱扶抉扼找我批抉抗志我把批忱快扳我扶我扼忘扶抉忍扭快把我抉忱忘快志忘抖批忘扯我?快.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer, String, Text, Log.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗快扭忘把忘技快找把快;
mode (技抉把忘忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘) - 技抉忍批?快志把快忱扶抉扼找我: all - 把忘折批扶忘找我扼志快扭把抉技快扶快 (扭抉忱把忘戒批技快志忘扶抉); dec - 忌把抉? 扼快扼技忘?批?快; inc - 忌把抉? 扼快扭抉志快?忘志忘

妝忘扶快扶批技快把我折抗快找我扭抉志快志把快忱扶抉扼找我, 扭忘把忘技快找忘把 mode 扼快戒忘扶快技忘把批?快.

妤把我技快把我:

changecount(/host/key,1w) #the number of value changes for the last week until now
       changecount(/host/key,#10,"inc") #the number of value increases (relative to the adjacent value) among the last 10 values
       changecount(/host/key,24h,"dec") #the number of value decreases (relative to the adjacent value) for the last 24 hours until now

count(/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)

坎把抉? 志把快忱扶抉扼找我批扶批找忘把忱快扳我扶我扼忘扶抉忍扭快把我抉忱忘快志忘抖批忘扯我?快.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer, String, Text, Log.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我;
抉扭快把忘找抉把 (技抉把忘忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘). 妤抉忱把忪忘扶我 operators:
eq - ?快忱扶忘抗抉 (扭抉忱把忘戒批技快志忘扶抉戒忘 integer, float)
ne - 扶我?快 ?快忱扶忘抗抉
* gt* - 志快?快抉忱
ge - 志快?快我抖我 ?快忱扶忘抗抉
* lt* - 技忘?快抉忱
* le* - 技忘?快我抖我 ?快忱扶忘抗抉
like (扭抉忱把忘戒批技快志忘扶抉戒忘 string, text, log) - 抉忱忍抉志忘把忘忘抗抉扼忘忱把忪我抉忌把忘戒忘扯 (把忘戒抖我抗批?快志快抖我抗忘我技忘抖忘扼抖抉志忘)
bitand - 忌我找抉志扼抗抉 AND
* regexp* - 扭抉忱批忱忘把忘?快把快忍批抖忘把扶抉忍我戒把忘戒忘忱忘找抉忍批 pattern 抉扼快找?我志抉扶忘技忘抖忘我志快抖我抗忘扼抖抉志忘
* iregexp* - 扭抉忱批忱忘把忘?快把快忍批抖忘把扶抉忍我戒把忘戒忘忱忘找抉忍批 pattern 扶快抉扼快找?我志抉扶忘志快抖我抗忘我技忘抖忘扼抖抉志忘
** pattern** - 戒忘抒找快志忘扶我抉忌把忘戒忘扯 (忘把忍批技快扶找我扼找把我扶忍抉志忘技抉把忘?批忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘).

妞抉技快扶找忘把我:

Float 扼找忘志抗快扼快扭抉抗抖忘扭忘?批扼忘扭把快扯我戒扶抉扮?批抉忱 2.22e-16;
like 扶我?快扭抉忱把忪忘扶抉抗忘抉抉扭快把忘找抉把戒忘扯快抖抉忌把抉?扶快志把快忱扶抉扼找我;
- like* 我 * bitand* 扶我扼批扭抉忱把忪忘扶我抗忘抉抉扭快把忘找抉把我戒忘 float 志把快忱扶抉扼找我;
妝忘志把快忱扶抉扼找我 string, text, 我 log 扭抉忱把忪忘扶我扼批扼忘技抉抉扭快把忘找抉把我 eq, ne, like, regexp and iregexp;
妊忘 bitand 抗忘抉抉扭快把忘找抉把抉技, 折快找志把找我扭忘把忘技快找忘把 pattern 扼快技抉忪快扶忘志快扼找我抗忘抉忱志忘忌把抉?忘, 把忘戒忱志抉?快扶忘扼忘 '/': number_to_compare_with/mask. count() 我戒把忘折批扶忘志忘 "忌我找抉志扼抗抉 AND" 我戒志把快忱扶抉扼找我我 技忘扼抗快 我批扭抉把快?批?快把快戒批抖找忘找扼忘 忌把抉?喳戒忘喳批扭抉把快?我志忘?快喳扼忘. 均抗抉 ?快把快戒批抖找忘找 "忌我找抉志扼抗抉 AND" ?快忱扶忘抗 number_to_compare_with, 志把快忱扶抉扼找扼快把忘折批扶忘.
均抗抉扼批 number_to_compare_with 我 * mask* ?快忱扶忘抗我, 扭抉找把快忌扶抉 ?快扼忘技抉扶忘志快扼找我 mask (忌快戒 '/').
妊忘 regexp 我抖我 iregexp 抗忘抉抉扭快把忘找抉把抉技, 折快找志把找我扭忘把忘技快找忘把 pattern 技抉忪快忌我找我抉忌我折忘扶我抖我忍抖抉忌忘抖扶我 (抗抉?我扭抉折我?快扼忘 '@') 把快忍批抖忘把扶我我戒把忘戒. 孝扼抖批折忘?批忍抖抉忌忘抖扶我抒把快忍批抖忘把扶我抒我戒把忘戒忘, 抉扼快找?我志抉扼找扶忘志快抖我抗忘我技忘抖忘扼抖抉志忘扼快扶忘扼抖快?批?快我戒扭抉忱快扮忘志忘?忘忍抖抉忌忘抖扶我抒把快忍批抖忘把扶我抒我戒把忘戒忘. 妝忘扭抉找把快忌快扭抉忱批忱忘把忘?忘把快忍批抖忘把扶抉忍我戒把忘戒忘, 志把快忱扶抉扼找我扼忘扭抉抗把快找扶我技忌把抉?快技批志快抗 ?快忌我找我扭把快忱扼找忘志?快扶快扼忘 4 忱快扯我技忘抖扶快扯我扳把快扭抉扼抖快 '.'. 妥忘抗抉?快我技忘?找快扶忘批技批忱忘戒忘志快抖我抗快忌把抉?快志快把忘戒抖我抗忘批忱快扯我技忘抖扶抉? (折批志忘扶抉? 批忌忘戒我扭抉忱忘找忘抗忘) 我忌我扶忘把扶抉? (抗抉?批抗抉把我扼找我韓誥傭痔扼快把志快把) 技抉忪快批找我扯忘找我扶忘 4. 忱快扯我技忘抖批.

妤把我技快把我:

count(/host/key,10m) #the values for the last 10 minutes until now
       count(/host/key,10m,"like","error") #the number of values for the last 10 minutes until now that contain 'error'
       count(/host/key,10m,,12) #the number of values for the last 10 minutes until now that equal '12'
       count(/host/key,10m,"gt",12) #the number of values for the last 10 minutes until now that are over '12'
       count(/host/key,#10,"gt",12) #the number of values within the last 10 values until now that are over '12'
       count(/host/key,10m:now-1d,"gt",12) #the number of values between 24 hours and 10 minutes and 24 hours ago from now that were over '12'
       count(/host/key,10m,"bitand","6/7") #the number of values for the last 10 minutes until now having '110' (in binary) in the 3 least significant bits
       count(/host/key,10m:now-1d) #the number of values between 24 hours and 10 minutes and 24 hours ago from now

countunique(/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)

坎把抉? ?快忱我扶扼找志快扶我抒志把快忱扶抉扼找我批忱快扳我扶我扼忘扶抉技扭快把我抉忱批快志忘抖批忘扯我?快.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer, String, Text, Log.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗快扭忘把忘技快找把快;
抉扭快把忘找抉把 (技抉把忘忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘). 妤抉忱把忪忘扶我 operators:
eq - ?快忱扶忘抗抉 (扭抉忱把忘戒批技快志忘扶抉戒忘 integer, float)
ne - 扶我?快 ?快忱扶忘抗抉
gt - 志快?快抉忱
* ge* - 志快?快我抖我 ?快忱扶忘抗抉抉忱
lt - 技忘?快抉忱
le - 技忘?快我抖我 ?快忱扶忘抗抉抉忱
like (扭抉忱把忘戒批技快志忘扶抉戒忘 string, text, log) - 抉忱忍抉志忘把忘忘抗抉扼忘忱把忪我抉忌把忘戒忘扯 (把忘戒抖我抗批?快志快抖我抗忘我技忘抖忘扼抖抉志忘)
bitand - 忌我找抉志扼抗抉 AND
regexp - 扭抉忱批忱忘把忘?快把快忍批抖忘把扶抉忍我戒把忘戒忘忱忘找抉忍批 批戒抉把扯批
我把快忍快抗扭 - 扭抉忱批忱忘把忘?快把快忍批抖忘把扶抉忍我戒把忘戒忘忱忘找抉忍批 pattern
忌快戒抉忌戒我把忘扶忘志快抖我抗忘我技忘抖忘扼抖抉志忘
抉忌把忘戒忘扯 - 戒忘抒找快志忘扶我抉忌把忘戒忘扯 (忘把忍批技快扶找我扼找把我扶忍抉志忘技抉把忘?批忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘).

妞抉技快扶找忘把我:

Float 扼找忘志抗快扼快扭抉抗抖忘扭忘?批扼忘扭把快扯我戒扶抉扮?批抉忱 2.22e-16;
- like* 扶我?快扭抉忱把忪忘扶抉抗忘抉抉扭快把忘找抉把戒忘扯快抖抉忌把抉?扶快志把快忱扶抉扼找我;
like 我 bitand 扶我扼批扭抉忱把忪忘扶我抗忘抉抉扭快把忘找抉把我戒忘 float 志把快忱扶抉扼找我;
妝忘志把快忱扶抉扼找我 string, text, 我 log 扭抉忱把忪忘扶我扼批扼忘技抉 eq, ne, like, regexp 我 iregexp;
妊忘 bitand 抗忘抉抉扭快把忘找抉把抉技, 折快找志把找我扭忘把忘技快找忘把 pattern 扼快技抉忪快扶忘志快扼找我抗忘抉忱志忘忌把抉?忘, 把忘戒忱志抉?快扶忘扼忘 '/': number_to_compare_with/mask. countunique() 我戒把忘折批扶忘志忘 "忌我找抉志扼抗抉 AND" 我戒志把快忱扶抉扼找我我 技忘扼抗快 我批扭抉把快?批?快把快戒批抖找忘找扼忘 number_to_compare_with. 均抗抉 ?快把快戒批抖找忘找 "忌我找抉志扼抗抉 AND" ?快忱扶忘抗 number_to_compare_with, 志把快忱扶抉扼找扼快把忘折批扶忘.
均抗抉扼批 number_to_compare_with 我 mask ?快忱扶忘抗我, 扭抉找把快忌扶抉 ?快扼忘技抉扶忘志快扼找我 mask (忌快戒 '/').
妊忘 regexp 我抖我 iregexp 抗忘抉抉扭快把忘找抉把抉技, 折快找志把找我扭忘把忘技快找忘把 pattern 技抉忪快忌我找我抉忌我折忘扶我抖我忍抖抉忌忘抖扶我 (抗抉?我扭抉折我?快扼忘 '@') 把快忍批抖忘把扶我我戒把忘戒. 孝扼抖批折忘?批忍抖抉忌忘抖扶我抒把快忍批抖忘把扶我抒我戒把忘戒忘, 抉扼快找?我志抉扼找扶忘志快抖我抗忘我技忘抖忘扼抖抉志忘扼快扶忘扼抖快?批?快我戒扭抉忱快扮忘志忘?忘忍抖抉忌忘抖扶我抒把快忍批抖忘把扶我抒我戒把忘戒忘. 妝忘扭抉找把快忌快扭抉忱批忱忘把忘?忘把快忍批抖忘把扶抉忍我戒把忘戒忘, 志把快忱扶抉扼找我扼忘扭抖批找忘?批?我技志把快忱扶抉扼找我技忘 ?快批志快抗忌我找我扭把快忱扼找忘志?快扶快扼忘 4 忱快扯我技忘抖扶快扯我扳把快扭抉扼抖快 '.'. 妥忘抗抉?快我技忘?找快扶忘批技批忱忘戒忘志快抖我抗快忌把抉?快志快把忘戒抖我抗忘批忱快扯我技忘抖扶抉? (折批志忘扶抉? 批忌忘戒我扭抉忱忘找忘抗忘) 我忌我扶忘把扶抉? (抗抉?批抗抉把我扼找我韓誥傭痔扼快把志快把) 技抉忪快批找我扯忘找我扶忘 4. 忱快扯我技忘抖批.

妤把我技快把我:

countunique(/host/key,10m) #the number of unique values for the last 10 minutes until now
       countunique(/host/key,10m,"like","error") #the number of unique values for the last 10 minutes until now that contain 'error'
       countunique(/host/key,10m,,12) #the number of unique values for the last 10 minutes until now that equal '12'
       countunique(/host/key,10m,"gt",12) #the number of unique values for the last 10 minutes until now that are over '12'
       countunique(/host/key,#10,"gt",12) #the number of unique values within the last 10 values until now that are over '12'
       countunique(/host/key,10m:now-1d,"gt",12) #the number of unique values between 24 hours and 10 minutes and 24 hours ago from now that were over '12'
       countunique(/host/key,10m,"bitand","6/7") #the number of unique values for the last 10 minutes until now having '110' (in binary) in the 3 least significant bits
       countunique(/host/key,10m:now-1d) #the number of unique values between 24 hours and 10 minutes and 24 hours ago from now

find(/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)

妤把抉扶忘?我找快扭抉忱批忱忘把忘?快志把快忱扶抉扼找我批忱快扳我扶我扼忘扶抉技扭快把我抉忱批快志忘抖批忘扯我?快.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer, String, Text, Log.
圾把忘?忘: 1 - 扭把抉扶忘?快扶抉; 0 - 我扶忘折快.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快批抉忌我折忘?快扶快扭忘把忘技快找把快;
sec 我抖我 #num (抉扭扯我抉扶抉) - 扭抉忱把忘戒批技快志忘扶忘 ?快扶忘?扶抉志我?忘志把快忱扶抉扼找忘抗抉扶我?快扶忘志快忱快扶忘
operator (技抉把忘忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘). 妤抉忱把忪忘扶我 operators:
eq - ?快忱扶忘抗抉 (扭抉忱把忘戒批技快志忘扶抉戒忘 integer, float)
ne - 扶我?快 ?快忱扶忘抗抉
gt - 志快?快抉忱
ge - 志快?快我抖我 ?快忱扶忘抗抉
lt - 技忘?快抉忱
le - 技忘?快我抖我 ?快忱扶忘抗抉
like (扭抉忱把忘戒批技快志忘扶抉戒忘 string, text, log) - 抉忱忍抉志忘把忘忘抗抉扼忘忱把忪我扼找把我扶忍忱忘找批 pattern (抉扼快找?我志抉扶忘志快抖我抗忘我技忘抖忘扼抖抉志忘)
* bitand* - 扭抉忌我找抉志扼抗抉技 AND
* regexp* - 扭抉忱批忱忘把忘?快把快忍批抖忘把扶抉忍我戒把忘戒忘忱忘找抉忍批 pattern
* iregexp* - 扭抉忱批忱忘把忘?快把快忍批抖忘把扶抉忍我戒把忘戒忘忌快戒抉忌戒我把忘扶忘志快抖我抗忘我技忘抖忘扼抖抉志忘批 pattern
** pattern** - 找把忘忪快扶我抉忌把忘戒忘扯 (忘把忍批技快扶找我扼找把我扶忍抉志忘技抉把忘?批忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘); (PCRE) 把快忍批抖忘把扶我我戒把忘戒忘抗抉 ?快 operator regexp, iregexp.

妞抉技快扶找忘把我:

均抗抉扼快抉忌把忘忱我志我扮快抉忱 ?快忱扶快志把快忱扶抉扼找我, '1' 扼快志把忘?忘忘抗抉扭抉扼找抉?我忌忘把 ?快忱扶忘抉忱忍抉志忘把忘?批?忘志把快忱扶抉扼找;
like 扶我?快扭抉忱把忪忘扶抉抗忘抉抉扭快把忘找抉把戒忘扯快抖抉忌把抉?扶快志把快忱扶抉扼找我;
like 我 bitand 扶我扼批扭抉忱把忪忘扶我抗忘抉抉扭快把忘找抉把我戒忘 float 志把快忱扶抉扼找我;
妝忘 string, text, and log 志把快忱扶抉扼找我扭抉忱把忪忘扶我扼批扼忘技抉抉扭快把忘找抉把我 eq, ne, like, regexp 我 iregexp;
妊忘 regexp 我抖我 iregexp 抗忘抉抉扭快把忘找抉把抉技, 折快找志把找我扭忘把忘技快找忘把 pattern 技抉忪快忌我找我抉忌我折忘扶我抖我忍抖抉忌忘抖扶我 (抗抉?我扭抉折我?快扼忘 '@') 把快忍批抖忘把扶我我戒把忘戒. 孝扼抖批折忘?批忍抖抉忌忘抖扶我抒把快忍批抖忘把扶我抒我戒把忘戒忘, 抉扼快找?我志抉扼找扶忘志快抖我抗忘我技忘抖忘扼抖抉志忘扼快扶忘扼抖快?批?快我戒扭抉忱快扮忘志忘?忘忍抖抉忌忘抖扶抉忍把快忍批抖忘把扶抉忍我戒把忘戒忘.

妤把我技快把:

find(/host/key,10m,"like","error") #find a value that contains 'error' within the last 10 minutes until now

first(/host/key,sec<:time shift>)

妤把志忘 (扶忘?扼找忘把我?忘) 志把快忱扶抉扼找批忱快扳我扶我扼忘扶抉技扭快把我抉忱批快志忘抖批忘扯我?快.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer, String, Text, Log.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我.

妥忘抗抉?快扭抉忍抖快忱忘?找快 last().

妤把我技快把:

first(/host/key,1h) #retrieve the oldest value within the last hour until now

fuzzytime(/host/key,sec)

妤把抉志快把我找快抗抉抖我抗抉扼快志把快技快扭忘扼我志扶抉忍忘忍快扶找忘把忘戒抖我抗批?快抉忱志把快技快扶忘韓誥傭痔扼快把志快把忘/扭把抉抗扼我?忘.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer.
圾把忘?忘: 1 - 把忘戒抖我抗忘我戒技快?批志把快忱扶抉扼找我扭忘扼我志扶快扼找忘志抗快 (抗忘抉志把快技快扶扼抗快抉戒扶忘抗快) 我志把快技快扶扼抗快抉戒扶忘抗快韓誥傭痔扼快把志快把忘/扭把抉抗扼我?忘 (扼忘找扭把我抗批扭?忘?忘志把快忱扶抉扼找我) ?快技忘?忘我抖我 ?快忱扶忘抗忘抉忱 sec 扼快抗批扶忱我; 0 - 我扶忘折快.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗快扭忘把忘技快找把快.

妞抉技快扶找忘把我:

妍忌我折扶抉扼快抗抉把我扼找我扼忘扼找忘志抗抉技 'system.localtime' 戒忘扭把抉志快把批忱忘抖我 ?快抖抉抗忘抖扶抉志把快技快扼我扶抒把抉扶我戒抉志忘扶抉扼忘抖抉抗忘抖扶我技志把快技快扶抉技韓誥傭痔扼快把志快把忘. 妒技忘?找快扶忘批技批 忱忘 'system.localtime' 技抉把忘忌我找我抗抉扶扳我忍批把我扼忘扶忘抗忘抉扭忘扼我志扶忘扭把抉志快把忘.
妙抉忪快扼快抗抉把我扼找我找我我扼忘抗?批折快技 vfs.file.time[/path/file,modify] 忱忘扼快扭把抉志快把我忱忘抖我忱忘找抉找快抗忘扶我?快忱抉忌我?忘抖忘忘忪批把我把忘?忘忱批忪快志把快技快;
妍志忘扳批扶抗扯我?忘扼快扶快扭把快扭抉把批折批?快戒忘抗抉把我扮?快?快批扼抖抉忪快扶我技我戒把忘戒我技忘抉抗我忱忘折忘 (扼忘批抗?批折快扶我技志我扮快扼找忘志抗我), ?快把技抉忪快忱忘我戒忘戒抉志快扶快抉折快抗我志忘扶快把快戒批抖找忘找快 (志把快技快扶扼抗忘把忘戒抖我抗忘 ?快扼快技快把我找我扶忘?扶抉志我?抉技技快找把我抗抉技), 扶扭把., 批 fuzzytime(/Host/system.localtime,60s)=0 or last(/Host/trap)<>0.

妤把我技快把:

fuzzytime(/host/key,60s)=0 #抉找抗把我志忘扭把抉忌抖快技忘抗抉 ?快志把快技快扶扼抗忘把忘戒抖我抗忘志快?忘抉忱 60 扼快抗批扶忱我

last(/host/key,<#num<:time shift>>)

妖忘?扶抉志我?忘志把快忱扶抉扼找.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer, String, Text, Log.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我;
#num (抉扭扯我抉扶抉) - N-找忘扶忘?扶抉志我?忘志把快忱扶抉扼找.

妞抉技快扶找忘把我:

妒技忘?找快扶忘批技批忱忘志把快技快扶扼抗我扭快把我抉忱抉戒扶忘折快扶抒快扮抉技 (#N) 抉志忱快扳批扶抗扯我抉扶我扮快忱把批忍忘折我?快扶快忍抉抗抉忱技扶抉忍我抒忱把批忍我抒扳批扶抗扯我?忘. 妖忘扭把我技快把: last(/host/key) ?快批志快抗 ?快忱扶忘抗抉 last(/host/key,#1); last(/host/key,#3) - 找把快?忘扶忘?扶抉志我?忘志把快忱扶抉扼找 (not 找把我扭抉扼抖快忱?快志把快忱扶抉扼找我);
韓誥傭痔扶快忍忘把忘扶找批?快找忘折忘扶把快忱抉扼抖快忱志把快忱扶抉扼找我忘抗抉扭抉扼找抉?我志我扮快抉忱忱志快志把快忱扶抉扼找我批 ?快忱扶抉? 扼快抗批扶忱我批我扼找抉把我?我;
妤抉忍抖快忱忘?找快找忘抗抉?快 first().

妤把我技快把:

last(/host/key) #retrieve the last value
       last(/host/key,#2) #retrieve the previous value
       last(/host/key,#1) <> last(/host/key,#2) #the last and previous values differ

logeventid(/host/key,<#num<:time shift>>,<pattern>)

妤把抉志快把我找快忱忘抖我扼快 ID 忱抉忍忘?忘?忘扭抉扼抖快忱?快忍批扶抉扼忘批快志我忱快扶扯我?我扭抉忱批忱忘把忘扼忘把快忍批抖忘把扶我技我戒把忘戒抉技.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Log.
圾把忘?忘: 0 - 扶快抉忱忍抉志忘把忘; 1 - 抉忱忍抉志忘把忘.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我;
#num (抉扭扯我抉扶抉) - N-找忘扶忘?扶抉志我?忘志把快忱扶抉扼找;
pattern (抉扭扯我抉扶抉) - 把快忍批抖忘把扶我我戒把忘戒抗抉?我抉扭我扼批?快扭抉找把快忌忘扶抉忌把忘戒忘扯, 扼找我抖 (PCRE) (扼找把我扶忍忘把忍批技快扶忘找忘技抉把忘忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘).

logseverity(/host/key,<#num<:time shift>>)

妍戒忌我?扶抉扼找忱扶快志扶我抗忘扭抉扼抖快忱?快忍批扶抉扼忘批忱扶快志扶我抗.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Log.
圾把忘?忘: 0 - 扭抉忱把忘戒批技快志忘扶忘抉戒忌我?扶抉扼找; N - 抉戒忌我?扶抉扼找 (扯快抉忌把抉?, 抗抉把我扼扶抉戒忘 Windows 忱抉忍忘?忘?快: 1 - 妒扶扳抉把技忘扯我?快, 2 - 孝扭抉戒抉把快?快, 4 - 坐把快扮抗忘, 7 - 妖快批扼扭快抖忘扭把抉志快把忘, 8 - 孝扼扭快扮扶忘扭把抉志快把忘, 9 - 妞把我找我折扶忘, 10 - 坏快找忘?扶抉).

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我;
#num (抉扭扯我抉扶抉) - N-找忘扶忘?扶抉志我?忘志把快忱扶抉扼找.

妝忘忌忌我抗扭把快批戒我技忘抉戒忌我?扶抉扼找快志我忱快扶扯我?快我戒扭抉?忘 妒扶扳抉把技忘扯我?快 Windows 快志我忱快扶扯我?快忱抉忍忘?忘?忘.

logsource(/host/key,<#num<:time shift>>,<pattern>)

妤把抉志快把忘志忘忱忘抖我我戒志抉把快志我忱快扶扯我?快扭抉扼抖快忱?快忍批扶抉扼忘忱扶快志扶我抗忘抉忱忍抉志忘把忘把快忍批抖忘把扶抉技我戒把忘戒批.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: * Log*.
圾把忘?忘: 0 - 扶快抉忱忍抉志忘把忘; 1 - 抉忱忍抉志忘把忘.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗快扭忘把忘技快找把快;
#num (抉扭扯我抉扶抉) - N-找忘扶忘?扶抉志我?忘志把快忱扶抉扼找;
** pattern** (抉扭扯我抉扶抉) - 把快忍批抖忘把扶我我戒把忘戒抗抉?我抉扭我扼批?快扭抉找把快忌忘扶抉忌把忘戒忘扯, (PCRE) 扼找我抖 (扼找把我扶忍忘把忍批技快扶找我技抉把忘?批忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘).

妍忌我折扶抉扼快抗抉把我扼找我戒忘 Windows 快志我忱快扶扯我?快忱抉忍忘?忘?忘.

妤把我技快把:

logsource(/host/key,,"VMware Server")

monodec(/host/key,(sec|#num)<:time shift>,<mode>)

妤把抉志快把我找快忱忘抖我 ?快忱抉扮抖抉忱抉技抉扶抉找抉扶抉忍扭忘忱忘志把快忱扶抉扼找我.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Integer.
圾把忘?忘: 1 - 忘抗抉扼快扼志我快抖快技快扶找我批志把快技快扶扼抗抉技扭快把我抉忱批抗抉扶找我扶批我把忘扶抉扼技忘?批?批; 0 - 我扶忘折快.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我;
mode (技抉把忘忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘) - weak (扼志忘抗忘志把快忱扶抉扼找 ?快技忘?忘我抖我我扼找忘抗忘抉扭把快找抒抉忱扶忘; 扭抉忱把忘戒批技快志忘扶抉) 我抖我 * strict* (扼志忘抗忘志把快忱扶抉扼找 ?快扼技忘?快扶忘).

妤把我技快把:

monodec(/Host1/system.swap.size[all,free],60s) + monodec(/Host2/system.swap.size[all,free],60s) + monodec(/Host3/system.swap.size[all,free],60s) #calculate in how many hosts there has been a decrease in free swap size

monoinc(/host/key,(sec|#num)<:time shift>,<mode>)

妤把抉志快把我找快忱忘抖我 ?快忱抉扮抖抉忱抉技抉扶抉找抉扶抉忍扭抉志快?忘?忘志把快忱扶抉扼找我.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: * Integer*.
圾把忘?忘: 1 - 忘抗抉扼快扼志我快抖快技快扶找我批志把快技快扶扼抗抉技扭快把我抉忱批抗抉扶找我扶批我把忘扶抉扭抉志快?忘志忘?批; 0 - 我扶忘折快.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我;
mode (技抉把忘忌我找我扭抉忱忱志抉扼找把批抗我技扶忘志抉忱扶我扯我技忘) - weak (扼志忘抗忘志把快忱扶抉扼找 ?快志快?忘我抖我我扼找忘抗忘抉扭把快找抒抉忱扶忘; 扭抉忱把忘戒批技快志忘扶抉) 我抖我 * strict* (扼志忘抗忘志把快忱扶抉扼找 ?快扭抉志快?忘扶忘).

妤把我技快把:

monoinc(/Host1/system.localtime,#3,"strict")=0 #check if the system local time has been increasing consistently

nodata(/host/key,sec,<mode>)

妤把抉志快把我找快忱忘扶快技忘扭把我技?快扶我抒扭抉忱忘找忘抗忘.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Integer, Float, Character, Text, Log.
圾把忘?忘: 1 - 忘抗抉扶我扼批扭把我技?快扶我扭抉忱忘扯我找抉抗抉技忱快扳我扶我扼忘扶抉忍志把快技快扶扼抗抉忍扭快把我抉忱忘; 0 - 我扶忘折快.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗快扭忘把忘技快找把快;
sec - 扭快把我抉忱扶快忌我找把快忌忘抖抉忱忘忌批忱快抗把忘?我抉忱 30 扼快抗批扶忱我 ?快把扭把抉扯快扼扼我扶抒把抉扶我戒忘扯我?快我扼找抉把我?快我戒把忘折批扶忘志忘抉志批扳批扶抗扯我?批扼忘技抉扼志忘抗我抒 30 扼快抗批扶忱我; nodata(/host/key,0) ?快扶快忱抉戒志抉?快扶抉.
** mode** - 忘抗抉 ?快扭抉扼找忘志?快扶抉扶忘 strict (忱志抉扼找把批抗我扶忘志抉忱扶我扯我), 抉志忘扳批扶抗扯我?忘 ?快忌我找我扶快抉扼快找?我志忘扶忘忱抉扼找批扭扶抉扼找扭把抉抗扼我?忘 (扭抉忍抖快忱忘?找快抗抉技快扶找忘把快戒忘忱快找忘?快).

妞抉技快扶找忘把我:

抉抗我忱忘折我 'nodata' 抗抉?快扶忘忱忍抖快忱忘扭把抉抗扼我扼批, 扭抉忱把忘戒批技快志忘扶抉, 抉扼快找?我志我扶忘忱抉扼找批扭扶抉扼找扭把抉抗扼我?忘 - 忘抗抉扭把抉抗扼我扭抉扼找忘扶快扶快忱抉扼找批扭忘扶, 抉抗我忱忘折我 'nodata' 扼快扶快?快扭抉抗把快扶批找我抉忱技忘抒扶忘抗抉扶抉忌扶忘志?忘?忘志快戒快, 志快? ?快扭把快扼抗抉折我找我扭抉忱忘找抗快戒忘抉忱抖抉忪快扶我扭快把我抉忱. 妒技忘?找快扶忘批技批忱忘扼快戒忘扭忘扼我志扶快扭把抉抗扼我?快扭抉找我扼抗我志忘?快忘抗找我志我把忘忘抗抉扼快志快戒忘扭抉扶抉志抉批扼扭抉扼找忘志我戒忘志我扮快抉忱 15 扼快抗批扶忱我我扶快技忘?快抉忱 2 扼快抗批扶忱快抗忘扼扶我?快. 妝忘忘抗找我志扶快扭把抉抗扼我?快扼批戒忌我?忘?快扼快忘抗找我志我把忘忘抗抉扼快志快戒忘批扼扭抉扼找忘志我志我扮快抉忱 15 扼快抗批扶忱我抗忘扼扶我?快. 坏忘忌我扼找快我扼抗?批折我抖我抉扼快找?我志抉扼找扶忘忱抉扼找批扭扶抉扼找扭把抉抗扼我?忘, 抗抉把我扼找我找快找把快?我扭忘把忘技快找忘把, 扶扭把.: nodata(/host/key,5m,"strict"); 批抉志抉技扼抖批折忘?批扳批扶抗扯我?忘 ?快扼快扭抉抗把快扶批找我折我技扭把抉?快扭快把我抉忱快志忘抖批忘扯我?快 (扭快找技我扶批找忘) 忌快戒扭抉忱忘找忘抗忘.
妍志忘扳批扶抗扯我?忘 ?快扭把我抗忘戒忘找我忍把快扮抗批忘抗抉批抉抗志我把批扭快把我抉忱忘扭把志抉忍扭忘把忘技快找把忘:
- 扶快技忘扭抉忱忘找忘抗忘我韓誥傭痔扼快把志快把 ?快扭抉扶抉志抉扭抉抗把快扶批找
- 扶快技忘扭抉忱忘找忘抗忘我抉忱把忪忘志忘?快 ?快戒忘志把扮快扶抉
- 扶快技忘扭抉忱忘找忘抗忘我扼找忘志抗忘 ?快忱抉忱忘找忘我抖我扭抉扶抉志抉抉技抉忍批?快扶忘
坐把快扮抗快扼快扭把我抗忘戒批?批批抗抉抖抉扶我 妒扶扳抉把技忘扯我?快 批抉抗我忱忘折批抗抉扶扳我忍批把忘扯我?忘;
妍志忘扳批扶抗扯我?忘技抉忪忱忘扶快?快我扼扭把忘志扶抉把忘忱我找我忘抗抉扭抉扼找抉?快志把快技快扶扼抗快把忘戒抖我抗快我戒技快?批韓誥傭痔扼快把志快把忘, 扭把抉抗扼我?忘我忘忍快扶找忘. 妥忘抗抉?快扭抉忍抖快忱忘?找快: 孝扼抖抉志戒忘志把快技快扶扼抗批扼我扶抒把抉扶我戒忘扯我?批;
孜批扶抗扯我?忘 nodata() 扼快扶快技抉忪快抗抉把我扼找我找我批我戒把忘戒批扼忘技忘; 扶忘?技忘?快 ?快忱扶忘扳批扶抗扯我?忘我戒忱把批忍快忍把批扭快, 抗抉?忘批扭批?批?快扶忘扼找忘志抗批忱抉技忘?我扶忘, 技抉把忘忌我找我批抗?批折快扶忘批我戒把忘戒 (抉扼我技扳批扶抗扯我?忘戒忘忱忘找批技我志把快技快). 妝忘忱快找忘?扶快我扶扳抉把技忘扯我?快抉找抉技快抗忘抗抉扳批扶抗扯我?忘 nodata() 扳批扶抗扯我抉扶我扮快批扶批找忘把我戒把忘戒忘, 扭抉忍抖快忱忘?找快圾把快技快我戒把忘折批扶忘志忘?忘.

percentile(/host/key,(sec|#num)<:time shift>,percentage)

P-找我扭快把扯快扶找我抖扭快把我抉忱忘, 忍忱快 ?快 P (扭把抉扯快扶忘找) 抉忱把快?快扶找把快?我技扭忘把忘技快找把抉技.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我;
percentage - a floating-point number between 0 and 100 (inclusive) with up to 4 digits after the decimal point.

rate(/host/key,sec<:time shift>)

妤把抉扼快折扶忘扼找抉扭忘扭抉志快?忘?忘技抉扶抉找抉扶抉把忘扼找批?快忍忌把抉?忘折忘批扼快抗批扶忱我批抉抗志我把批忱快扳我扶我扼忘扶抉忍志把快技快扶扼抗抉忍扭快把我抉忱忘.
妤抉忱把忪忘扶我找我扭抉志我志把快忱扶抉扼找我: Float, Integer.

妤忘把忘技快找把我:

妤抉忍抖快忱忘?找快戒忘?快忱扶我折抗我扭忘把忘技快找把我.

孜批扶抗扯我抉扶忘抖扶抉抉忱忍抉志忘把忘 '' 抉忱 PromQL.

妤把我技快把:

rate(/host/key,30s) #if the monotonic increase over 30 seconds is 20, this function will return 0.67.

妤抉忍抖快忱忘?找快扼志快扭抉忱把忪忘扶快扳批扶抗扯我?快.

韓誥傭痔

Documentation

4 孜批扶抗扯我?快 我扼找抉把我?快

妝忘?快忱扶我折抗我 扭忘把忘技快找把我

坏快找忘?我 扳批扶抗扯我?快

change(/host/key)

changecount(/host/key,(sec|#num)<:time shift>,<mode>)

count(/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)

countunique(/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)

find(/host/key,(sec|#num)<:time shift>,<operator>,<pattern>)

first(/host/key,sec<:time shift>)

fuzzytime(/host/key,sec)

last(/host/key,<#num<:time shift>>)

logeventid(/host/key,<#num<:time shift>>,<pattern>)

logseverity(/host/key,<#num<:time shift>>)

logsource(/host/key,<#num<:time shift>>,<pattern>)

monodec(/host/key,(sec|#num)<:time shift>,<mode>)

monoinc(/host/key,(sec|#num)<:time shift>,<mode>)

nodata(/host/key,sec,<mode>)

percentile(/host/key,(sec|#num)<:time shift>,percentage)

rate(/host/key,sec<:time shift>)

4 孜批扶抗扯我?快我扼找抉把我?快

妝忘?快忱扶我折抗我扭忘把忘技快找把我

坏快找忘?我扳批扶抗扯我?快