Command Types

There are 3 primary types of commands.

  • Source commands produce a stream of events on their own. They must be used as the first command in a search.
    • These commands will spawn a pool of workers to perform operations in parallel.
  • Stage commands perform an operation on a single event.
    • These commands will not spawn any additional workers.
  • Blocking commands aggregate multiple events into a single event. These commands may block the stream of events until they have enough data to produce an output event.
    • These commands will spawn a pool of workers to perform operations in parallel.

Syntax Notes

Comments can be added anywhere whitespace is accepted by enclosing text in backticks:

select web `limit to 404s` status=404
| stats count by host

Comments are ignored by the search parser and cannot contain another backtick.