Filtering commands
dedup
Removes duplicates from a list of records.
You can use a field name or expression for deduplication. The output of the dedup command will have the same number of records as there are unique values in the given field or expression.
The original order of the records is not preserved. Therefore, by default the sequence of records that are chosen during deduplication is random. If you want to pick a particular record out of the duplicates, you can use the sort parameter.
The count of records following the dedup command will be identical to the count of records following the summarize command. The summarize command groups together records with the same values for a given field and aggregates them, whereas dedup removes duplicate values from a list of records.
Syntax
dedup expr, [expr...], [sort:expr [asc|desc], [....expr [asc|desc]]]
Basic examples
Example 1: Show all locations
In the following example, the input for the dedup command are records that show the number of bookings and their locations historically. The dedup command removes duplicate records based on the field location and keeps a random record per unique location.
data record(timestamp = 1, location = "Vienna", bookings = 1254),record(timestamp = 1, location = "London", bookings = 4564),record(timestamp = 2, location = "Vienna", bookings = 1457),record(timestamp = 2, location = "London", bookings = 8741),record(timestamp = 3, location = "Vienna", bookings = 1654)| dedup location
Query result:
| timestamp | location | bookings |
|---|---|---|
1 | London | 4,564 |
1 | Vienna | 1,254 |
Example 2: Bookings per location
In the following example, the input for the dedup command are records that show the number of bookings and their locations historically. The dedup command removes duplicate records based on the field location and for each location keeps the record with the latest timestamp.
data record(timestamp = 1, location = "Vienna", bookings = 1254),record(timestamp = 1, location = "London", bookings = 4564),record(timestamp = 2, location = "Vienna", bookings = 1457),record(timestamp = 2, location = "London", bookings = 8741),record(timestamp = 3, location = "Vienna", bookings = 1654)| dedup location, sort: { timestamp desc }
Query result:
| timestamp | location | bookings |
|---|---|---|
2 | London | 8,741 |
3 | Vienna | 1,654 |
Practical example
Example: List currently open vulnerabilities
The following example shows the currently open vulnerabilities. Because vulnerabilities are stored as snapshot, the dedup command is used to retrieve the most recent snapshot of a vulnerability.
fetch events| filter event.provider == "Dynatrace"| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"| filter event.level== "VULNERABILITY"| filter vulnerability.resolution.status == "OPEN"| filter vulnerability.mute.status != "MUTED"| dedup vulnerability.display_id, sort: { timestamp desc }
filter
Reduces the number of records in a list by keeping only those records that match the specified condition.
Syntax
filter condition [, input]
Basic examples
Example 1: Filter on one condition
The following query uses the filter command to filter on the field event.
data record(event = "search failed", prodId = 5, qty = 6, host = "A"),record(event = "product found", prodId = 3, qty = 3, host = "A"),record(event = "search failed", prodId = 4, qty = 7, host = "B"),record(event = "search failed", prodId = 2, qty = 7, host = "C")| filter event == "search failed"
Query result:
| event | prodId | qty | host |
|---|---|---|---|
search failed | 5 | 6 | A |
search failed | 4 | 7 | B |
search failed | 2 | 7 | C |
Example 2: Filter on multiple conditions
The following query uses the filter command to filter records based on evaluating multiple conditions.
Logical operators connect the conditions.
data record(event = "search failed", prodId = 5, qty = 6, host = "A"),record(event = "product found", prodId = 3, qty = 3, host = "A"),record(event = "search failed", prodId = 4, qty = 7, host = "B"),record(event = "search failed", prodId = 2, qty = 7, host = "C")| filter in(host, array("B", "C")) or prodId == 3
Query result:
| event | prodId | qty | host |
|---|---|---|---|
product found | 3 | 3 | A |
search failed | 4 | 7 | B |
search failed | 2 | 7 | C |
Practical example
Example: Filter for critical logs
The following example uses the fetch command to load data from logs.
The filter command keeps only error records containing the string failed in the content field.
fetch logs| filter loglevel == "ERROR" and matchesPhrase(content, "failed")
filterOut
Removes records that match a specific condition.
Syntax
filterOut condition [, input]
Basic examples
Example 1: Filter out by one condition
The following query uses the filterOut command to remove records based on the field event.
data record(event = "search failed", prodId = 5, qty = 6, host = "A"),record(event = "product found", prodId = 3, qty = 3, host = "A"),record(event = "search failed", prodId = 4, qty = 7, host = "B"),record(event = "search failed", prodId = 2, qty = 7, host = "C")| filterOut event == "product found"
Query result:
| event | prodId | qty | host |
|---|---|---|---|
search failed | 5 | 6 | A |
search failed | 4 | 7 | B |
search failed | 2 | 7 | C |
Example 2: Filter out by multiple conditions
The following query uses the filterOut command to remove records based on evaluating multiple conditions.
Logical operators connect the conditions.
data record(event = "search failed", prodId = 5, qty = 6, host = "A"),record(event = "product found", prodId = 3, qty = 3, host = "A"),record(event = "search failed", prodId = 4, qty = 7, host = "B"),record(event = "search failed", prodId = 2, qty = 7, host = "C")| filterOut host == "A" and qty > 3 or prodId == 4
Query result:
| event | prodId | qty | host |
|---|---|---|---|
product found | 3 | 3 | A |
search failed | 2 | 7 | C |
Practical example
Example: Filter out informational logs
The following example uses the fetch command to load data from logs.
The filterOut command removes records with a loglevel value of NONE or INFO.
fetch logs| filterOut loglevel == "NONE" or loglevel == "INFO"