addfields

Use the addfields command to generate aggregated data within groups identified by any grouping command such as stats, link, or timestats. The output of the command includes one field for each aggregation in the stats sub-query.

You can use the addfields command with the run-time fields that are generated by the stats, eventstats, and eval commands.

Syntax

addfields <subquery> [, <subquery>]

where subquery can be expanded as follows: [ <logical_expression> / <boolean_expression> | <eventstats_functions> / <stats_functions> ]

Parameters

The following table lists the parameters used in this command, along with their descriptions.

Parameter: logical_expression, boolean_expression

    Each sub-query must begin with a logical or a boolean expression that selects a subset of the data within each group. See search and where for details on the expressions.

Parameter: eventstats_functions

    The eventstats functions to apply on group properties. See eventstats for details on the available functions.

Parameter: stats_functions

    The stats functions to apply on the selected data. See stats for details on the available functions.

The addfields command can be used in the following modes:

  • For fields that are found in the log file:

    addfields [ <field> | stats ...]
  • For fields that are created outside of link using eval:

    addfields [ * | where <field> | stats ...]
  • For fields that are created inside link using a stats, eventstats or eval:

    addfields [ * | where <field> | eventstats ...]

The following commands return, for each entity type, a count of the entities whose name starts with a given pattern:

* | link 'Entity Type' 
| addfields 
    [ substr(Entity, 0, 3) = 'adc' | stats count as 'ADC Count' ], 
    [ substr(Entity, 0, 3) = 'slc' | stats count as 'SLC Count']
* | stats count by 'Entity Type' 
| addfields 
    [ substr(Entity, 0, 3) = 'adc' | stats count as 'ADC Count' ], 
    [ substr(Entity, 0, 3) = 'slc' | stats count as 'SLC Count']

The following commands compute the average content size and the earliest severity for each entity type, then, within the Cluster Database group only, add the first content size (in sorted order) found for each severity:

* | link 'Entity Type' 
| stats avg('Content Size') as 'Content Size', earliest(Severity) as Severity 
| addfields 
    [ * | where 'Entity Type' = 'Cluster Database'     
        | sort 'Content Size' 
        | eventstats first('Content Size') by Severity 
    ]
* | stats avg('Content Size') as 'Content Size', earliest(Severity) as Severity by 'Entity Type'  
| addfields 
    [ * | where 'Entity Type' = 'Cluster Database' 
        | sort 'Content Size' 
        | eventstats first('Content Size') by Severity ]

Identify the row number of the last abnormal termination event for a database:

'Log Source' = 'Database Alert Logs' and Label != null and Entity = MyDB
| rename Entity as Database
| link span = 1minute Time, Database, Label
| sort Database, 'Start Time'
| eventstats rownum as 'Row Number' by Database
| addfields
   [ * | where Label = 'Abnormal Termination'
       | eventstats last('Row Number') as 'Crash Row'
   ]
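To make the semantics of the two patterns above concrete, here is an added Python model of how a grouping command followed by addfields behaves; it is illustrative code written for this page, not the Logging Analytics engine or its API. It models `link` as grouping, a `stats` sub-query (the ADC/SLC count example) as filter-then-aggregate producing one value per group, and an `eventstats` sub-query (the Crash Row example) as filter-then-aggregate whose result is written onto every row of the group. The sample records, the `substr(value, start, length)` convention and the broadcast-to-all-rows behaviour of eventstats are assumptions of the model.

```python
from collections import defaultdict

# Constructed sample log records (not from the page): one dict per log entry.
RECORDS = [
    {"Entity Type": "Host", "Entity": "adc-host-01"},
    {"Entity Type": "Host", "Entity": "adc-host-02"},
    {"Entity Type": "Host", "Entity": "slc-host-01"},
    {"Entity Type": "Database", "Entity": "adc-db-01"},
    {"Entity Type": "Database", "Entity": "slc-db-01"},
    {"Entity Type": "Database", "Entity": "slc-db-02"},
]

# Constructed rows as they would look after `link span = 1minute Time, Database, Label`
# for the database alert log example (assumed shape, not product output).
ALERT_ROWS = [
    {"Database": "MyDB", "Start Time": "2024-01-01T10:00", "Label": None},
    {"Database": "MyDB", "Start Time": "2024-01-01T10:01", "Label": "Abnormal Termination"},
    {"Database": "MyDB", "Start Time": "2024-01-01T10:02", "Label": None},
    {"Database": "MyDB", "Start Time": "2024-01-01T10:03", "Label": "Abnormal Termination"},
    {"Database": "MyDB", "Start Time": "2024-01-01T10:04", "Label": None},
]


def substr(value, start, length):
    """Assumed model of substr(value, start, length): start is 0-based."""
    return value[start:start + length]


def link(records, key):
    """Model of `link <key>`: group records by the key field, keeping first-seen order."""
    groups = defaultdict(list)
    for record in records:
        groups[record[key]].append(record)
    return groups


def addfields_stats(groups, key, subqueries):
    """Model of addfields with `stats` sub-queries.

    For each group, every sub-query (predicate, aggregation, output name) selects the
    rows matching the predicate, aggregates them, and contributes one field to the
    group's output row.
    """
    output = []
    for group_value, rows in groups.items():
        row = {key: group_value}
        for predicate, aggregate, name in subqueries:
            row[name] = aggregate([r for r in rows if predicate(r)])
        output.append(row)
    return output


def eventstats_rownum(groups, name):
    """Model of `eventstats rownum as <name> by <group>`: number rows within each group."""
    for rows in groups.values():
        for index, row in enumerate(rows, start=1):
            row[name] = index
    return groups


def addfields_eventstats_last(groups, predicate, field, name):
    """Model of addfields [ * | where <pred> | eventstats last(<field>) as <name> ].

    Within each group, take <field> from the last row matching the predicate and
    (assumed eventstats behaviour) write it onto every row of the group; groups with
    no matching row get None.
    """
    for rows in groups.values():
        matching = [r for r in rows if predicate(r)]
        value = matching[-1][field] if matching else None
        for row in rows:
            row[name] = value
    return groups


def adc_slc_counts():
    """Equivalent of: * | link 'Entity Type' | addfields [ substr(Entity,0,3)='adc' | stats count ... ]"""
    groups = link(RECORDS, "Entity Type")
    return addfields_stats(groups, "Entity Type", [
        (lambda r: substr(r["Entity"], 0, 3) == "adc", len, "ADC Count"),
        (lambda r: substr(r["Entity"], 0, 3) == "slc", len, "SLC Count"),
    ])


def crash_rows():
    """Equivalent of the Crash Row query: sort, number rows per database, then mark the
    row number of the last 'Abnormal Termination' event on every row of that database."""
    ordered = sorted(ALERT_ROWS, key=lambda r: (r["Database"], r["Start Time"]))
    groups = link(ordered, "Database")
    eventstats_rownum(groups, "Row Number")
    addfields_eventstats_last(groups, lambda r: r["Label"] == "Abnormal Termination",
                              "Row Number", "Crash Row")
    return groups["MyDB"]


if __name__ == "__main__":
    for row in adc_slc_counts():
        print(row)
    for row in crash_rows():
        print(row["Row Number"], row["Label"], row["Crash Row"])
```

Running the model shows the two shapes of output: the stats form yields one row per entity type with an ADC Count and an SLC Count, while the eventstats form keeps every alert row and stamps the same Crash Row value on each, so a later `where 'Row Number' > 'Crash Row'` style filter could pick out events after the last termination.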