updatetable
Use the updatetable command to update an existing table created using
the createtable command. You can apply a sub-query or an
eval expression to the table, and show or hide fields. This command
works only in the link visualization.
Syntax:
updatetable name = <name> <subquery>Parameters
The following table lists the parameters used in this command, along with their descriptions.
| Parameter | Description |
|---|---|
name |
Name of the table, as used in the
|
subquery |
The sub-query to apply on the tabulated data. |
The following command calculates the average content size in GB and adds
the new column Avg Content Size (GB) to the table:
* | link Entity, Severity
| eventstats avg('Content Size') as 'Avg Content Size' by Severity
| createtable name = 'Size By Severity' select Severity, 'Avg Content Size'
| updatetable name = 'Size By Severity' [
*| eval 'Avg Content Size (GB)' = unit('Avg Content Size' / 1024 / 1024, GB)]The following command summarizes the top 3 average content sizes:
* | link Entity, Severity
| eventstats avg('Content Size') as 'Avg Content Size' by Severity
| createtable name = 'Size By Severity' select Severity, 'Avg Content Size'
| updatetable name = 'Size By Severity' [ Severity != Info | top limit = 3 'Avg Content Size' ]