Enrich your queries with additional terms. Refer to the table below for examples.
| FUNCTION | EXAMPLE |
|---|---|
| Time ranges: Month, day, hour | `jKQL> Get events for this month` |
| Group by: Creates a row for each unique set of values for the columns being grouped on | `jKQL> Get events fields location where eventname contains 'order' group by location show as barchart` |
| Buckets: Bucketing allows multiple "group by" result rows to be combined into a single result row. Used when a "group by" statement returns too much data. Bucketing can only be applied to INTEGER, DECIMAL, TIMESTAMP, and TIMEINTERVAL data types. | `jKQL> Get number of events group by starttime bucketed by minute show as anomalychart`<br>`jKQL> Get number of activities group by snapshotcount bucketed by size 7 show as histogram`<br>`jKQL> Get number of activities group by eventcount bucketed by count 3 show as table` |
| Locations: Geolocation | `jKQL> Get Event for This Month where Location = 'London, England'` |
| Sort by: Sort data | `jKQL> Get Activities from 'Purchasing' for today sort by ElapsedTime desc` |
| Order by: Sort data in ascending (asc) or descending (desc) order | `jKQL> Get Events order by eventID desc` |
| Last: Filter data for a specified time range | `jKQL> Get number of events for last 5 days` |
| Latest: Starts filtering from the latest time period that includes displayable data. This differs from "last", which could return nothing, as there may not be any events in the last x time period specified. | `jKQL> Get number of events for latest 5 days group by starttime bucketed by day, severity show as stackchart` |
| Find: Search data | `jKQL> Find 'order' in Activities`<br>`jKQL> Find 'critical' in Events` |
| Filter: Filter viewlet data. Use the expression `where <item_type>=${E:<item_type>:<item>:<item_type>}` | `jKQL> Get number of Event where EventType = ${E:event type:Event:EventType} group by Severity show as colchart`<br>`jKQL> Get relative where RelativeType = ${E:Relative Type:Relative:RelativeType} show as topology` → `get Relative where RelativeType = 'SendTo' show as topology`<br>`jKQL> Get event containing all of ${SM:<filter_name>} show as table`<br>`jKQL> Get Event where Severity = ${E:severity:Event:Severity} AND ElapsedTime > ${V:etime} AND CompCode >= ${E:compcode:Event:CompCode} show as table`<br>The "AND" expression can be used to apply multiple variables. |
| Reported: Filters the data reported during a specified time range (today, yesterday, last 5 weeks, etc.) | `jKQL> Get events reported today` |
| Received: Filters the data received during a specified time range | `jKQL> Get events received within last 20 minutes` |
| Created: Filters the data created during a specified time range | `jKQL> Get users created today` |
| Updated: Filters the data updated during a specified time range | `jKQL> Get activities updated this week` |
| Started: Filters the data started during a specified time range | `jKQL> Get activities started last week` |
| Ended: Filters the data ended during a specified time range | `jKQL> Get events ended today` |
| Prop: Tests the existence of properties | `jKQL> Get for today where prop exists` |
| Enumeration: Generates the Severity, CompCode, ResourceType, SourceType, EventType, RelativeType, JobStatus, ItemType, ChildType, ParentType or SetScope table, so you can get the IDs of these items and use them in queries instead of typing the entire name | `jKQL> Get enumeration for severity` |
| Fields: Generates a table of fields related to the noted item, or, only if "get fields" was queried, a table with a list of field names and their data types | `jKQL> Get fields for events`<br>`jKQL> Get fields` |
| Compare fields: Specify the item and the fields you want to get, then write the equality or inequality comparison to perform. For example, you can compare StartTime and UploadTime (the items must be of the same data type). | `jKQL> Get event fields StartTime, UploadTime where StartTime >= UploadTime show as table` |
Use the jKQL query “get itemtypes” to display a table of item types and their characteristics.