function – an operation that is applied on the results of the search preceding the pipe. For example: Available functions: sum count, avg min, max, min, count avg, sum, time, start time, end time, country, country code, city, region, execute
group – grouping of results by a specific group type, such as columns, logs, servers, files, or applications. For example: Available Group operations: group by, interval
view – specifies how to display the results. For example: Available View operations: first, last, order by, display, where, display only, geoip, asc, desc, display first 10, display specific columns
- Grouping can only be according to a single group type. However, the group type can have a single or multiple variables.
- A function must precede grouping, although it does not necessarily have to immediately precede it – view can come between the function and group command.
- There can be multiple View types.
- The Complex Search Syntax is iterative.