tstack / lnav

Log file navigator
http://lnav.org
BSD 2-Clause "Simplified" License
7.95k stars 319 forks source link

What do histograms mean at SQL-result window and how to disable them? #514

Closed slavniyteo closed 6 years ago

slavniyteo commented 6 years ago

Hi, thank you for this awesome tool.

I like new SQL feature and use it a lot. But histograms at the sql-results window look weird. I can't understand what exactly do they mean.

For example, at this request:

SELECT SRC, DPT, count(*) from logline group by SRC, DPT;

image

Sometimes I want to disable histograms when I want to show sql results to my collegue but I can't find how.

UPD: I got it. Yellow mean value of DPT column and Green mean value of count(*) column. Is there any way to customize them? For example, it may be useful to draw histograms based on count(*) only.

tstack commented 6 years ago

The bars are a visualization of the numeric columns in the results. In this case, the DPT value is the yellowish bar and the count(*) is the green bar. The fourth row with a DPT value of 62642 is probably the highest value seen for that column since the bar reaches all the way to the right, the other yellow bars are then sized relative to that. By default, the bars are stacked and shown together, pressing TAB will cycle through each column. There is no option to turn off the bars at the moment.

slavniyteo commented 6 years ago

Thank you for answer.

This visualization may be very useful in some cases, but not always. Especially whep tcp ports and aggregation functions are mixed together =)

I keep this issue open as feature request.

tstack commented 6 years ago

Ah, so DPT is a port number? Can I ask where the column came from? If it's from a custom log format, you can set -- "foreign-key": true -- for the value definition in the format file and it won't be graphed anymore. If it's from a search table, I don't think there's a way to disable graphing at the moment...

slavniyteo commented 6 years ago

DPT is a port number and as you can see, it is decimal because it is parsed from a search table. But I used it as an example and now I work with custom formats. So foreign-key is looks like something I'm looking for. Thank you. But even with this flag as workaround, it is useful to turn off the visualization sometimes.

I keep this issue open as feature request. Again.