Update PPL examples to use otel sample data

_includes/try-in-playground.html

@@ -0,0 +1 @@
+<label hidden class="try-in-playground-label">try-in-playground</label>

_sql-and-ppl/ppl/commands/addcoltotals.md

@@ -31,64 +31,77 @@ The `addcoltotals` command supports the following parameters.
 | `labelfield` | Optional | The field in which the label is placed. If the field does not exist, it is created and the label is shown in the summary row (last row) of the new field. |
 | `label` | Optional | The text that appears in the summary row (last row) to identify the computed totals. When used with `labelfield`, this text is placed in the specified field in the summary row. Default is `Total`. |
 
-## Example 1: Basic example
+## Example 1: Add column totals to a severity breakdown
 
-The following query places the label in an existing field:
+The following query adds a total row to a severity breakdown, showing the grand total of all log entries:
 
 ```sql
-source=accounts 
-| fields firstname, balance 
-| head 3 
-| addcoltotals labelfield='firstname'
+source=otellogs
+| stats count() as log_count by severityText
+| sort severityText
+| fields severityText, log_count
+| addcoltotals labelfield='severityText'
 ```
 {% include copy.html %}
+{% include try-in-playground.html %}
 
 The query returns the following results:
 
-| firstname | balance |
+| severityText | log_count |
 | --- | --- |
-| Amber | 39225 |
-| Hattie | 5686 |
-| Nanette | 32838 |
-| Total | 77749 |
+| DEBUG | 3 |
+| ERROR | 7 |
+| INFO | 6 |
+| WARN | 4 |
+| Total | 20 |
 
-## Example 2: Adding column totals with a custom summary label
+## Example 2: Add column totals with a custom label
 
-The following query adds totals after a `stats` command where the final summary event label is `Sum`. It also creates a new field specified by `labelfield` because this field does not exist in the data:
+The following query adds totals to error counts per service with a custom summary label:
 
 ```sql
-source=accounts 
-| stats count() by gender 
-| addcoltotals `count()` label='Sum' labelfield='Total'
+source=otellogs
+| where severityText = 'ERROR'
+| stats count() as errors by `resource.attributes.service.name`
+| sort `resource.attributes.service.name`
+| addcoltotals errors label='Grand Total' labelfield='Summary'
 ```
 {% include copy.html %}
+{% include try-in-playground.html %}
 
 The query returns the following results:
 
-| count() | gender | Total |
+| errors | resource.attributes.service.name | Summary |
 | --- | --- | --- |
-| 1 | F | null |
-| 3 | M | null |
-| 4 | null | Sum |
+| 2 | checkout | null |
+| 1 | frontend-proxy | null |
+| 2 | payment | null |
+| 1 | product-catalog | null |
+| 1 | recommendation | null |
+| 7 | null | Grand Total |
 
 ## Example 3: Using all options
 
-The following query uses the `addcoltotals` command with all options set:
+The following query uses the `addcoltotals` command with all options set, totaling only the specified numeric fields and placing the summary label in a new column:
 
 ```sql
-source=accounts 
-| where age > 30 
-| stats avg(balance) as avg_balance, count() as count by state 
-| head 3 
-| addcoltotals avg_balance, count  label='Sum' labelfield='Column Total'
+source=otellogs
+| where severityText IN ('ERROR', 'WARN')
+| eval error_count = IF(severityText = 'ERROR', 1, 0), warn_count = IF(severityText = 'WARN', 1, 0)
+| stats sum(error_count) as errors, sum(warn_count) as warnings by `resource.attributes.service.name`
+| sort `resource.attributes.service.name`
+| addcoltotals errors, warnings label='Sum' labelfield='Column Total'
 ```
 {% include copy.html %}
+{% include try-in-playground.html %}
 
 The query returns the following results:
 
-| avg_balance | count | state | Column Total |
+| errors | warnings | resource.attributes.service.name | Column Total |
 | --- | --- | --- | --- |
-| 39225.0 | 1 | IL | null |
-| 4180.0 | 1 | MD | null |
-| 5686.0 | 1 | TN | null |
-| 49091.0 | 3 | null | Sum |
+| 2 | 0 | checkout | null |
+| 1 | 2 | frontend-proxy | null |
+| 2 | 0 | payment | null |
+| 1 | 2 | product-catalog | null |
+| 1 | 0 | recommendation | null |
+| 7 | 4 | null | Sum |

_sql-and-ppl/ppl/commands/addtotals.md

@@ -34,87 +34,82 @@ The `addtotals` command supports the following parameters.
 | `label` | Optional | The text that appears in the summary row (last row) to identify the computed totals. When used with `labelfield`, this text is placed in the specified field in the summary row. Default is `Total`. Applicable when `col=true`. This parameter has no effect when the `labelfield` and `fieldname` parameters specify the same field name. |
 | `fieldname` | Optional | The field used to store row totals. Applicable when `row=true`. |
 
-## Example 1: Basic example
+## Example 1: Add column totals
 
-The following query places the label in an existing field:
+The following query counts errors and warnings per service, then adds a column total row showing the grand totals:
 
 ```sql
-source=accounts 
-| head 3
-| fields firstname, balance 
-| addtotals col=true labelfield='firstname' label='Total'
+source=otellogs
+| where severityText IN ('ERROR', 'WARN')
+| eval error_count = IF(severityText = 'ERROR', 1, 0), warn_count = IF(severityText = 'WARN', 1, 0)
+| stats sum(error_count) as errors, sum(warn_count) as warnings by `resource.attributes.service.name`
+| sort `resource.attributes.service.name`
+| fields `resource.attributes.service.name`, errors, warnings
+| addtotals col=true labelfield='resource.attributes.service.name' label='Total'
 ```
 {% include copy.html %}
+{% include try-in-playground.html %}
 
 The query returns the following results:
 
-| firstname | balance | Total |
-| --- | --- | --- |
-| Amber | 39225 | 39225 |
-| Hattie | 5686 | 5686 |
-| Nanette | 32838 | 32838 |
-| Total | 77749 | null |    
-
-## Example 2: Adding column totals with a custom summary label
+| resource.attributes.service.name | errors | warnings | Total |
+| --- | --- | --- | --- |
+| checkout | 2 | 0 | 2 |
+| frontend-proxy | 1 | 2 | 3 |
+| payment | 2 | 0 | 2 |
+| product-catalog | 1 | 2 | 3 |
+| recommendation | 1 | 0 | 1 |
+| Total | 7 | 4 | null |
 
-The following query adds totals after a `stats` command, with the final summary event labeled `Sum`. It also creates a new field specified by `labelfield` because the field does not exist in the data:
+## Example 2: Add row totals
 
+The following query counts errors and warnings separately per service, then adds a row total showing the combined count of actionable issues per service:
 
 ```sql
-source=accounts
-| fields   account_number, firstname , balance , age 
-| addtotals col=true  row=false label='Sum' labelfield='Total'
+source=otellogs
+| where severityText IN ('ERROR', 'WARN')
+| eval error_count = IF(severityText = 'ERROR', 1, 0), warn_count = IF(severityText = 'WARN', 1, 0)
+| stats sum(error_count) as errors, sum(warn_count) as warnings by `resource.attributes.service.name`
+| sort `resource.attributes.service.name`
+| fields `resource.attributes.service.name`, errors, warnings
+| addtotals row=true fieldname='total_issues'
 ```
 {% include copy.html %}
+{% include try-in-playground.html %}
 
 The query returns the following results:
 
-| account_number | firstname | balance | age | Total |
-| --- | --- | --- | --- | --- |
-| 1 | Amber | 39225 | 32 | null |
-| 6 | Hattie | 5686 | 36 | null |
-| 13 | Nanette | 32838 | 28 | null |
-| 18 | Dale | 4180 | 33 | null |
-| 38 | null | 81929 | 129 | Sum |
-
-If you set `row=true` in the preceding example, both row totals and column totals try to use the same field name (`Total`), creating a conflict. When this happens, the summary row label displays as `null` instead of `Sum` because the field becomes numeric (for row totals) and cannot display string values:
-
-
-```sql
-source=accounts
-| fields   account_number, firstname , balance , age   
-| addtotals col=true  row=true label='Sum' labelfield='Total'
-```
-{% include copy.html %}
-
-The query returns the following results:
-
-| account_number | firstname | balance | age | Total |
-| --- | --- | --- | --- | --- |
-| 1 | Amber | 39225 | 32 | 39258 |
-| 6 | Hattie | 5686 | 36 | 5728 |
-| 13 | Nanette | 32838 | 28 | 32879 |
-| 18 | Dale | 4180 | 33 | 4231 |
-| 38 | null | 81929 | 129 | null |
+| resource.attributes.service.name | errors | warnings | total_issues |
+| --- | --- | --- | --- |
+| checkout | 2 | 0 | 2 |
+| frontend-proxy | 1 | 2 | 3 |
+| payment | 2 | 0 | 2 |
+| product-catalog | 1 | 2 | 3 |
+| recommendation | 1 | 0 | 1 |
 
 ## Example 3: Using all options
 
-The following query uses the `addtotals` command with all options set:
+The following query uses the `addtotals` command with all options set, combining both row totals and column totals in a single report:
 
 ```sql
-source=accounts 
-| where age > 30 
-| stats avg(balance) as avg_balance, count() as count by state 
-| head 3 
-| addtotals avg_balance, count row=true col=true fieldname='Row Total' label='Sum' labelfield='Column Total'
+source=otellogs
+| where severityText IN ('ERROR', 'WARN')
+| eval error_count = IF(severityText = 'ERROR', 1, 0), warn_count = IF(severityText = 'WARN', 1, 0)
+| stats sum(error_count) as errors, sum(warn_count) as warnings by `resource.attributes.service.name`
+| sort `resource.attributes.service.name`
+| fields `resource.attributes.service.name`, errors, warnings
+| addtotals errors, warnings row=true col=true fieldname='Row Total' label='Sum' labelfield='Column Total'
 ```
 {% include copy.html %}
+{% include try-in-playground.html %}
 
 The query returns the following results:
 
-| avg_balance | count | state | Row Total | Column Total |
+| resource.attributes.service.name | errors | warnings | Row Total | Column Total |
 | --- | --- | --- | --- | --- |
-| 39225.0 | 1 | IL | 39226.0 | null |
-| 4180.0 | 1 | MD | 4181.0 | null |
-| 5686.0 | 1 | TN | 5687.0 | null |
-| 49091.0 | 3 | null | null | Sum |
+| checkout | 2 | 0 | 2 | null |
+| frontend-proxy | 1 | 2 | 3 | null |
+| payment | 2 | 0 | 2 | null |
+| product-catalog | 1 | 2 | 3 | null |
+| recommendation | 1 | 0 | 1 | null |
+| null | 7 | 4 | null | Sum |

_sql-and-ppl/ppl/commands/append.md

@@ -28,49 +28,61 @@ The `append` command supports the following parameters.
 | --- | --- | --- |
 | `<subsearch>` | Required | Executes PPL commands as a secondary search. |  
 
-## Example 1: Append rows from a count aggregation to existing search results
+## Example 1: Append error and warning counts side by side
 
-The following query appends rows from `count by gender` to `sum by gender, state`:
+The following query shows error counts per service, then appends warning counts from a separate query. This lets you compare error and warning rates across services:
 
 ```sql
-source=accounts | stats sum(age) by gender, state | sort -`sum(age)` | head 5 | append [ source=accounts | stats count(age) by gender ]
+source=otellogs
+| where severityText = 'ERROR'
+| stats count() as error_count by `resource.attributes.service.name`
+| sort - error_count
+| append [ source=otellogs | where severityText = 'WARN' | stats count() as warn_count by `resource.attributes.service.name` ]
+| sort `resource.attributes.service.name`
+| fields `resource.attributes.service.name`, error_count, warn_count
 ```
 {% include copy.html %}
+{% include try-in-playground.html %}
 
 The query returns the following results:
 
-| sum(age) | gender | state | count(age) |
-| --- | --- | --- | --- |
-| 36 | M | TN | null |
-| 33 | M | MD | null |
-| 32 | M | IL | null |
-| 28 | F | VA | null |
-| null | F | null | 1 |
-| null | M | null | 3 |
+| resource.attributes.service.name | error_count | warn_count |
+| --- | --- | --- |
+| checkout | 2 | null |
+| frontend-proxy | 1 | null |
+| frontend-proxy | null | 2 |
+| payment | 2 | null |
+| product-catalog | 1 | null |
+| product-catalog | null | 2 |
+| recommendation | 1 | null |
 
 
-## Example 2: Append rows with merged column names
+## Example 2: Append summary rows to detail rows
 
-The following query appends rows from `sum by gender` to `sum by gender, state`, merging columns that have the same field name and type:
+The following query shows severity levels by count, then appends the total count across all levels:
 
 ```sql
-source=accounts | stats sum(age) as sum by gender, state | sort -sum | head 5 | append [ source=accounts | stats sum(age) as sum by gender ]
+source=otellogs
+| stats count() as log_count by severityText
+| sort - log_count
+| append [ source=otellogs | stats count() as log_count | eval severityText = 'ALL' ]
+| fields severityText, log_count
 ```
 {% include copy.html %}
+{% include try-in-playground.html %}
 
 The query returns the following results:
 
-| sum | gender | state |
-| --- | --- | --- |
-| 36 | M | TN |
-| 33 | M | MD |
-| 32 | M | IL |
-| 28 | F | VA |
-| 28 | F | null |
-| 101 | M | null |
+| severityText | log_count |
+| --- | --- |
+| DEBUG | 3 |
+| ERROR | 7 |
+| INFO | 6 |
+| WARN | 4 |
+| ALL | 20 |
 
 ## Limitations
 
 The `append` command has the following limitations:
 
-* **Schema compatibility**: When fields with the same name exist in both the main search and the subsearch but have incompatible types, the query fails with an error. To avoid type conflicts, ensure that fields with the same name share the same data type. Alternatively, use different field names. You can rename the conflicting fields using `eval` or select non-conflicting columns using `fields`.
+* **Schema compatibility**: When fields with the same name exist in both the main search and the subsearch but have incompatible types, the query fails with an error. To avoid type conflicts, ensure that fields with the same name share the same data type. Alternatively, use different field names. You can rename the conflicting fields using `eval` or select non-conflicting columns using `fields`.