Filtering and Formatting Results

Question 1

What does the |eval command do?

Answer 1

Eval calculates an expression, then puts the resulting value into a new or existing field.

Question 2

What happens when using the |eval command with a field that already exists?

Answer 2

Eval will overwrite the values of the field with the results of the eval expression.

This is done at search time and does NOT change or overwrite any of the already indexed data.

Question 3

What happens when using the |eval command to create a new field?

Answer 3

Eval will take the values of the expressions, but still no new data is written to the index since the eval command happens at search time.

Question 4

What operator does the |eval command support?

Answer 4

• Arithmetic (+ - * / %)
• Concatenation (+ .)
• Boolean (AND OR NOT XOR)
• Comparison (< > <= >= != = LIKE)

Question 5

True or False: Using the |eval command, field values are treated in a case-sensitive manner.

Answer 5

True

Question 6

Using the |eval command, string values must be [blank]

Answer 6

Double-quoted

Question 7

Using the |eval command, field names must be [blank] when they include a special character like a space

Answer 7

Unquoted or single quoted

Question 8

Using the |eval command, when should you use a period (.) to concatenate?

Answer 8

When concatenating strings and numbers.

Ex.
|eval Sales = “$”.tostring(Sales, “commas”)

Question 9

What are the mutiple ways to write |eval expressions

Answer 9

• Separate pipeline segments
• Nested
• Linked with a comma

Question 10

Fields created by the |eval command are [blank]

Answer 10

Temporary (not indexed) but are searchable and treated like any other field.

Question 11

Which commands can most evaluation functions be used with?

Answer 11

• |eval
• |where
• |fieldformat

Question 12

What does the if() function of the |eval command do?

Answer 12

The if() function evaluates expression X. If it evaluates to TRUE, returns Y. Otherwise, returns Z.

Ex.
eval animal = if(pet=”cat”, “cat”, “non-cat”)

Question 13

What does the case() function of the |eval command do?

Answer 13

The case() functions allows you to enter multiple boolean expressions separated by the argument of what to return if the previous expressions evaluates to true.

Ex.
eval animal = case(pet=”cat”, “Kitten”, pet=”dog”, “Doggy”)

Question 14

The case() function of the |eval command useful for what?

Answer 14

Data normalization.

Ex.
|eval location = case(location=”BOS’ OR location = “Boston”, Boston”, location=”LDN” OR location=”London”, “London”

Question 15

What happens if none of the expressions in a case() function return true?

Answer 15

An empty field will be returned.

Question 16

What does the validate() function of the |eval command do?

Answer 16

validate() works like the case() function, except instead of evaluating whether or not a statement is true, it returns an argument when an expression is false.

Question 17

What does the in() function of the |eval command do?

Answer 17

in() allows you to evaluate a value from a field against a list of possible values.

Ex.
|eval error = if(in(status, “404”,”500”,”503”), “true”,”false”)

Question 18

When can the in() function be used with the |eval command?

Answer 18

in() must be used within the if or case functions with eval.

Question 19

What does the searchmatch() function of the |eval command do?

Answer 19

searchmatch() will return a value of true (Y) or false (Z) whether an event matches the search string passed in (X)

Ex.
|eval matchResult = if(searchmatch(“Got A Case of the Mondays”), “found”, “not found”)

Question 20

What is the syntax of the searchmatch() function?

Answer 20

|eval <field> = if(searchmatch(X), Y, Z)</field>

Question 21

When can the searchmatch() function be used with the |eval command

Answer 21

searchmatch() must be used within the if() function or case() function with the |eval command

Question 22

What does the cidrmatch() function of the |eval command do?

Answer 22

cidrmatch() returns True/False based on whether provided IP address Y matches subnet specified by X

Ex.
|eval isLocal = if(cidrmatch(“10.2/16”, clientip), “IS local”, “NOT local”)

Question 23

What does the match() function of the |eval command do?

Answer 23

match() returns True/False based on whether (SUBJECT) matches the RegEx pattern.

Ex.
|eval matchResult = if(match(_raw, “Got a Case of the Mondays”), “found”, “not found”)

Question 24

What does the replace() function of the |eval command do?

Answer 24

replace() returns a string by substituting Z for every occurrence of Y in X.

Ex.
|eval AcctCode = replace(AcctCode, “\d{4}-)\d{4}”, “\1xxxx”)

Question 25

What is the replace() function of the |eval command useful for?

Answer 25

Useful for masking data such as account numbers and IP addresses

Question 26

What does the |fillnull command do?

Answer 26

|fillnull replaces null values in fields. You can specify what to replace a null value with using value=<string>. If not specified, defaults to value=0.</string>

Question 27

What is the syntax of the |fillnull command?

Answer 27

|fillnull [value=<string>] [<field-list>]</field-list></string>

Question 28

What does the |where command do?

Answer 28

|where acts as a filter on search results by removing results that do not match the <eval-expression></eval-expression>

Question 29

How is the |where command different from the |search command?

Answer 29

|where allows for field on field comparison.

Ex.
|where removals > changes

Question 30

How can you use the |where command to force case-sensitive searches?

Answer 30

Ex.
index=sales sourcetype=vendor_sales VendorCountry=”United States”
|where categoryId=”STRATEGY”

Question 31

What does the |where command have that the |search command does not?

Answer 31

The |where command has its own wildcards that are separate from the one used with the search command (*).

• Operator: |where <string> LIKE <pattern></pattern></string>
• Function: |where like (<string>, <pattern>)</pattern></string>
• % for multiple characters
• _ for single character