Module 5 Flashcards
(17 cards)
Search Terms
Keywords, phrases, wildcards, booleans
Commands
Specifies what to do with results after search
Calculate statistics, generate charts, eval new fields
Functions
Defines how to perform a task required by the command
Function arguments provide the variables needed for the function to work
Arguments
Variables needed for the command to work
Ex: Command argument can limit the number of results
Clauses
Group or rename fields
How to separate commands (Search pipeline)
| a pipe
a pipe
Components of a search, broken down
index=main sourcetype=eventgen |
Applying search terms to events on disk
| eval callResult=if(responseCode==200, "Success", "Failure") |
Eval command with if function
| stats count BY callResult |
Stats command with count function and BY boolean
| rename callResult AS finalResult
rename command
Syntax color
Commands - Blue
Functions - Purple
Boolean & command modifiers - Orange
Command arguments - Green
Fields Command
Only the specified fields are extracted
| fields + (default)
| fields - (removes the fields from the search)
| table
table
Creates a statistical table for fields
Each row will be an event and each column a field name
| rename
rename
Renames field name
Ex: | rename JSESSIONID as sessionID
| sort
sort
Sorts results in ascending order
Ex: | sort limit=10 "User IP Address"
For descending order, prefix the field with a minus sign: | sort -<field>
| dedup
dedup
Removes results that have duplicate values in the chosen field(s)
Ex: | dedup "User IP Address"
| stats
stats
Count number of events
Ex: | stats count by clientip
Functions:
count - counts the number of events
distinct_count (dc) - counts the number of unique values
sum - calculates the sum of values in a field
avg - calculates the average of values in a field
list - lists all values
values - lists all unique values of a field
max - max value of field
min - min value of field
Transforming commands
table, stats, top, rare, chart, timechart
| top
top
returns a stats table for most common values
Arguments:
limit - 0 is no limit
showperc=f (won't show %)
countfield - renames the count field