Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Power User Splunk > Filtering and Formatting Data Mod 5 > Flashcards

Filtering and Formatting Data Mod 5 Flashcards

1
Q

What does the eval command allow you to do?

A

The eval command allows you to calculate and manipulate field values in your report and it supports a variety of functions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What happens if the destination field exists when using the eval command?

A

The values of the field are replaced by the results of eval command

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Is the index data modified when using the eval command?

A

No, the data is not modified and no new data is written into the index

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Are field values treated as case sensitive when using the eval command?

A

Yes, field values are treated in a case sensitive manner when using the eval command

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

The eval command allows you to?

A
  • Calculate expressions
  • Place the results in a field
  • Use that field in searches or other expressions
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the types that the eval commands effects?

A

Arithmetic/Operators
+, -, *, /, %

Concatenation/Operators
+, .

Boolean/Operators
AND OR NOT XOR

Comparison/Operators
, <=, >=, !=, =, ==, LIKE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is another function the eval command can do to values?

A

It can convert values. For example, the eval command can convert bytes into megabytes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

The eval command must do what in order to successfully convert values?

A

It must be set to a new or existing field

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The eval command also has another function that will help readability?

A

The round (field/number, decimals) function sets the value of a field to the number of decimals you specify

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What will the result be if decimals are unspecified when using the round function in the eval command?

A

The result is a whole number will be present

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What command would you use if you wanted to remove a field in the search window?

A

Use the fields - command

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Where can you perform mathematical functions when using the eval command?

A

You can use mathematical functions against fields with numeric field values

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

When using the eval command, what does the tostring function allow you to do?

A

tostring allows you to convert a numeric field value to a string
example: tostring(field, “option”)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are some of the options of the tostring function when using the eval command?

A
  • “commas”: applies commas. If the number includes decimals, it rounds to two decimal places
  • “duration”: formats the number as “hh:mm:ss”
  • “hex”: formats the number in hexadecimal
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

When using the eval command, give a scenario where you would use the range function?

A

Use the range function to return the difference between the max and min values of _time

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

True or False: eval with added characters converts numeric field values to strings?

A

Yes it does

17
Q

When formatting and sorting values numerically what is the proper order to accomplish this?

A

To order numerically, first sort, then use eval command

18
Q

Can multiple expressions be used in the eval command?

A

Yes multiple expressions can be used in the eval command

19
Q

What are some of the rules when using expressions with the eval command?

A
  • Each subsequent expression references the results of previous expressions
  • Expressions must be separated by commas
    example: eval fieldname1 = expression1,
    fieldname2 = expression2,
    fieldname3 = expression3
20
Q

What are some of the rules when using the if function with the eval command?

A
  • The if function takes 3 arguments (X,Y,Z)
  • The first argument, X, is a Boolean expression
  • If it evaluates to TRUE, the result evaluates to the second argument, Y
  • If it evaluates to FALSE, the result evaluate to the 3rd argument, Z
21
Q

What must be included with non-numeric values when using the if function with the eval command?

A

Non-numeric values must be enclosed in “double quotes”

22
Q

Are field values treated in a case sensitive manner when using the if function with the eval command?

A

Yes they are case sensitive

23
Q

How would you use the case function with the eval command?

A

case(X1, Y1, X2, Y2…)

  • the 1st argument, X1, is a Boolean expression
  • if it evaluates to TRUE, the result evaluates to Y1
  • if it evaluates to FALSE, the next Boolean expression, X2, is evaluated, etc.
  • if you want an “otherwise: clause, just test for a condition you know is true at the end
    (e. g., 0=0)
24
Q

Explain when and how to use the eval function?

A

You would use the eval function to count the number of events that contain a specific field value, use the count and eval functions

25
Q

When using a transforming command like stats what is required?

A
  • An as clause is required
  • Double quotes are required for character field values
  • Field values are case sensitive
26
Q

What are some of the attributes of the search command?

A
  • Treats field values in a case insensitive manner
  • Allows searching on keyword
  • Can be used at any point in the search pipeline
27
Q

What are some of the attributes of the where command?

A
  • Can compare values from two different fields
  • Functions are available, such as isnotnull()
  • Treats field values in a case sensitive manner
  • Can not appear before the first pipe in search pipeline
28
Q

How does the search command behave when used?

A

It behaves exactly like search strings before the first pipe and it can also use the “*” wildcard

29
Q

How does the where command behave when used?

A
  • Uses same expression syntax as the eval command
  • Uses boolean expressions to filter search results and only keeps results that are True
  • Double quoted strings are interpreted as field values (treats field values in a case sensitive manner)
  • Unquoted or single-quoted strings are treated as fields
30
Q

True or False: The where command is also used to compare two different fields?

A

True

31
Q

True or False: Can you do wildcard searches with the where command?

A

True

32
Q

In what situation would you use (_) and (%) when using the where command?

A

You would use the “_” for one character and “%” for multiple characters

33
Q

What must you use with wildcards when using the where command?

A

You must use the “like” operator

34
Q

When would you use the fillnull command?

A

You would use the fillnull command to replace null values in fields

35
Q

How would you specify a string you wanted to display when using the fillnull command?

A

You use the value=string

example: fillnull value=NULL

36
Q

What happens if you don’t have a value= clause when using the fillnull command?

A

The default replacement value is 0

37
Q

How would you restrict which fields fillnull command would apply?

A

By listing them at the end of the command

example: fillnull VALUE=”N/A” discount refund

Power User Splunk (13 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions