Filtering and Formatting Data Mod 5 Flashcards
What does the eval command allow you to do?
The eval command allows you to calculate and manipulate field values in your report and it supports a variety of functions
What happens if the destination field exists when using the eval command?
The values of the field are replaced by the results of the eval command
Is the index data modified when using the eval command?
No, the data is not modified and no new data is written into the index
Are field values treated as case sensitive when using the eval command?
Yes, field values are treated in a case sensitive manner when using the eval command
The eval command allows you to do what?
- Calculate expressions
- Place the results in a field
- Use that field in searches or other expressions
What types of operators does the eval command support?
- Arithmetic operators: +, -, *, /, %
- Concatenation operators: +, .
- Boolean operators: AND, OR, NOT, XOR
- Comparison operators: <, >, <=, >=, !=, =, ==, LIKE
What is another function the eval command can do to values?
It can convert values. For example, the eval command can convert bytes into megabytes
The eval command must do what in order to successfully convert values?
It must be set to a new or existing field
What other eval function helps readability?
The round(field/number, decimals) function sets the value of a field to the number of decimals you specify
What will the result be if decimals are unspecified when using the round function in the eval command?
The result is a whole number
What command would you use if you wanted to remove a field in the search window?
Use the fields - command
Where can you perform mathematical functions when using the eval command?
You can use mathematical functions against fields with numeric field values
When using the eval command, what does the tostring function allow you to do?
tostring allows you to convert a numeric field value to a string
example: tostring(field, "option")
What are some of the options of the tostring function when using the eval command?
- “commas”: applies commas. If the number includes decimals, it rounds to two decimal places
- “duration”: formats the number as “hh:mm:ss”
- “hex”: formats the number in hexadecimal
When using the eval command, give a scenario where you would use the range function?
Use the range function to return the difference between the max and min values of _time
True or False: eval with added characters converts numeric field values to strings?
Yes, it does
When formatting and sorting values numerically, what is the proper order to accomplish this?
To order numerically, first sort, then use the eval command
Can multiple expressions be used in the eval command?
Yes, multiple expressions can be used in the eval command
What are some of the rules when using expressions with the eval command?
- Each subsequent expression references the results of previous expressions
- Expressions must be separated by commas
example: eval fieldname1 = expression1, fieldname2 = expression2, fieldname3 = expression3
What are some of the rules when using the if function with the eval command?
- The if function takes 3 arguments: if(X, Y, Z)
- The first argument, X, is a Boolean expression
- If it evaluates to TRUE, the result evaluates to the second argument, Y
- If it evaluates to FALSE, the result evaluates to the third argument, Z
What must be included with non-numeric values when using the if function with the eval command?
Non-numeric values must be enclosed in “double quotes”
Are field values treated in a case sensitive manner when using the if function with the eval command?
Yes they are case sensitive
How would you use the case function with the eval command?
case(X1, Y1, X2, Y2…)
- the 1st argument, X1, is a Boolean expression
- if it evaluates to TRUE, the result evaluates to Y1
- if it evaluates to FALSE, the next Boolean expression, X2, is evaluated, etc.
- if you want an "otherwise" clause, just test for a condition you know is true at the end (e.g., 0=0)
When and how would you use the eval function?
To count the number of events that contain a specific field value, use the count and eval functions together
When using a transforming command like stats, what is required?
- An as clause is required
- Double quotes are required for character field values
- Field values are case sensitive
What are some of the attributes of the search command?
- Treats field values in a case insensitive manner
- Allows searching on keyword
- Can be used at any point in the search pipeline
What are some of the attributes of the where command?
- Can compare values from two different fields
- Functions are available, such as isnotnull()
- Treats field values in a case sensitive manner
- Cannot appear before the first pipe in the search pipeline
How does the search command behave when used?
It behaves exactly like search strings before the first pipe, and it can also use the "*" wildcard
How does the where command behave when used?
- Uses same expression syntax as the eval command
- Uses Boolean expressions to filter search results and only keeps results that are true
- Double quoted strings are interpreted as field values (treats field values in a case sensitive manner)
- Unquoted or single-quoted strings are treated as fields
True or False: The where command is also used to compare two different fields?
True
True or False: You can do wildcard searches with the where command?
True
In what situation would you use (_) and (%) when using the where command?
You would use the “_” for one character and “%” for multiple characters
What must you use with wildcards when using the where command?
You must use the “like” operator
When would you use the fillnull command?
You would use the fillnull command to replace null values in fields
How would you specify a string you wanted to display when using the fillnull command?
You use value=string
example: fillnull value=NULL
What happens if you don’t have a value= clause when using the fillnull command?
The default replacement value is 0
How would you restrict which fields the fillnull command applies to?
By listing them at the end of the command
example: fillnull value="N/A" discount refund