Filtering and Formatting Results Flashcards
What does the |eval command do?
Eval calculates an expression, then puts the resulting value into a new or existing field.
What happens when using the |eval command with a field that already exists?
Eval will overwrite the values of the field with the results of the eval expression.
This is done at search time and does NOT change or overwrite any of the already indexed data.
What happens when using the |eval command to create a new field?
Eval will take the values of the expressions, but still no new data is written to the index since the eval command happens at search time.
What operator does the |eval command support?
- Arithmetic (+ - * / %)
- Concatenation (+ .)
- Boolean (AND OR NOT XOR)
- Comparison (< > <= >= != = LIKE)
True or False: Using the |eval command, field values are treated in a case-sensitive manner.
True
Using the |eval command, string values must be [blank]
Double-quoted
Using the |eval command, field names must be [blank] when they include a special character like a space
Unquoted or single quoted
Using the |eval command, when should you use a period (.) to concatenate?
When concatenating strings and numbers.
Ex.
|eval Sales = “$”.tostring(Sales, “commas”)
What are the mutiple ways to write |eval expressions
- Separate pipeline segments
- Nested
- Linked with a comma
Fields created by the |eval command are [blank]
Temporary (not indexed) but are searchable and treated like any other field.
Which commands can most evaluation functions be used with?
- |eval
- |where
- |fieldformat
What does the if() function of the |eval command do?
The if() function evaluates expression X. If it evaluates to TRUE, returns Y. Otherwise, returns Z.
Ex.
eval animal = if(pet=”cat”, “cat”, “non-cat”)
What does the case() function of the |eval command do?
The case() functions allows you to enter multiple boolean expressions separated by the argument of what to return if the previous expressions evaluates to true.
Ex.
eval animal = case(pet=”cat”, “Kitten”, pet=”dog”, “Doggy”)
The case() function of the |eval command useful for what?
Data normalization.
Ex.
|eval location = case(location=”BOS’ OR location = “Boston”, Boston”, location=”LDN” OR location=”London”, “London”
What happens if none of the expressions in a case() function return true?
An empty field will be returned.
What does the validate() function of the |eval command do?
validate() works like the case() function, except instead of evaluating whether or not a statement is true, it returns an argument when an expression is false.
What does the in() function of the |eval command do?
in() allows you to evaluate a value from a field against a list of possible values.
Ex.
|eval error = if(in(status, “404”,”500”,”503”), “true”,”false”)
When can the in() function be used with the |eval command?
in() must be used within the if or case functions with eval.
What does the searchmatch() function of the |eval command do?
searchmatch() will return a value of true (Y) or false (Z) whether an event matches the search string passed in (X)
Ex.
|eval matchResult = if(searchmatch(“Got A Case of the Mondays”), “found”, “not found”)
What is the syntax of the searchmatch() function?
|eval <field> = if(searchmatch(X), Y, Z)</field>
When can the searchmatch() function be used with the |eval command
searchmatch() must be used within the if() function or case() function with the |eval command
What does the cidrmatch() function of the |eval command do?
cidrmatch() returns True/False based on whether provided IP address Y matches subnet specified by X
Ex.
|eval isLocal = if(cidrmatch(“10.2/16”, clientip), “IS local”, “NOT local”)
What does the match() function of the |eval command do?
match() returns True/False based on whether (SUBJECT) matches the RegEx pattern.
Ex.
|eval matchResult = if(match(_raw, “Got a Case of the Mondays”), “found”, “not found”)
What does the replace() function of the |eval command do?
replace() returns a string by substituting Z for every occurrence of Y in X.
Ex.
|eval AcctCode = replace(AcctCode, “\d{4}-)\d{4}”, “\1xxxx”)
