Module 4: Filtering Results and Manipulating Data

Question 1

What does the eval command allow you to do?

Answer 1

The eval command allows you to calculate and manipulate field values in your report and it supports a variety of functions

Page 104 Mod 4

Question 2

What happens if the destination field exists when using the eval command?

Answer 2

The values of the field are replaced by the results of eval command

Page 105 Mod 4

Question 3

Is the index data modified when using the eval command?

Answer 3

No, the data is not modified and no new data is written into the index

Page 105 Mod 4

Question 4

Are field values treated as case sensitive when using the eval command?

Answer 4

Yes, field values are treated in a case sensitive manner when using the eval command

Page 105 Mod 4

Question 5

Three things the eval command allows you to?

Answer 5

• Calculate expressions
• Place the results in a field
• Use that field in searches or other expressions

Page 104 Mod 4

Question 6

What are the operator types that the eval commands effects?

Answer 6

Arithmetic/Operators
+, -, *, /, %

Concatenation/Operators
+, .

Boolean/Operators
AND OR NOT XOR

Comparison/Operators
, <=, >=, !=, =, ==, LIKE

Page 107 Mod 4

Question 7

What is another function the eval command can do to values?

Answer 7

It can convert values. For example, the eval command can convert bytes into megabytes

Page 108 Mod 4

Question 8

The eval command must do what in order to successfully convert values?

Answer 8

It must be set to a new or existing field

Page 109 Mod 4

Question 9

The eval command also has another function that will help readability?

Answer 9

The round (field/number, decimals) function sets the value of a field to the number of decimals you specify

Page 110 Mod 4

Question 10

What will the result be if decimals are unspecified when using the round function in the eval command?

Answer 10

The result is a whole number will be present

Page 110 Mod 4

Question 11

What command would you use if you wanted to remove a field in the search window?

Answer 11

Use the fields - command

Page 11 Mod 4

Question 12

You can perform mathematical functions against fields with what when using the eval command?

Answer 12

You can use mathematical functions against fields with numeric field values

Page 112 Mod 4

Question 13

When using the eval command, what does the tostring function allow you to do?

Answer 13

tostring allows you to convert a numeric field value to a string
example: tostring(field, “option”)

Page 115 Mod 4

Question 14

What are some of the options of the tostring function when using the eval command?

Answer 14

• “commas”: applies commas. If the number includes decimals, it rounds to two decimal places
• “duration”: formats the number as “hh:mm:ss”
• “hex”: formats the number in hexadecimal

Page 115 Mod 4

Question 15

When using the eval command, give a scenario where you would use the range function?

Answer 15

Use the range function to return the difference between the max and min values of _time

Page 116 Mod 4

Question 16

True or False: eval with added characters converts numeric field values to strings?

Answer 16

Yes it does

Page 114 Mod 4

Question 17

When formatting and sorting values numerically what is the proper order to accomplish this?

Answer 17

To order numerically, first sort, then use eval command

Page 114 Mod 4

Question 18

Can multiple expressions be used in the eval command?

Answer 18

Yes multiple expressions can be used in the eval command

Page 117 Mod 4

Question 19

What are some of the rules when using expressions with the eval command?

Answer 19

• Each subsequent expression references the results of previous expressions
• Expressions must be separated by commas
  example: eval fieldname1 = expression1,
  fieldname2 = expression2,
  fieldname3 = expression3

Page 106 Mod 4

Question 20

What are some of the rules when using the if function with the eval command?

Answer 20

• The if function takes 3 arguments (X,Y,Z)
• The first argument, X, is a Boolean expression
• If it evaluates to TRUE, the result evaluates to the second argument, Y
• If it evaluates to FALSE, the result evaluate to the 3rd argument, Z

Page 118 Mod 4

Question 21

What must be included with non-numeric values (arguments) when using the if function with the eval command?

Answer 21

Non-numeric values must be enclosed in “double quotes”

Page 118 Mod 4

Question 22

Are field values treated in a case sensitive manner when using the if function with the eval command?

Answer 22

Yes they are case sensitive

Page 118 Mod 4

Question 23

How would you use the case function with the eval command?

Answer 23

case(X1, Y1, X2, Y2…)

• the 1st argument, X1, is a Boolean expression
• if it evaluates to TRUE, the result evaluates to Y1
• if it evaluates to FALSE, the next Boolean expression, X2, is evaluated, etc.
• if you want an “otherwise: clause, just test for a condition you know is true at the end
  (e. g., 0=0)

Page 120 Mod 4

Question 24

Explain when and how to use the eval function?

Answer 24

You would use the eval function to count the number of events that contain a specific field value, use the count and eval functions

Page 123 Mod 4

Question 25

With eval, then using a transforming command like stats what is required?

Answer 25

- An as clause is required - Double quotes are required for character field values - Field values are case sensitive Page 123 Mod 4

Question 26

What are some of the attributes of the search command?

Answer 26

- Treats field values in a case insensitive manner - Allows searching on keyword - Can be used at any point in the search pipeline Page 124 Mod 4

Question 27

What are some of the attributes of the where command?

Answer 27

- Can compare values from two different fields - Functions are available, such as isnotnull() - Treats field values in a case sensitive manner - Can not appear before the first pipe in search pipeline Page 124 Mod 4

Question 28

How does the search command behave when used?

Answer 28

It behaves exactly like search strings before the first pipe and it can also use the "*" wildcard Page 125 Mod 4

Question 29

How does the where command behave when used?

Answer 29

- Uses same expression syntax as the eval command - Uses boolean expressions to filter search results and only keeps results that are True - Double quoted strings are interpreted as field values (treats field values in a case sensitive manner) - Unquoted or single-quoted strings are treated as fields Page 126 Mod 4

Question 30

True or False: The where command is also used to compare two different fields?

Answer 30

True Page 127 Mod 4

Question 31

True or False: Can you do wildcard searches with the where command?

Answer 31

True Page 129 Mod

Question 32

In what situation would you use (_) and (%) when using the where command?

Answer 32

You would use the "_" for one character and "%" for multiple characters Page 129 Mod 4

Question 33

What must you use with wildcards when using the where command?

Answer 33

You must use the "like" operator Page 129 Mod 4

Question 34

When would you use the fillnull command?

Answer 34

You would use the fillnull command to replace null values in fields Page 132 Mod 4

Question 35

How would you specify a string you wanted to display when using the fillnull command?

Answer 35

You use the value=string example: fillnull value=NULL Page 132 Mod 4

Question 36

What happens if you don't have a value= clause when using the fillnull command?

Answer 36

The default replacement value is 0 Page 132 Mod 4

Question 37

How would you restrict which fields fillnull command would apply?

Answer 37

By listing them at the end of the command example: fillnull VALUE="N/A" discount refund Page 132 Mod 4