Module 4: Filtering Results and Manipulating Data Flashcards
What does the eval command allow you to do?
The eval command allows you to calculate and manipulate field values in your report, and it supports a variety of functions
Page 104 Mod 4
What happens if the destination field exists when using the eval command?
The values of the field are replaced by the results of the eval command
Page 105 Mod 4
Is the index data modified when using the eval command?
No, the data is not modified and no new data is written into the index
Page 105 Mod 4
Are field values treated as case sensitive when using the eval command?
Yes, field values are treated in a case-sensitive manner when using the eval command
Page 105 Mod 4
What are three things the eval command allows you to do?
- Calculate expressions
- Place the results in a field
- Use that field in searches or other expressions
Page 104 Mod 4
What are the operator types that the eval command supports?
Arithmetic operators: +, -, *, /, %
Concatenation operators: +, .
Boolean operators: AND, OR, NOT, XOR
Comparison operators: , <=, >=, !=, =, ==, LIKE
Page 107 Mod 4
What is another function the eval command can do to values?
It can convert values. For example, the eval command can convert bytes into megabytes
Page 108 Mod 4
The eval command must do what in order to successfully convert values?
The result must be set to a new or existing field
Page 109 Mod 4
What other eval function helps readability?
The round(field/number, decimals) function sets the value of a field to the number of decimals you specify
Page 110 Mod 4
What will the result be if decimals are unspecified when using the round function in the eval command?
The result will be a whole number
Page 110 Mod 4
What command would you use if you wanted to remove a field in the search window?
Use the fields - command
Page 11 Mod 4
You can perform mathematical functions against fields with what when using the eval command?
You can use mathematical functions against fields with numeric field values
Page 112 Mod 4
When using the eval command, what does the tostring function allow you to do?
tostring allows you to convert a numeric field value to a string
example: tostring(field, "option")
Page 115 Mod 4
What are some of the options of the tostring function when using the eval command?
- “commas”: applies commas. If the number includes decimals, it rounds to two decimal places
- “duration”: formats the number as “hh:mm:ss”
- “hex”: formats the number in hexadecimal
Page 115 Mod 4
When using the eval command, in what scenario would you use the range function?
Use the range function to return the difference between the max and min values of _time
Page 116 Mod 4
True or False: eval with added characters converts numeric field values to strings?
Yes, it does
Page 114 Mod 4
When formatting and sorting values numerically, what is the proper order to accomplish this?
To order numerically, first sort, then use the eval command
Page 114 Mod 4
Can multiple expressions be used in the eval command?
Yes, multiple expressions can be used in the eval command
Page 117 Mod 4
What are some of the rules when using expressions with the eval command?
- Each subsequent expression references the results of previous expressions
- Expressions must be separated by commas
example: eval fieldname1 = expression1,
         fieldname2 = expression2,
         fieldname3 = expression3
Page 106 Mod 4
What are some of the rules when using the if function with the eval command?
- The if function takes 3 arguments (X, Y, Z)
- The first argument, X, is a Boolean expression
- If it evaluates to TRUE, the result evaluates to the second argument, Y
- If it evaluates to FALSE, the result evaluates to the third argument, Z
Page 118 Mod 4
What must be included with non-numeric values (arguments) when using the if function with the eval command?
Non-numeric values must be enclosed in “double quotes”
Page 118 Mod 4
Are field values treated in a case-sensitive manner when using the if function with the eval command?
Yes, they are case sensitive
Page 118 Mod 4
How would you use the case function with the eval command?
case(X1, Y1, X2, Y2…)
- the 1st argument, X1, is a Boolean expression
- if it evaluates to TRUE, the result evaluates to Y1
- if it evaluates to FALSE, the next Boolean expression, X2, is evaluated, etc.
- if you want an "otherwise" clause, just test for a condition you know is true at the end (e.g., 0=0)
Page 120 Mod 4
Explain when and how to use the eval function.
You would use the eval function to count the number of events that contain a specific field value; to do this, use the count and eval functions together
Page 123 Mod 4
When using eval with a transforming command like stats, what is required?
- An as clause is required
- Double quotes are required for character field values
- Field values are case sensitive
Page 123 Mod 4
What are some of the attributes of the search command?
- Treats field values in a case-insensitive manner
- Allows searching on keywords
- Can be used at any point in the search pipeline
Page 124 Mod 4
What are some of the attributes of the where command?
- Can compare values from two different fields
- Functions are available, such as isnotnull()
- Treats field values in a case-sensitive manner
- Cannot appear before the first pipe in the search pipeline
Page 124 Mod 4
How does the search command behave when used?
It behaves exactly like search strings before the first pipe, and it can also use the "*" wildcard
Page 125 Mod 4
How does the where command behave when used?
- Uses same expression syntax as the eval command
- Uses Boolean expressions to filter search results and only keeps results that are true
- Double-quoted strings are interpreted as field values (treats field values in a case-sensitive manner)
- Unquoted or single-quoted strings are treated as fields
Page 126 Mod 4
True or False: The where command is also used to compare two different fields.
True
Page 127 Mod 4
True or False: You can do wildcard searches with the where command.
True
Page 129 Mod 4
In what situation would you use (_) and (%) when using the where command?
You would use "_" for one character and "%" for multiple characters
Page 129 Mod 4
What must you use with wildcards when using the where command?
You must use the “like” operator
Page 129 Mod 4
When would you use the fillnull command?
You would use the fillnull command to replace null values in fields
Page 132 Mod 4
How would you specify a string you wanted to display when using the fillnull command?
Use value=string
example: fillnull value=NULL
Page 132 Mod 4
What happens if you don’t have a value= clause when using the fillnull command?
The default replacement value is 0
Page 132 Mod 4
How would you restrict which fields the fillnull command applies to?
By listing them at the end of the command
example: fillnull value="N/A" discount refund
Page 132 Mod 4