Module 5 Filtering and formatting data

Question 1

what does the eval command allow you to do?

Answer 1

It allows you to calculate and manipulate field values in your report
eval fieldname1= expression1 [, eval fieldname2 = expression2…]
- calculate expressions
-place the results in a field
-use that field in searches or other expressions

Question 2

where are the results of eval command written?

Answer 2

in either a new or existing field that yo have specified

Question 3

what happens if the destination field of the eval command already exists?

Answer 3

the results of the eval replace the existing field..

The index values of the field are not modified

Question 4

are field values of eval command treated in a case-sensitive manner?

Answer 4

yes

Question 5

what type of functions does the eval command use?

Answer 5

Arithmetic +-*/%
Concatenation + .
Boolean AND OR NOT XOR
Comparison < > <= >= != = == LIKE

Question 6

what does the round function perform with the eval command

Answer 6

it rounds the number to the decimal points you specify

Question 7

what happens when you don’t specify the decimal points to round to when using the round function with the eval command?

Answer 7

It rounds to a whole number

Question 8

how do you add or remove fields

Answer 8

fields - or fields + function

Question 9

what does the tostring function do?

Answer 9

it converts a numeric filed to a value string

tostring(field, “option”)

Question 10

what are the tostring Options?

Answer 10

• “commas” if the number includes decimals it rounds to 2 decimal places
• “duration” formats the numbers as “hh:mm:ss”
• “hex” formats the number in hexadecimal

Question 11

True or False

eval with added characters converts numeric field values to string?

Answer 11

True

Question 12

when wanting to sort numerically using eval what do you do first?
A. eval then sort
B. sort then eval

Answer 12

B

Question 13

Can multiple expressions be combined into one eval command?

Answer 13

Yes,
each subsequent expression references the results of the previous expression
Expressions must be separated by commas

Question 14

how many arguments does the if function take with the eval command?

Answer 14

3
if(X,Y,Z)
if X evaluates to TRUE, the result evaluates the second argument, Y
if X evaluates to FALSE, the result evaluates the third argument, Z
non-numeric values must be enclosed in “double quotes”

Question 15

using the eval command are filed values treated in case-sensitive or non case-sensitive manner?

Answer 15

case sensitive

Question 16

case function with the eval command….
case (X1,Y1,X2,Y2….)
what happens if the x1 argument which is a boolean expression evaluates as FALSE?

Answer 16

the next Boolean expression which is X2 is then evaluated etc etc

Question 17

what functions do the search and where commands perform?

Answer 17

They both filter results

Question 18

the like operator as part of the eval command what character is used for multiple characters?

Answer 18

%
use () for a single character
| stats count by src_ip like “10.%”
| where

Question 19

what does fillnull command do

Answer 19

replace null values in fields
fillnull value=NULL
if no value=clause then the replacement value is 0