calc search command


The calc search command lets you perform mathematical operations on extracted fields.


For a list of all search commands, see Search-commands.

Syntax

eval eval-field= calc <eval-expression>

In the preceding syntax, the following definitions apply:

  • eval command triggers the evaluate operation and saves the result of the calculation.
  • eval-field is the field to store the result of calculation. The eval-field must be more than one character, and must not be all numbers, all special characters, numbers with special characters or string with special characters. For example, A, X, 10$, 5#, tom(), 1234, and so on are not allowed.
  • <eval-expression> specifies the extracted fields to be evaluated with the supported mathematical operators.
  • calc command triggers the calculation of the <eval-expression>.

Supported operators

Arithmetic operators

The calc command supports the following arithmetic operators within the <eval-expression>:

  • +: Adds two numbers. 2 + 2 returns 4.
  • -: Subtracts two numbers. 3 - 2 returns 1.
  • *: Multiplies two numbers. 5 * 2 returns 10.
  • /: Divides two numbers. 10 / 2 returns 5.
  • ^: Calculates the result of exponentiation. 2 ^ 11 returns 2048.
  • + and - (unary plus and minus, sign operators): The - (unary minus) operator negates the value of the operand. The operand can have any arithmetic type. +3 - (-2) returns 1.
  • %: Modulo function returns the remainder of a division between two numbers. 5 % 2 returns 1.

Built-in functions

The calc command supports the following built-in functions within the <eval-expression>:

  • abs: Returns the absolute value of a field or a large fraction of a decimal number. For example, abs(0.8796542) returns 0.88.
  • ceil: Returns the nearest upper integer value. For example, ceil(90/40) returns 3.
  • floor: Returns the nearest lower integer value. For example, floor(173/100) returns 1.
  • signum: Returns the sign of a real number. For example, signum(-25) returns -1.

Examples

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the calc command.

Example 1: Calculate the memory consumption percentage using the division arithmetic operation:

* | eval Memory_consumption_Percentage = calc ((usedMemory/totalMemory)*100)

Example 2: Calculate the difference between two numbers using the subtraction arithmetic operation:

COLLECTOR_NAME="upload" | eval diff=calc (num1-num2) | top limit=5 COLLECTOR by HOST

Example 3: Calculate the absolute value of the given number using the abs() built-in function:

* | eval output=calc (abs(0.668798090900))

output=0.67

Example 4: Calculate the absolute value of the given number using the abs() built-in function:

* | eval output=calc (abs(linenum+100)) where linenum = 254
output=354

Example 5: Calculate the nearest upper integer value using the ceil() built-in function:

* | eval output=calc (ceil(linenum/100)) where linenum = 173
output=2

Example 6: Calculate the nearest lower integer value using the floor() built-in function:

* | eval output=calc (floor(linenum/100)) where linenum = 173
output=1

Example with multiple fields using calc command

In this example, you use the command to replace an existing field name with a new field name. See the sample image to understand how this command functions and to correlate the resulting output:

Example 7: Find the sign of a real number, change the name of a field, and calculate the difference between the changed field and 100:

Command

* |  eval  output=calc (signum(+11)) | chgname linenum with Line | eval  total_add=calc (Line-100)

Result

output=1 | Line=173 | total_add=73

ITDA_calc_sample.PNG


Notes:

  • After replacing the name of a particular field with a new name, you can perform mathematical operations using the new name.
  • The eval-field must be more than one character, and must not be all numbers, all special characters, numbers with special characters or string with special characters.  For example, * | eval 10$=calc(20-10) , * | eval X=calc(20-10), or * | eval tom()=calc(50/10) are not allowed. 
  • You cannot rename an existing (single) field with multiple names. For example, with an existing field X, you cannot replace X with Y and then replace X with Z in one search string.

  • You cannot rename the default fields HOST, COLLECTOR_NAME, and DATA_PATTERN.
  • You cannot use default field names to specify a target field.
  • You cannot click a renamed field (or tag) to add it to the Fields section (on the Filters panel) or to your search criteria. However, you can use it in a subsequent search command by adding it to your search criteria.
  • When you are chaining a calc search command with either a tabular command or saved search with a custom timestamp, it is not displayed on the TrueSight console. The calc search notification works fine when a saved search is tied to a relative time stamp.
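
The naming and renaming rules in these notes can be checked before a search string is saved or shared. The following Python check is an added example, not part of the product: it flags eval-field names and chgname stages that break the rules above. It assumes that only letters, digits, and underscores are non-special characters, and that the default-field restriction on target fields applies to the new name in chgname; the function names are illustrative.

```python
import re

DEFAULT_FIELDS = {"HOST", "COLLECTOR_NAME", "DATA_PATTERN"}  # listed in the Notes
EVAL_RE = re.compile(r"^eval\s+(.+?)\s*=\s*calc\b")
CHGNAME_RE = re.compile(r"^chgname\s+(\S+)\s+with\s+(\S+)$")


def check_eval_field(name):
    """Return the reason a name is rejected, or None if it is acceptable."""
    if len(name) < 2:
        return "must be more than one character"
    # Assumption: anything other than letters, digits and '_' is "special".
    if not re.fullmatch(r"\w+", name, re.ASCII):
        return "contains special characters"
    if name.isdigit():
        return "must not be all numbers"
    return None


def lint_search(query):
    """Check the eval and chgname stages of a search string against the rules."""
    problems, renamed = [], set()
    # The first pipe-separated stage is the search criteria, so skip it.
    for stage in (s.strip() for s in query.split("|")[1:]):
        m = EVAL_RE.match(stage)
        if m:
            reason = check_eval_field(m.group(1))
            if reason:
                problems.append(f"eval-field {m.group(1)!r}: {reason}")
            continue
        m = CHGNAME_RE.match(stage)
        if m:
            old, new = m.groups()
            if old in DEFAULT_FIELDS:
                problems.append(f"chgname: default field {old} cannot be renamed")
            if new in DEFAULT_FIELDS:
                problems.append(f"chgname: default field {new} cannot be a target")
            if old in renamed:
                problems.append(f"chgname: {old} is renamed more than once")
            renamed.add(old)
    return problems
```

An empty list means that no rule from this page was violated; it does not validate the <eval-expression> itself.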

 
