×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC TrueSight IT Data Analytics 11.3 ... Using Search commands

table search command

This search command extracts fields from events with information in a tabular format. A new event is created for each table row. Field names are derived from the title row of the table. Optionally, you can specify a list of fields that you want to further extract and keep from the given list of all fields. You can also filter search results to keep records that match the specified filter criteria.

If you do not specify fields, all fields extracted are displayed. Furthermore, if you do not specify a filter criterion, all data extracted is displayed along with the extracted fields.

This topic contains the following information:

For a list of all search commands, see Search commands.

Related topics

fields search command

Getting started with search

Syntax

table [fields <field-list>+] [filter <filter-criterion>+]

In the preceding syntax,the following definitions apply:

  • + indicates one or more similar expressions separated by a comma (,) or space.
  • [expression] indicates it is optional.
  • <field-list> refers to a list of space-separated fields that you want to keep in the search results. This parameter is optional.
  • <filter-criterion> refers to a list of space-separated values (data entry) by which you want to filter, to show in the search results. This parameter is optional.

Short examples

Example 1: Extract the column headings that appear in the raw data as fields and create a new data entry for each row.

... | table 

Example 2: Extract the  PID, USER, %CPU, and CMD fields.

... | table fields PID USER %CPU CMD

Example 3: Extract the PID, USER, %CPU, and CMD fields when they occur in rows that contain the "itda" raw-data entry.

... | table fields PID USER %CPU CMD filter itda

Long examples

 The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the table command.

Sample data

Wed Jun  4 08:16:38 CDT 2014
  PID USER     %CPU     RSS     VSZ CMD
    1 root      0.0    1416   19364 /sbin/init
    4 root      0.0       0       0 [ksoftirqd/0]
  418 root      0.0     416   10944 /sbin/udevd -d
  705 root      0.0       0       0 [vmmemctl]
 1611 root      0.0     636    9120 /sbin/dhclient
 3251 root      0.0    3932  144556 /bin/rscd
 3288 root      0.0     528    4064 /sbin/mingetty /dev/tty2
15646 root      0.0   29504  493824 konsole
15649 root      0.0    2368  108956 /bin/bash
17764 root      0.0   18376  396656 /usr/bin/knotify4
22220 root      1.3 1433560 2444112 itda_indexer
22222 root      1.0  578668 2284768 itda_station
22225 root      2.4  761484 2765776 itda_server
22227 root      0.3  149836 1861804 itda_database

Back to examples ↑

Sample indexed data

Wed Jun  4 08:16:38 CDT 2014
  PID USER     %CPU     RSS     VSZ CMD
    1 root      0.0    1416   19364 /sbin/init
    4 root      0.0       0       0 [ksoftirqd/0]
  418 root      0.0     416   10944 /sbin/udevd -d
  705 root      0.0       0       0 [vmmemctl]
 1611 root      0.0     636    9120 /sbin/dhclient
 3251 root      0.0    3932  144556 /bin/rscd
 3288 root      0.0     528    4064 /sbin/mingetty /dev/tty2
15646 root      0.0   29504  493824 konsole
15649 root      0.0    2368  108956 /bin/bash
17764 root      0.0   18376  396656 /usr/bin/knotify4
22220 root      1.3 1433560 2444112 itda_indexer
22222 root      1.0  578668 2284768 itda_station
22225 root      2.4  761484 2765776 itda_server
22227 root      0.3  149836 1861804 itda_database
HOST=local.bmc.com |COLLECTOR_NAME=u4

Back to examples ↑

table

In this example, you use the command to extract fields from the event data that appears in a tabular format.

The table column names are displayed as fields, and a separate record is created for each row in the table.

Command

... | table

Output

22227 root 0.3 149836 1861804 itda_database
HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_database|VSZ=1861804|PID=22227|%CPU=0.3|RSS=149836|USER=root
22225 root 2.4 761484 2765776 itda_server
HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_server|VSZ=2765776|PID=22225|%CPU=2.4|RSS=761484|USER=root
22222 root 1.0 578668 2284768 itda_station
HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_station|VSZ=2284768|PID=22222|%CPU=1.0|RSS=578668|USER=root
22220 root 1.3 1433560 2444112 itda_indexer
HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_indexer|VSZ=2444112|PID=22220|%CPU=1.3|RSS=1433560|USER=root
17764 root 0.0 18376 396656 /usr/bin/knotify4
HOST=myhost |COLLECTOR_NAME=up_table |CMD=/usr/bin/knotify4|VSZ=396656|PID=17764|%CPU=0.0|RSS=18376|USER=root
15649 root 0.0 2368 108956 /bin/bash
HOST=myhost |COLLECTOR_NAME=up_table |CMD=/bin/bash|VSZ=108956|PID=15649|%CPU=0.0|RSS=2368|USER=root
15646 root 0.0 29504 493824 konsole
HOST=myhost |COLLECTOR_NAME=up_table |CMD=konsole|VSZ=493824|PID=15646|%CPU=0.0|RSS=29504|USER=root
3288 root 0.0 528 4064 /sbin/mingetty /dev/tty2
HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/mingetty|VSZ=4064|PID=3288|%CPU=0.0|RSS=528|USER=root
3251 root 0.0 3932 144556 /bin/rscd
HOST=myhost |COLLECTOR_NAME=up_table |CMD=/bin/rscd|VSZ=144556|PID=3251|%CPU=0.0|RSS=3932|USER=root
1611 root 0.0 636 9120 /sbin/dhclient
HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/dhclient|VSZ=9120|PID=1611|%CPU=0.0|RSS=636|USER=root
705 root 0.0 0 0 [vmmemctl]
HOST=myhost |COLLECTOR_NAME=up_table |CMD=[vmmemctl]|VSZ=0|PID=705|%CPU=0.0|RSS=0|USER=root
418 root 0.0 416 10944 /sbin/udevd -d
HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/udevd|VSZ=10944|PID=418|%CPU=0.0|RSS=416|USER=root
4 root 0.0 0 0 [ksoftirqd/0]
HOST=myhost |COLLECTOR_NAME=up_table |CMD=[ksoftirqd/0]|VSZ=0|PID=4|%CPU=0.0|RSS=0|USER=root
1 root 0.0 1416 19364 /sbin/init
HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/init|VSZ=19364|PID=1|%CPU=0.0|RSS=1416|USER=root

Back to examples ↑

table with fields

In this example, you use the command to extract the PID, USER, %CPU, and CMD fields.

Command

... | table fields PID USER %CPU CMD

Output

22227 root 0.3 149836 1861804 itda_database
HOST=myhost |COLLECTOR_NAME=up_table |PID=22227|USER=root|%CPU=0.3|CMD=itda_database
22225 root 2.4 761484 2765776 itda_server
HOST=myhost |COLLECTOR_NAME=up_table |PID=22225|USER=root|%CPU=2.4|CMD=itda_server
22222 root 1.0 578668 2284768 itda_station
HOST=myhost |COLLECTOR_NAME=up_table |PID=22222|USER=root|%CPU=1.0|CMD=itda_station
22220 root 1.3 1433560 2444112 itda_indexer
HOST=myhost |COLLECTOR_NAME=up_table |PID=22220|USER=root|%CPU=1.3|CMD=itda_indexer
17764 root 0.0 18376 396656 /usr/bin/knotify4
HOST=myhost |COLLECTOR_NAME=up_table |PID=17764|USER=root|%CPU=0.0|CMD=/usr/bin/knotify4
15649 root 0.0 2368 108956 /bin/bash
HOST=myhost |COLLECTOR_NAME=up_table |PID=15649|USER=root|%CPU=0.0|CMD=/bin/bash
15646 root 0.0 29504 493824 konsole
HOST=myhost |COLLECTOR_NAME=up_table |PID=15646|USER=root|%CPU=0.0|CMD=konsole
3288 root 0.0 528 4064 /sbin/mingetty /dev/tty2
HOST=myhost |COLLECTOR_NAME=up_table |PID=3288|USER=root|%CPU=0.0|CMD=/sbin/mingetty
3251 root 0.0 3932 144556 /bin/rscd
HOST=myhost |COLLECTOR_NAME=up_table |PID=3251|USER=root|%CPU=0.0|CMD=/bin/rscd
1611 root 0.0 636 9120 /sbin/dhclient
HOST=myhost |COLLECTOR_NAME=up_table |PID=1611|USER=root|%CPU=0.0|CMD=/sbin/dhclient
705 root 0.0 0 0 [vmmemctl]
HOST=myhost |COLLECTOR_NAME=up_table |PID=705|USER=root|%CPU=0.0|CMD=[vmmemctl]
418 root 0.0 416 10944 /sbin/udevd -d
HOST=myhost |COLLECTOR_NAME=up_table |PID=418|USER=root|%CPU=0.0|CMD=/sbin/udevd
4 root 0.0 0 0 [ksoftirqd/0]
HOST=myhost |COLLECTOR_NAME=up_table |PID=4|USER=root|%CPU=0.0|CMD=[ksoftirqd/0]
1 root 0.0 1416 19364 /sbin/init
HOST=myhost |COLLECTOR_NAME=up_table |PID=1|USER=root|%CPU=0.0|CMD=/sbin/init

Back to examples ↑

table with fields and filter

In this example, you use the command to extract the PID, USER, %CPU, and CMD fields when the fields occur in records that contain itda.

Command

... | table fields PID USER %CPU CMD filter itda

Output

22227 root 0.3 149836 1861804 itda_database
HOST=myhost |COLLECTOR_NAME=up_table|PID=22227|USER=root|%CPU=0.3|CMD=itda_database
22225 root 2.4 761484 2765776 itda_server
HOST=myhost |COLLECTOR_NAME=up_table|PID=22225|USER=root|%CPU=2.4|CMD=itda_server
22222 root 1.0 578668 2284768 itda_station
HOST=myhost |COLLECTOR_NAME=up_table|PID=22222|USER=root|%CPU=1.0|CMD=itda_station
22220 root 1.3 1433560 2444112 itda_indexer
HOST=myhost |COLLECTOR_NAME=up_table|PID=22220|USER=root|%CPU=1.3|CMD=itda_indexer

Back to examples ↑

Notes

  • For this command to produce the desired results, the data must contain rows that are separated by a new-line separator (\n).
  • The command assumes that columns in the data are separated by a space character ( ).
  • If data entries that appear in the columns contain a space character ( ), the command might not function properly.
  • If a column name in the event data contains a space, each word in the column name is treated as a separate column name.
    For example, if you have three columns in the data (HOST, Request Type, and COLLECTOR_NAME), then Request and Type are considered as separate column names, and the data under column COLLECTOR_NAME is considered to be data for column Type (leaving the column COLLECTOR_NAME with no values).

Was this page helpful? Yes No Submitting... Thank you
Last modified by Sonali Deshmukh on Jan 10, 2017
examples using search reference search_commands

Comments

Log in or register to comment.

stats search command
tail search command
© Copyright 2014 - 2019 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.