This search command evaluates an expression (a field name along with a specified function) and assigns the resulting value to a new field that you specify. When you specify a field, the product runs specified functions on the value of that field and then assigns the resulting value to a new field so that you can further analyze it.

You can perform the following functions:

  • Changing the case of a field value to lowercase or uppercase
  • Splitting the value of a field into multiple parts depending on the delimiters specified
  • Copying portions of a field value

Delimiters can be alphanumeric characters, special characters, or Java regular expressions. When you run the split function, the resulting values are assigned to the new field. Because fields with multiple values are displayed as a comma-separated list, the resulting values from a split function are also displayed as a comma-separated list.

You can also use the split function with a copy function (mvindex) in the command syntax, so that one of the values received by running the split function is copied to the new field.

You can copy portions (a range of values) by specifying a starting index and ending index so that a range of values is copied from the source field and assigned to the new field. The value of the index indicates the particular portion of the field value that must be copied. For example, if the source field has a list of five values and you specify the starting index as 0 and the ending index as 3, then a range of values from the first to the fourth portions is copied and assigned to the new field.

For a list of all search commands, see Search commands.

Syntax

eval <New-Field>=<Expression>

In the preceding syntax, the following definitions apply:

  • <New-Field> refers to the name of the new field to which you want to assign the value that was received as a result of running the specified function.
  • <Expression> refers to a combination of the specified function and the name of the source field on which you want to run the function.

    The following table lists the functions supported:

    Function: lower
    Syntax: lower(<Source-Field>)
    Description: Changes the case of the source field value to lowercase

    Function: upper
    Syntax: upper(<Source-Field>)
    Description: Changes the case of the source field value to uppercase

    Function: split
    Syntax: split(<Source-Field>, "<Delimiter>")
    Description: Splits the source field value depending on the delimiter specified. The delimiters can be alphanumeric characters, special characters or Java regular expressions and must always be enclosed in double quotes (").

    Note: If you want to use special characters such as period (.) or asterisk (*) as a normal delimiter and not as a Java regular expression, you must use an escaping backslash character (\) before the special character.

    Function: mvindex
    Syntax: mvindex(<Source-Field>, <Start-Index>[,<End-Index>])
    where [Expression] indicates that the expression is optional
    Description: Copies portions of the source field value depending on the index specified. You can specify a starting index and an ending index so that a comma-separated range of values is copied from the source field and assigned to the new field. Specifying the ending index is optional.

    Index is a number starting from 0 to 9 (read from left to right) and -1 to -10 (read from right to left), indicating the portion of the field that must be copied.

    Zero indicates the first portion and -1 indicates the last portion.

    The end index must be greater than the start index.

Short examples

Example 1: Create a new field, req_type_low, with the value of the RequestType field that appears in lowercase.

... | eval req_type_low = lower(RequestType)

Example 2: Create a new field, host_name_up, with the value of the HOST field that appears in uppercase.

... | eval host_name_up = upper(HOST)

Example 3: Create a new field, broken_url, with the value of the RequestURL field such that the new field value shows as a list of values split by the delimiter "/".

... | eval broken_url=split(RequestURL, "/")

Example 4: Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/". After this, create a new field, resource_root, with the first portion (index 1) of the broken_url value.

... | eval broken_url=split(RequestURL, "/")
| eval resource_root=mvindex(broken_url, 1)


Example 5: Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/" and then create a new field, resource_param, with the second-to-last portion of the broken_url value.

... | eval broken_url=split(RequestURL, "/")
| eval resource_param=mvindex(broken_url, -2)

Example 6: Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/" and then create a new field, resource_params, with a range of values (third-to-last portion to the last portion) of the broken_url value.

... | eval broken_url=split(RequestURL, "/") 
| eval resource_params=mvindex(broken_url, -3,-1)

Long examples

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the eval command. 

Sample data

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 404 100
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 150
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 200
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
HTTP/1.1" 200 100

Sample indexed data

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
HTTP/1.1" 200 100
HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 200
HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 150
HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 404 100
HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

lower

In this example, you use the command to create a new field, req_type_low, with the value of the RequestType field that appears in lowercase.

Command

... | eval req_type_low = lower(RequestType)

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
HTTP/1.1" 200 100
HOST=local.bmc.com |req_type_low=post|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 200
HOST=local.bmc.com |req_type_low=put|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 150
HOST=local.bmc.com |req_type_low=get|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 404 100
HOST=local.bmc.com |req_type_low=get|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |ResponseSize=100 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png

upper

In this example, you use the command to create a new field, host_name_up, with the value of the HOST field that appears in uppercase.

Command

... | eval host_name_up = upper(HOST)

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
HTTP/1.1" 200 100
HOST=local.bmc.com |host_name_up=LOCAL.BMC.COM|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 200
HOST=local.bmc.com |host_name_up=LOCAL.BMC.COM|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 150
HOST=local.bmc.com |host_name_up=LOCAL.BMC.COM|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 404 100
HOST=local.bmc.com |host_name_up=LOCAL.BMC.COM|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |ResponseSize=100 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png

split

In this example, you use the command to create a new field, broken_url, with the value of the RequestURL field such that the new field value shows as a list of values split by the delimiter "/".

Command

... | eval broken_url=split(RequestURL, "/")

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
HTTP/1.1" 200 100
HOST=local.bmc.com |broken_url=,themes,ComBeta,images,bullet.png|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 200
HOST=local.bmc.com |broken_url=,themes,ComBeta,images,bullet.png|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 150
HOST=local.bmc.com |broken_url=,themes,ComBeta,images,bullet.png|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 404 100
HOST=local.bmc.com |broken_url=,themes,ComBeta,images,bullet.png|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |ResponseSize=100 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png

split and mvindex

In this example, you use the command to perform the following actions:

  1. Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/".
  2. Create two new fields:
    • resource_root field with the first portion (index 1) of the broken_url value
    • resource_other field with the second portion (index 2) of the broken_url value

Command

... | eval broken_url=split(RequestURL, "/") | 
eval resource_root=mvindex(broken_url, 1) |
eval resource_other=mvindex(broken_url, 2)

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
HTTP/1.1" 200 100
COLLECTOR_NAME=u4 |ResponseCode=200 |HOST=local.bmc.com |resource_root=themes |resource_other=ComBeta |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.141 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 200
COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_root=themes|resource_other=ComBeta |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.141 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 150
COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_root=themes |resource_other=ComBeta |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.140 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 404 100
COLLECTOR_NAME=u4 |ResponseCode=404 |HOST=local.bmc.com |resource_root=themes|resource_other=ComBeta |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.140 |ResponseSize=100 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png

split and mvindex (with negative index)

In this example, you use the command to perform the following actions:

  1. Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/".
  2. Create a new field, resource_param, with the second-to-last portion of the broken_url value.

Command

... | eval broken_url=split(RequestURL, "/") |
eval resource_param=mvindex(broken_url, -2)

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
HTTP/1.1" 200 100
COLLECTOR_NAME=u4 |ResponseCode=200 |HOST=local.bmc.com |resource_param=images |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.141 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 200
COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_param=images |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.141 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 150
COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_param=images |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.140 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 404 100
COLLECTOR_NAME=u4 |ResponseCode=404 |HOST=local.bmc.com |resource_param=images |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.140 |ResponseSize=100 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png

split and mvindex (with list of negative indexes)

In this example, you use the command to perform the following actions:

  1. Create a new field, broken_url, with the value of the RequestURL field split by the delimiter "/".
  2. Create a new field, resource_params, with a range of values (third-to-last portion to the last portion) of the broken_url value.

Command

... | eval broken_url=split(RequestURL, "/") |
eval resource_params=mvindex(broken_url, -3,-1)

Output

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
HTTP/1.1" 200 100
COLLECTOR_NAME=u4 |ResponseCode=200 |HOST=local.bmc.com |resource_params=ComBeta,images,bullet.png |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.141 |ResponseSize=100 |RequestType=POST |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 200
COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_params=ComBeta,images,bullet.png |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.141 |ResponseSize=200 |RequestType=PUT |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 201 150
COLLECTOR_NAME=u4 |ResponseCode=201 |HOST=local.bmc.com |resource_params=ComBeta,images,bullet.png |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.140 |ResponseSize=150 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
HTTP/1.1" 404 100
COLLECTOR_NAME=u4 |ResponseCode=404 |HOST=local.bmc.com |resource_params=ComBeta,images,bullet.png |broken_url=,themes,ComBeta,images,bullet.png
|ClientIp=10.1.1.140 |ResponseSize=100 |RequestType=GET |RequestURL=/themes/ComBeta/images/bullet.png
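
The index and delimiter behaviour shown in the split and mvindex examples above, modelled in Python as an added example (not the product's own code). It assumes Python's re module in place of the Java regular expression engine and that an out-of-range index yields no value; the function bodies and the URL without a leading slash are constructed for illustration.

```python
import re

# RequestURL value taken from the page's sample data.
REQUEST_URL = "/themes/ComBeta/images/bullet.png"


def split(value, delimiter):
    """Model of split(): the delimiter is treated as a regular expression."""
    # Assumption: Python's re stands in for the Java regex engine.
    return re.split(delimiter, value)


def mvindex(values, start, end=None):
    """Model of mvindex(): 0-based, negatives count from the right, end inclusive."""
    n = len(values)
    lo = start + n if start < 0 else start
    hi = lo if end is None else (end + n if end < 0 else end)
    if end is not None and hi <= lo:
        raise ValueError("end index must be greater than start index")
    # Assumption: an index outside the list yields no value, not an error.
    if lo < 0 or hi >= n:
        return []
    return values[lo:hi + 1]


def demo():
    broken_url = split(REQUEST_URL, "/")
    return {
        "broken_url": broken_url,
        # The URL starts with the delimiter, so index 0 is an empty value.
        "index_0": mvindex(broken_url, 0),
        "resource_root": mvindex(broken_url, 1),
        "resource_param": mvindex(broken_url, -2),
        "resource_params": mvindex(broken_url, -3, -1),
        # Constructed input: without a leading "/", index 1 shifts by one.
        "no_leading_slash": mvindex(split("themes/ComBeta/images/bullet.png", "/"), 1),
        # An unescaped "." is a regex wildcard: every character is a delimiter.
        "ip_unescaped": split("10.1.1.140", "."),
        "ip_escaped": split("10.1.1.140", r"\."),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name} = {','.join(value)}")
```

The first three mvindex results match the resource_root, resource_param and resource_params values in the outputs above; the last two show why the period must be escaped when splitting a field such as ClientIp.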

Notes

  • If the new field name (the target field) is the same as an existing field, the existing field values are replaced by the new values.
  • You cannot use the default field names HOST, COLLECTOR_NAME, or DATA_PATTERN as the value of the target field.

Related topic

extract