• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    BMC TrueSight IT Data Analytics 1.0

    Page tree

    This command displays search results that match the specified filter function.

    This topic contains the following information:

    For a list of all search commands, see Search commands.

    Syntax

    filter <filter-function>

    In the preceding syntax, <filter-function> can be one of the functions described in the following table:

    ItemSyntaxDescription
    isNotNull
    isNotNull (<field>)
    		Uses the field name as an argument and returns true if the field specified is not null (the field exists).
    match
    match (<field>, "<string>")

    Uses two arguments: the field name as the first argument and a quoted string as the second argument. Returns true if the field value matches the second argument value.

    isNumeric
    isNumeric (<field>)

    Uses the field name as an argument and returns true if the field value is numeric. This function works only for numeric values stored as a string at the time of data-pattern creation.

    greaterthan
    greaterthan (<field>, "<numeric-value>")
    		Uses the field name as an argument and returns true if the field value is greater than the value specified.
    regexregex (<field>, "<regex>")

    Uses two arguments: the field name as the first argument and a quoted string (a Java regular expression) as the second argument. Returns true if the field value matches the second argument value.

    where,

    <field> refers to the field name.

    "<string>" refers to a regular string literal enclosed in double quotes.

    "<numeric-value>" refers to a number enclosed in double quotes.

    "<regex>" refers to a Java regular expression enclosed in double quotes.

    Short examples

    Example 1: Filter search results containing numeric values for the field ResponseCode.

    ... | filter isNumeric(ResponseCode)

    Example 2: Filter search results that do not contain the field Thread.

    ... | filter isNotNull(Thread)

    Example 3: Filter search results matching the field RequestType with the value GET.

    ... | filter match(RequestType, "GET")

    Example 4: Filter search results to display the field RequestType with the value matching the regular expression "....".

    ... | filter regex(RequestType, "....")

    Example 5: Filter search results for the field ResponseCode with a value greater than 400.

    ... | filter greaterThan(ResponseCode, "400")

    Long examples

    The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the filter command.

    Sample data

    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 404 100
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 150
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 200
    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 200 100

    Back to examples ↑

    Sample indexed data

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 200 100
    HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 200
    HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 150
    HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 404 100
    HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

    Back to examples ↑

    isNumeric

    In this example, you use the command to display search results containing numeric values for the field ResponseCode.

    Command

    ... | filter isNumeric(ResponseCode)

    Output

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 200 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=200 |DATA_PATTERN=MyAccess |RequestType=POST
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 200
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=PUT
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 150
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=GET
    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 404 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

    Back to examples ↑

    isNotNull

    In this example, you use the command to display search results containing the field invalidField.

    If the specified field does not exist in the indexed data, no results are displayed.

    Command

    ... | filter isNotNull(invalidField)

    Output

    No results found

    Back to examples ↑

    match

    In this example, you use the command to display search results matching the field RequestType with the value GET.

    Command

    ... | filter match(RequestType, "GET")

    Output

    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 201 150
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=GET
    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 404 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

    Back to examples ↑

    regex

    In this example, you use the command to display search results if the value of the field RequestType matches the regular expression specified.

    Command

    ... | filter regex(RequestType, "....")

    Output

    In the following output, only results in which the value of the field RequestType contains four characters are displayed according to the regular expression used in the command.

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 200 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=200 |DATA_PATTERN=MyAccess |RequestType=POST

    Back to examples ↑

    greaterThan

    In this example, you use the command to display search results in which the value of the field ResponseCode is greater than the value 400.

    Command

    ... | filter greaterThan(ResponseCode, "400")

    Output

    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png 
    HTTP/1.1" 404 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

    Back to examples ↑

    Notes

    • The product supports only Java regular expressions that are compatible with Java Runtime Environment (JRE) version 1.6.
    • The isNumeric function works only for numeric values stored as a string at the time of data-pattern creation.

    Related topics

    extract

    extractkv

    table

    © Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.