    This command displays search results that match the specified filter function.

    For a list of all search commands, see Search commands.

    Syntax

    filter <filter-function>

    In the preceding syntax, <filter-function> can be one of the functions described in the following table:

    Function | Syntax | Description
    isNotNull
    isNotNull (<field>)

    Uses the field name as an argument and returns true if the field specified is not null (the field exists).

    Note: This function is expected to be deprecated in a future release of the IT Data Analytics product. If you are using this function in one of your saved searches, ensure that you update the saved searches and replace the isNotNull function with the fieldexists function.

    fieldexists
    fieldexists (<field>)

    Uses the field name as an argument and returns true if the field specified is present in the data indexed.

    In other words, if the field specified exists in the data indexed, data containing the field is displayed as search results. On the other hand, if the field specified does not exist, no results are displayed.

    match
    match (<field>, "<string>")

    Uses two arguments: the field name as the first argument and a quoted string as the second argument. Returns true if the field value matches the second argument value irrespective of case.

    matchcase
    matchcase (<field>, "<string>")

    Uses two arguments: the field name as the first argument and a quoted string as the second argument. Returns true if the field value matches the exact argument value (case is important).

    isNumeric
    isNumeric (<field>)

    Uses the field name as an argument and returns true if the field value is numeric. This function works only for numeric values stored as a string at the time of data-pattern creation.

    greaterthan
    greaterthan (<field>, "<numeric-value>")

    Uses two arguments: the field name as the first argument and a quoted numeric value as the second argument. Returns true if the field value is greater than the value specified.

    lessthan
    lessthan (<field>, "<numeric-value>")

    Uses two arguments: the field name as the first argument and a quoted numeric value as the second argument. Returns true if the field value is less than the value specified.

    regex
    regex (<field>, "<regex>")

    Uses two arguments: the field name as the first argument and a quoted string (a Java regular expression) as the second argument. Returns true if the field value matches the second argument value.

    where,

    <field> refers to the field name.

    "<string>" refers to a regular string literal enclosed in double quotes.

    "<numeric-value>" refers to a number enclosed in double quotes.

    "<regex>" refers to a Java regular expression enclosed in double quotes.

    Short examples

    Example 1: Filter search results containing numeric values for the field ResponseCode.

    ... | filter isNumeric(ResponseCode)

    Example 2: Filter search results that contain the field Thread.

    ... | filter fieldexists(Thread)

    Example 3: Filter search results matching the field RequestType with the value GET in a case-insensitive way.

    ... | filter match(RequestType, "GET")

    Example 4: Filter search results matching the field RequestType with the value GET in a case-sensitive way.

    ... | filter matchcase(RequestType, "GET")

    Example 5: Filter search results to display the field RequestType with the value matching the regular expression "....".

    ... | filter regex(RequestType, "....")

    Example 6: Filter search results for the field ResponseCode with a value greater than 400.

    ... | filter greaterThan(ResponseCode, "400")

    Example 7: Filter search results for the field ResponseCode with a value less than 400.

    ... | filter lessThan(ResponseCode, "400")

    Long examples

    The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the filter command.

    Sample data

    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200
    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100

    Sample indexed data

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100
    HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200
    HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150
    HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100
    HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

    isNumeric

    In this example, you use the command to display search results containing numeric values for the field ResponseCode.

    Command

    ... | filter isNumeric(ResponseCode)

    Output

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=200 |DATA_PATTERN=MyAccess |RequestType=POST
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=PUT
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=GET
    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

    fieldexists

    In this example, you use the command to display search results containing the field invalidField.

    If the specified field does not exist in the indexed data, no results are displayed.

    Command

    ... | filter fieldexists(invalidField)

    Output

    No results found

    match

    In this example, you use the command to display search results matching the field RequestType with the value GET.

    Command

    ... | filter match(RequestType, "GET")

    Output

    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=201 |DATA_PATTERN=MyAccess |RequestType=GET
    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

    regex

    In this example, you use the command to display search results if the value of the field RequestType matches the regular expression specified.

    Command

    ... | filter regex(RequestType, "....")

    Output

    In the following output, only results in which the value of the field RequestType contains four characters are displayed according to the regular expression used in the command.

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=200 |DATA_PATTERN=MyAccess |RequestType=POST

    greaterThan

    In this example, you use the command to display search results in which the value of the field ResponseCode is greater than the value 400.

    Command

    ... | filter greaterThan(ResponseCode, "400")

    Output

    10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100
    HOST=local.bmc.com |COLLECTOR_NAME=u4 |ResponseCode=404 |DATA_PATTERN=MyAccess |RequestType=GET

    lessThan

    In this example, you use the command to display search results in which the value of the field ResponseCode is less than the value 400.

    Command

    ... | filter lessThan(ResponseCode, "400")

    Output

    10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100
    HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200
    HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png
    10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150
    HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

    Notes

    • The product supports only Java regular expressions that are compatible with Java Runtime Environment (JRE) version 1.6.
    • The isNumeric function works only for numeric values stored as a string at the time of data-pattern creation.
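
The long examples above can be reproduced offline with the following added sketch, which is not BMC code: hypothetical Python stand-ins for the filter functions, run over the page's sample indexed data. It assumes match and matchcase compare whole values and that regex must match the entire field value (inferred from the "...." output showing only POST); Python's re module stands in for Java regular expressions.

```python
import re

# Field lines copied from the page's "Sample indexed data".
INDEXED = [
    "HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png",
    "HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png",
    "HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png",
    "HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png",
]

def parse_fields(line):
    """Turn 'NAME=value |NAME=value' into a dict, trimming the padding around '|'."""
    fields = {}
    for part in line.split("|"):
        name, sep, value = part.strip().partition("=")
        if sep:
            fields[name] = value
    return fields

RECORDS = [parse_fields(line) for line in INDEXED]
NUMERIC = re.compile(r"-?\d+(\.\d+)?")

def is_numeric(rec, field):
    """True when the field exists and its string value is a plain number."""
    return field in rec and NUMERIC.fullmatch(rec[field]) is not None

# Hypothetical Python stand-ins for the documented functions (not BMC code).
FUNCTIONS = {
    "fieldexists": lambda rec, f: f in rec,
    "isNumeric": is_numeric,
    "match": lambda rec, f, s: f in rec and rec[f].lower() == s.lower(),
    "matchcase": lambda rec, f, s: rec.get(f) == s,
    # The threshold arrives as a quoted string, as in greaterThan(ResponseCode, "400").
    "greaterThan": lambda rec, f, n: is_numeric(rec, f) and float(rec[f]) > float(n),
    "lessThan": lambda rec, f, n: is_numeric(rec, f) and float(rec[f]) < float(n),
    # Assumption: the pattern must cover the whole value, since "...." returns only POST.
    "regex": lambda rec, f, p: f in rec and re.fullmatch(p, rec[f]) is not None,
}

def run_filter(name, field, *args, records=RECORDS):
    """Return the records for which the named function is true."""
    return [rec for rec in records if FUNCTIONS[name](rec, field, *args)]

def column(results, field):
    """Project one field out of a result list for compact display."""
    return [rec[field] for rec in results]

if __name__ == "__main__":
    print(column(run_filter("regex", "RequestType", "...."), "RequestType"))
    print(column(run_filter("greaterThan", "ResponseCode", "400"), "ClientIp"))
```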