
You can perform a search to troubleshoot issues by specifying search criteria on the Search tab. Your search criteria (search string) can be composed of words, name=value pairs, fields, tags, and so on. For more information, see Searching the data. The search string is a set of expressions that are separated by various logical operators such as two ampersands (&&), two pipes (||), and so on. For more information, see Search string syntax.

Search commands are complex search strings available by default with the BMC TrueSight IT Data Analytics product. Search commands are a set of commands containing arguments and can be run on the output of a particular search that you must have already performed. You can chain a set of search commands so that the output of one search command is consumed as the input to the subsequent search command. Multiple search commands can be chained by using a pipe separator (|).

Some of the commands add fields that you can use for further processing your data. For example, when you run the group command, the following fields are automatically added in each of the records displayed:

  • duration
  • numentries
  • group_complete

For other commands such as extract or table, the additional field names are dynamic in nature and are added depending on the input specified. These fields can be used in subsequent commands added to your existing search query.


These fields are virtual fields and cannot be added to the My Fields section on the Filter Pane.


Use cases

At a high level, you can use search commands for the following purposes:

  • Performing advanced analysis on your existing search results; for example, simple or complex pattern matching
  • Simplifying your troubleshooting tasks
  • Breaking down your search results into smaller parts
  • Examining your search results from different viewpoints
  • Manipulating your search results by using functions such as filtering and grouping

The following example use cases provide scenarios that help you better understand the value of using search commands.


Scenario 1

John has an application hosted on the cloud. The application web tier is hosted on an Apache HTTPD server, which provides information regarding all URLs accessed. This information is stored in the access.log file.

Goal: John wants to find out which browsers are most used by customers, to decide on the browsers for which support must be continued.

To find out the most used browsers, John needs a command that provides a total count of the URLs accessed using the various browsers. If the data that John is monitoring (access.log) contains a browser field, John can run the stats command with the count function on that field.

Action: Run the following search command on the log entries related to the access.log file:

COLLECTOR_NAME=access.log | stats count(browser)

Scenario 2

John wants to create a traffic-light indicator for the cpupercent field (CPU usage) in the following manner and summarize the results in a chart:

  • If CPU usage is from 0 to 5%, mark it with the value GREEN.
  • If CPU usage is from 6 to 50%, mark it with the value YELLOW.
  • If CPU usage is above 50%, mark it with the value RED.


  1. Run the following search command to create a new range field with the value GREEN, YELLOW, or RED, depending on the value of the cpupercent field, and then rename the range field to CPU_STATUS.
    COLLECTOR_NAME="script_54" | valmap field=cpupercent GREEN=0-5 YELLOW=6-50 RED=51-100 | chgname range with CPU_STATUS
  2. View the values for the CPU_STATUS field in the form of a chart, as described in Viewing the Summarization Chart.
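
The chain from Scenario 2, modelled in Python as an added example (it is not BMC's implementation and not code from this page): each stage consumes the records produced by the previous one, as with the pipe separator. The sample records are constructed, and two behaviours are assumptions the page does not state: range bounds are inclusive, and a value that matches no range gets no range field.

```python
from collections import Counter

# Constructed sample records standing in for events from the script_54 collector.
RECORDS = [
    {"host": "web01", "cpupercent": "3"},
    {"host": "web02", "cpupercent": "42"},
    {"host": "web03", "cpupercent": "97"},
    {"host": "web04", "cpupercent": "5.5"},  # between GREEN (0-5) and YELLOW (6-50)
    {"host": "web05"},                        # record without a cpupercent field
    {"host": "web06", "cpupercent": "50"},
]
RANGES = {"GREEN": "0-5", "YELLOW": "6-50", "RED": "51-100"}

def valmap(records, field, ranges):
    """Model of valmap: add a 'range' field naming the range the value falls in."""
    bounds = {name: tuple(float(x) for x in spec.split("-"))
              for name, spec in ranges.items()}
    for rec in records:
        out = dict(rec)
        try:
            value = float(rec[field])
        except (KeyError, ValueError):
            yield out  # field absent or not numeric: record passes through unchanged
            continue
        for name, (low, high) in bounds.items():
            if low <= value <= high:  # assumption: both bounds are inclusive
                out["range"] = name
                break
        yield out  # assumption: no matching range means no 'range' field is added

def chgname(records, old, new):
    """Model of chgname: rename field `old` to `new` wherever it is present."""
    for rec in records:
        yield {(new if key == old else key): val for key, val in rec.items()}

def cpu_status_records(records):
    """valmap | chgname, chained so each stage consumes the previous stage's output."""
    return list(chgname(valmap(records, "cpupercent", RANGES), "range", "CPU_STATUS"))

def cpu_status_summary(records):
    """Counts per CPU_STATUS value, standing in for the summarization chart."""
    return Counter(r["CPU_STATUS"] for r in cpu_status_records(records)
                   if "CPU_STATUS" in r)

def unclassified_hosts(records):
    """Hosts whose records carry no CPU_STATUS and so never reach the chart."""
    return [r["host"] for r in cpu_status_records(records) if "CPU_STATUS" not in r]
```

In this model a reading of 5.5 is neither GREEN nor YELLOW, so it is absent from the summary instead of appearing under any colour. Check how the product treats non-integer values before relying on the indicator for alerting.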

Supported search commands

The following table provides a list of supported search commands for achieving various goals:


  • When you run a search command, if you specify a field name that does not exist, search results that do not contain the field name are not impacted.
  • If you use special characters such as double quotes (") and backslash (\) in your search syntax, you must use a backslash as an escaping character before the special character. For more information, see Escaping characters.
  • Field names are case sensitive.
  • Search commands that rely on fields work only if the specified field is present in the search results.

| What do I want to do? | Supported search command | Description |
|---|---|---|
| Manipulate search results by performing the following functions: group, order, filter | fields | Keep or remove fields in search results. |
| | filter | Filter results based on a criteria condition. |
| | top | Get the most common values of a field. |
| | rare | Get the least common values of a field. |
| | head | Return the first n search results based on sort order. The head command returns the last n entries for descending results. |
| | tail | Return the last n search results. The tail command returns the first n entries for descending results. |
| Perform first-level analysis such as simple pattern matching, comparison, and basic statistics | chgname | Change the name of a field. |
| | chgvalue | Arrange values into buckets based on user-defined ranges. |
| | concat | Concatenate field values (or string values) and assign them to the specified target field. |
| | difftime | Compute the difference between the current time stamp and the event time stamp and assign the value to a new "difftime" field. |
| | eval | Evaluate an expression (a field name along with a specified operation) and assign the resulting value to a new field; for example, change the case of a field value, split a field value, and copy portions of a field value. |
| | extract | Extract field values or raw event data and assign the values or data to new fields by using the Java regular expression capturing groups. |
| | extractkv | Extract name=value pairs from raw event data depending on the delimiters specified. |
| | stats | Create an aggregate representation of data in the form of a table of statistics and a corresponding chart based on the fields specified. |
| | table | Extract fields from events with information in a tabular format. |
| | valmap | Classify numeric field values with a specified category name depending on the range specified. |
| Present (or report) data quickly by specifying a search string. | timechart | Create a time-series representation of data in the form of a table of statistics and a corresponding chart based on the fields specified. |
| Perform advanced analysis such as statistical analysis and complex pattern matching | group | Group events depending on the group options (conditions) specified to create a transaction of events. |