• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    BMC TrueSight IT Data Analytics 1.1

    Page tree

    This search command extracts fields from events with information in a tabular format. A new event is created for each table row. Field names are derived from the title row of the table. Optionally, you can specify a list of fields that you want to further extract and keep from the given list of all fields. You can also filter search results to keep records that match the specified filter criteria.

    If you do not specify fields, all fields extracted are displayed. Furthermore, if you do not specify a filter criterion, all data extracted is displayed along with the extracted fields.

    This topic contains the following information:

    For a list of all search commands, see Search commands.

    Related topics

    fields

    Searching the data

    Syntax

    table [fields <field-list>+] [filter <filter-criterion>+]

    In the preceding syntax,the following definitions apply:

    • + indicates one or more similar expressions separated by a comma (,) or space.
    • [expression] indicates it is optional.
    • <field-list> refers to a list of space-separated fields that you want to keep in the search results. This parameter is optional.
    • <filter-criterion> refers to a list of space-separated values (data entry) by which you want to filter, to show in the search results. This parameter is optional.

    Short examples

    Example 1: Extract the column headings that appear in the raw data as fields and create a new data entry for each row.

    ... | table 

    Example 2: Extract the  PID, USER, %CPU, and CMD fields.

    ... | table fields PID USER %CPU CMD

    Example 3: Extract the PID, USER, %CPU, and CMD fields when they occur in rows that contain the "itda" raw-data entry.

    ... | table fields PID USER %CPU CMD filter itda

    Long examples

     The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the table command.

    Sample data

    Wed Jun  4 08:16:38 CDT 2014
      PID USER     %CPU     RSS     VSZ CMD
        1 root      0.0    1416   19364 /sbin/init
        4 root      0.0       0       0 [ksoftirqd/0]
      418 root      0.0     416   10944 /sbin/udevd -d
      705 root      0.0       0       0 [vmmemctl]
     1611 root      0.0     636    9120 /sbin/dhclient
     3251 root      0.0    3932  144556 /bin/rscd
     3288 root      0.0     528    4064 /sbin/mingetty /dev/tty2
    15646 root      0.0   29504  493824 konsole
    15649 root      0.0    2368  108956 /bin/bash
    17764 root      0.0   18376  396656 /usr/bin/knotify4
    22220 root      1.3 1433560 2444112 itda_indexer
    22222 root      1.0  578668 2284768 itda_station
    22225 root      2.4  761484 2765776 itda_server
    22227 root      0.3  149836 1861804 itda_database

    Back to examples ↑

    Sample indexed data

    Wed Jun  4 08:16:38 CDT 2014
      PID USER     %CPU     RSS     VSZ CMD
        1 root      0.0    1416   19364 /sbin/init
        4 root      0.0       0       0 [ksoftirqd/0]
      418 root      0.0     416   10944 /sbin/udevd -d
      705 root      0.0       0       0 [vmmemctl]
     1611 root      0.0     636    9120 /sbin/dhclient
     3251 root      0.0    3932  144556 /bin/rscd
     3288 root      0.0     528    4064 /sbin/mingetty /dev/tty2
    15646 root      0.0   29504  493824 konsole
    15649 root      0.0    2368  108956 /bin/bash
    17764 root      0.0   18376  396656 /usr/bin/knotify4
    22220 root      1.3 1433560 2444112 itda_indexer
    22222 root      1.0  578668 2284768 itda_station
    22225 root      2.4  761484 2765776 itda_server
    22227 root      0.3  149836 1861804 itda_database
    HOST=local.bmc.com |COLLECTOR_NAME=u4

    Back to examples ↑

    table

    In this example, you use the command to extract fields from the event data that appears in a tabular format.

    The table column names are displayed as fields, and a separate record is created for each row in the table.

    Command

    ... | table

    Output

    22227 root 0.3 149836 1861804 itda_database
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_database|VSZ=1861804|PID=22227|%CPU=0.3|RSS=149836|USER=root
    22225 root 2.4 761484 2765776 itda_server
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_server|VSZ=2765776|PID=22225|%CPU=2.4|RSS=761484|USER=root
    22222 root 1.0 578668 2284768 itda_station
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_station|VSZ=2284768|PID=22222|%CPU=1.0|RSS=578668|USER=root
    22220 root 1.3 1433560 2444112 itda_indexer
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=itda_indexer|VSZ=2444112|PID=22220|%CPU=1.3|RSS=1433560|USER=root
    17764 root 0.0 18376 396656 /usr/bin/knotify4
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=/usr/bin/knotify4|VSZ=396656|PID=17764|%CPU=0.0|RSS=18376|USER=root
    15649 root 0.0 2368 108956 /bin/bash
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=/bin/bash|VSZ=108956|PID=15649|%CPU=0.0|RSS=2368|USER=root
    15646 root 0.0 29504 493824 konsole
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=konsole|VSZ=493824|PID=15646|%CPU=0.0|RSS=29504|USER=root
    3288 root 0.0 528 4064 /sbin/mingetty /dev/tty2
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/mingetty|VSZ=4064|PID=3288|%CPU=0.0|RSS=528|USER=root
    3251 root 0.0 3932 144556 /bin/rscd
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=/bin/rscd|VSZ=144556|PID=3251|%CPU=0.0|RSS=3932|USER=root
    1611 root 0.0 636 9120 /sbin/dhclient
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/dhclient|VSZ=9120|PID=1611|%CPU=0.0|RSS=636|USER=root
    705 root 0.0 0 0 [vmmemctl]
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=[vmmemctl]|VSZ=0|PID=705|%CPU=0.0|RSS=0|USER=root
    418 root 0.0 416 10944 /sbin/udevd -d
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/udevd|VSZ=10944|PID=418|%CPU=0.0|RSS=416|USER=root
    4 root 0.0 0 0 [ksoftirqd/0]
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=[ksoftirqd/0]|VSZ=0|PID=4|%CPU=0.0|RSS=0|USER=root
    1 root 0.0 1416 19364 /sbin/init
    HOST=myhost |COLLECTOR_NAME=up_table |CMD=/sbin/init|VSZ=19364|PID=1|%CPU=0.0|RSS=1416|USER=root

    Back to examples ↑

    table with fields

    In this example, you use the command to extract the PID, USER, %CPU, and CMD fields.

    Command

    ... | table fields PID USER %CPU CMD

    Output

    22227 root 0.3 149836 1861804 itda_database
    HOST=myhost |COLLECTOR_NAME=up_table |PID=22227|USER=root|%CPU=0.3|CMD=itda_database
    22225 root 2.4 761484 2765776 itda_server
    HOST=myhost |COLLECTOR_NAME=up_table |PID=22225|USER=root|%CPU=2.4|CMD=itda_server
    22222 root 1.0 578668 2284768 itda_station
    HOST=myhost |COLLECTOR_NAME=up_table |PID=22222|USER=root|%CPU=1.0|CMD=itda_station
    22220 root 1.3 1433560 2444112 itda_indexer
    HOST=myhost |COLLECTOR_NAME=up_table |PID=22220|USER=root|%CPU=1.3|CMD=itda_indexer
    17764 root 0.0 18376 396656 /usr/bin/knotify4
    HOST=myhost |COLLECTOR_NAME=up_table |PID=17764|USER=root|%CPU=0.0|CMD=/usr/bin/knotify4
    15649 root 0.0 2368 108956 /bin/bash
    HOST=myhost |COLLECTOR_NAME=up_table |PID=15649|USER=root|%CPU=0.0|CMD=/bin/bash
    15646 root 0.0 29504 493824 konsole
    HOST=myhost |COLLECTOR_NAME=up_table |PID=15646|USER=root|%CPU=0.0|CMD=konsole
    3288 root 0.0 528 4064 /sbin/mingetty /dev/tty2
    HOST=myhost |COLLECTOR_NAME=up_table |PID=3288|USER=root|%CPU=0.0|CMD=/sbin/mingetty
    3251 root 0.0 3932 144556 /bin/rscd
    HOST=myhost |COLLECTOR_NAME=up_table |PID=3251|USER=root|%CPU=0.0|CMD=/bin/rscd
    1611 root 0.0 636 9120 /sbin/dhclient
    HOST=myhost |COLLECTOR_NAME=up_table |PID=1611|USER=root|%CPU=0.0|CMD=/sbin/dhclient
    705 root 0.0 0 0 [vmmemctl]
    HOST=myhost |COLLECTOR_NAME=up_table |PID=705|USER=root|%CPU=0.0|CMD=[vmmemctl]
    418 root 0.0 416 10944 /sbin/udevd -d
    HOST=myhost |COLLECTOR_NAME=up_table |PID=418|USER=root|%CPU=0.0|CMD=/sbin/udevd
    4 root 0.0 0 0 [ksoftirqd/0]
    HOST=myhost |COLLECTOR_NAME=up_table |PID=4|USER=root|%CPU=0.0|CMD=[ksoftirqd/0]
    1 root 0.0 1416 19364 /sbin/init
    HOST=myhost |COLLECTOR_NAME=up_table |PID=1|USER=root|%CPU=0.0|CMD=/sbin/init

    Back to examples ↑

    table with fields and filter

    In this example, you use the command to extract the PID, USER, %CPU, and CMD fields when the fields occur in records that contain itda.

    Command

    ... | table fields PID USER %CPU CMD filter itda

    Output

    22227 root 0.3 149836 1861804 itda_database
    HOST=myhost |COLLECTOR_NAME=up_table|PID=22227|USER=root|%CPU=0.3|CMD=itda_database
    22225 root 2.4 761484 2765776 itda_server
    HOST=myhost |COLLECTOR_NAME=up_table|PID=22225|USER=root|%CPU=2.4|CMD=itda_server
    22222 root 1.0 578668 2284768 itda_station
    HOST=myhost |COLLECTOR_NAME=up_table|PID=22222|USER=root|%CPU=1.0|CMD=itda_station
    22220 root 1.3 1433560 2444112 itda_indexer
    HOST=myhost |COLLECTOR_NAME=up_table|PID=22220|USER=root|%CPU=1.3|CMD=itda_indexer

    Back to examples ↑

    Notes

    • For this command to produce the desired results, the data must contain rows that are separated by a new-line separator (\n).
    • The command assumes that columns in the data are separated by a space character ( ).
    • If data entries that appear in the columns contain a space character ( ), the command might not function properly.
    • If a column name in the event data contains a space, each word in the column name is treated as a separate column name.
      For example, if you have three columns in the data (HOST, Request Type, and COLLECTOR_NAME), then Request and Type are considered as separate column names, and the data under column COLLECTOR_NAME is considered to be data for column Type (leaving the column COLLECTOR_NAME with no values).

     

    © Copyright 2005-2023 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.