Search commands

You can perform a search to troubleshoot issues by specifying a search criteria on the Search tab. Your search criteria (search string) can be composed of words, name=value pairs, fields, tags, and so on. For more information, see Searching-the-data. The search string is a set of expressions that are separated by various logical operators such as two ampersands (&&), two pipes (||), and so on. For more information, see Search string syntax.

This topic contains the following information:

Related topics

Where to find more information

Search-command-summary

Searching-the-data

Search-string-syntax

What are search commands?

Search commands are complex search strings available by default with the BMC TrueSight IT Data Analytics product. Search commands are a set of commands containing arguments and can be run on the output of a particular search that you must have already performed. You can chain a set of search commands so that the output of one search command is consumed as the input to the subsequent search command. Multiple search commands can be chained by using a pipe separator (|).

Some of the commands add fields that you can use for further processing your data. For example, when you run the group command, the following fields are automatically added in each of the records displayed:

  • duration
  • numentries
  • group_complete

For other commands such as extract or table, the additional field names are dynamic in nature and are added depending on the input specified. These fields can be used in subsequent commands added to your existing search query.

Note

These fields are virtual fields and cannot be added to the My Fields section on the Filter Pane.

Advantages of using search commands

At a high level, you can use search commands for the following purposes:

  • Performing advanced analysis on your existing search results; for example, simple or complex pattern matching
  • Simplifying your troubleshooting tasks
  • Breaking down your search results into smaller parts
  • Examining your search results from different viewpoints
  • Manipulating your search results by using functions such as filtering and grouping

Use cases

The following example use cases provide scenarios that help you better understand the value of using search commands.

Examples

Scenario 1

John has an application hosted on the cloud. The application web tier is hosted on an Apache HTTPD server, which provides information regarding all URLs accessed. This information is stored in the access.log file.

Goal: John wants to find out which browsers are most used by customers, to decide on the browsers for which support must be continued.

To find out the most used browsers, John needs to use a command that provides a total count of the URLs accessed using the various browsers. Suppose in the data that John is monitoring (access.log), there is a browser field; John can run the stats command with the count function on the browser field.

Action: Run the following search command on the log entries related to the access.log file:

COLLECTOR_NAME=access.log | stats count(browser)

Scenario 2

John wants to create a traffic-light indicator for the cpupercent field (CPU usage) in the following manner and summarize the results in a chart:

  • If CPU usage is from 0 to 5%, mark it with the value GREEN.
  • If CPU usage is from 6 to 50%, mark it with the value YELLOW.
  • If CPU usage is above 50%, mark it with the value RED.

Actions:

  1. Run the following search command to create a new range field with the value GREEN, YELLOW, or RED, depending on the value of the cpupercent field, and then change the range field to CPU_STATUS.
    COLLECTOR_NAME="script_54" | valmap field=cpupercent GREEN=0-5 YELLOW=6-50 RED=51-100 | chgname range with CPU_STATUS
  2. View the values for the CPU_STATUS field in the form of a chart, as described in Viewing the Summarization Chart.

Supported search commands

The following table provides a list of supported search commands for achieving various goals:

Tabular commands

Search commands that provide tabular output are considered as tabular commands, which include the following:

Tabular commands provide a time-series representation of data in the form of a table of statistics and a corresponding chart based on the field or fields specified.

When you run a tabular command, you can see the results summarized in the following views:

Kind of view

Icon

Description 

Tabular View

tabular view.png

Provides a tabular representation of data.

The values displayed in the table are clickable. When you click a value in the table, the tabular view is toggled to the search results view and events associated with those values are displayed.

Chart View 

 

Chart View.png 

 

Provides a graphical representation of data.

Click this view and select one of the following options to view a graphical representation of the search results.

Chart type

Click to preview

(Default) Bar

Search_commands_bar.png

Column

Search_commands_column.png

Line

Search_commands_line.png

The bars displayed in the chart are clickable. When you click a value in the table, the tabular view is toggled to the search results view and events associated with those values are displayed.

Compare View

 Chart View.png

Click this view and select one of the following time ranges to see a comparison of charts; this helps you understand how your current search results differ as compared to the selected time range.

Note: The time difference for the selected time range remains the same as the original search query that was run.

Time range

(Click to see description)

Example

Previous

(Default) Compare current chart with the chart for before the original time range.

Original: Sep 24 2014 5:16 PM - Sep 24 2014 6:16 PM GMT+05:30

Previous: Sep 24 2014 4:16 PM - Sep 24 2014 5:16 PM GMT+05:30

Next

Compare current chart with the chart for after the original time range.

Original: Sep 24 2014 5:16 PM - Sep 24 2014 6:16 PM GMT+05:30

Next: Sep 24 2014 6:16 PM - Sep 24 2014 7:16 PM GMT+05:30

Custom

Compare current chart with the chart for a custom time range.

Note: By using this option, you can only edit the start time and not the end time. This is because the time difference used to compare the original time range and the custom time range needs to be the same.

Original: Sep 24 2014 5:16 PM - Sep 24 2014 6:16 PM GMT+05:30

Custom: Sep 1 2014 5:16 PM - Sep 24 2014 6:16 PM GMT+05:30

Notes about using search commands

  • When you run a search command, if you specify a field name that does not exist, search results that do not contain the field name are not impacted.
  • If you use special characters such as double quotes (") and backslash (\) in your search syntax, you must use a backslash as an escaping character before the special character. For more information, see Escaping characters.
  • Field names are case sensitive.
  • Search commands that rely on fields work only if the specified field is present in the search results.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*