Which are the boolean operators that can be used by the eval command? Select all that apply.

AND, OR, NOT (written in uppercase; eval expressions also accept XOR)

Which eval function is used in each of the following search strings?

Search string #1 (only the case() branches survive in the source; the start of the search and its first test are lost)

... | eval ... = case(..., "1 Very Safe",
x_wbrs_score >= 3, "2 Safe",
x_wbrs_score >= 0, "3 Neutral",
x_wbrs_score >= -5, "4 Dangerous",
x_wbrs_score < -5, "5 Very Dangerous")

Search string #2

index=sales sourcetype=vendor_sales
| eval SalesTerritory =
if((VendorID >= 7000 AND VendorID < 8000), "Asia", "Rest of the World")

1. case function
2. if function
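The two search strings above rely on one property of case() that the flashcards do not spell out: branches are tested in order and the first true test wins, so thresholds must be listed from strictest to loosest. The following is an added Python model of that behaviour (not code from the original page or from Splunk) run over constructed events. The field names x_wbrs_score and VendorID come from the search strings; the sample values are made up, and the first threshold (>= 5) is an assumption, since that branch is garbled in the source.

```python
# Added example: a Python model of the SPL eval functions case() and if(),
# exercised with constructed events. Not Splunk code.
from typing import Any, List, Optional


def spl_case(*pairs: Any) -> Optional[Any]:
    """case(X1, "Y1", X2, "Y2", ...): value of the FIRST true X, else null."""
    if len(pairs) % 2:
        raise ValueError("case() needs condition/value pairs")
    for cond, value in zip(pairs[::2], pairs[1::2]):
        if cond:
            return value
    return None  # SPL null: no branch matched


def spl_if(cond: Any, yes: Any, no: Any) -> Any:
    """if(X, Y, Z): Y when X is true, otherwise Z."""
    return yes if cond else no


# Search string #1, ordered from highest score to lowest (">= 5" is assumed):
#   | eval ... = case(x_wbrs_score >= 5, "1 Very Safe", x_wbrs_score >= 3, "2 Safe", ...)
def wbrs_reputation(score: Optional[float]) -> Optional[str]:
    if score is None:  # null score: every comparison is false, so case() yields null
        return None
    return spl_case(
        score >= 5, "1 Very Safe",
        score >= 3, "2 Safe",
        score >= 0, "3 Neutral",
        score >= -5, "4 Dangerous",
        score < -5, "5 Very Dangerous",
    )


# Same thresholds listed loosest-first: ">= -5" now catches almost every score,
# so a score of 9 is labelled "4 Dangerous". This is the ordering mistake to
# look for when reviewing a case() inside a detection search.
def wbrs_reputation_misordered(score: float) -> Optional[str]:
    return spl_case(
        score >= -5, "4 Dangerous",
        score >= 0, "3 Neutral",
        score >= 3, "2 Safe",
        score >= 5, "1 Very Safe",
        score < -5, "5 Very Dangerous",
    )


# Search string #2:
#   | eval SalesTerritory = if((VendorID >= 7000 AND VendorID < 8000), "Asia", "Rest of the World")
def sales_territory(vendor_id: int) -> str:
    return spl_if(7000 <= vendor_id < 8000, "Asia", "Rest of the World")


# Constructed events, not real data.
SAMPLE_EVENTS: List[dict] = [
    {"x_wbrs_score": 9.2, "VendorID": 7021},
    {"x_wbrs_score": 3.0, "VendorID": 8000},
    {"x_wbrs_score": -0.5, "VendorID": 6999},
    {"x_wbrs_score": -7.0, "VendorID": 7999},
    {"x_wbrs_score": None, "VendorID": 1234},
]


def classify(events: List[dict]) -> List[dict]:
    """Apply both eval expressions to every event, as the two searches would."""
    return [
        {**e,
         "reputation": wbrs_reputation(e["x_wbrs_score"]),
         "SalesTerritory": sales_territory(e["VendorID"])}
        for e in events
    ]


if __name__ == "__main__":
    for row in classify(SAMPLE_EVENTS):
        print(row)
```

A score of -0.5 lands in "4 Dangerous" rather than "3 Neutral" because the ">= 0" test fails before the ">= -5" test is reached; that is the intended behaviour of the ordered thresholds, and the misordered variant shows what happens when the order is reversed.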

The _____ command calculates an expression and puts the resulting value into a search results field.

eval

Unlike the eval command (which calculates an expression and puts the resulting value into a search results field), the eval "____" counts the number of events that have a specific field value when it is wrapped inside a stats count.

What function must be used along with the eval "____"?

Note: Same answers for the blank spaces.

function
count

True or False. Field values ARE case sensitive when using the eval "FUNCTION."

True

Which command is described below? The "search" command, or the "where" command?

1. Can be used at any point in the search pipeline
2. Allows searching on keywords
3. Treats field values in a "case insensitive" manner

search

Is the "search" command, or the "where" command being described below?

1. Functions are available, such as isnotnull()
2. Can't appear before the first pipe in the search pipeline
3. Can't filter with keywords
4. Treats field values in a "case-sensitive" manner
5. Can compare values from two different fields

where

Which command is used here? Also describe what is happening?

source=job_listings | where salary > industry_average

"where" command

retrieves jobs listings and discards those whose salary is not greater than the industry average

When using the "like" operator with the "where" command, you must use "_" for __ character and "%" for _____ characters.

Note: The blank spaces should be filled with quantities (i.e. one, a couple, multiple)

one
multiple

What where command operator is being used in the following search string?

index=security sourcetype=linux_secure
| where like(user, "adm%")
| dedup user
| table user

like

When using the "where" command, use _____ to find events with an empty value for a specific field, and ____ to find events that contain a non-empty value for a particular field. On the other hand, _____ should be used to replace null values in fields.

a. fillnull
b. isnull
c. isnotnull

b. isnull
c. isnotnull
a. fillnull
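The cards above on like(), search versus where case sensitivity, and isnull/isnotnull/fillnull describe behaviour that is easy to get wrong in a detection search (a "_" that was meant as a literal underscore, or a filter that silently drops events with a missing field). The following is an added Python model of those semantics (not code from the original page or from Splunk), run over constructed linux_secure-style events; the user and src field names and the sample values are made up.

```python
# Added example: Python model of SPL like(), isnull()/isnotnull(), fillnull, and the
# case-sensitivity difference between the search and where commands. Not Splunk code.
import re
from typing import Dict, List, Optional

Event = Dict[str, Optional[str]]


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """SPL like(): "_" matches exactly one character, "%" matches any run of
    characters, everything else is literal (so a "." in the pattern is escaped)."""
    parts = []
    for ch in pattern:
        if ch == "_":
            parts.append(".")
        elif ch == "%":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def spl_like(value: Optional[str], pattern: str) -> bool:
    """where is case-sensitive: like(user, "adm%") matches "admin", not "Admin"."""
    return value is not None and like_to_regex(pattern).match(value) is not None


def search_field_equals(value: Optional[str], wanted: str) -> bool:
    """The search command compares field values case-insensitively."""
    return value is not None and value.lower() == wanted.lower()


def spl_isnull(value: Optional[str]) -> bool:
    return value is None


def spl_isnotnull(value: Optional[str]) -> bool:
    return value is not None


def fillnull(events: List[Event], value: str, fields: List[str]) -> List[Event]:
    """| fillnull value="nada" <fields>: put the literal into every missing field."""
    out = []
    for e in events:
        e2 = dict(e)  # do not mutate the input events
        for f in fields:
            if e2.get(f) is None:
                e2[f] = value
        out.append(e2)
    return out


# Constructed events, not real log data.
SAMPLE_EVENTS: List[Event] = [
    {"user": "admin", "src": "10.0.0.5"},
    {"user": "Admin", "src": "10.0.0.6"},
    {"user": "adm_backup", "src": None},
    {"user": "root", "src": "10.0.0.7"},
    {"user": None, "src": "10.0.0.8"},
]


def where_like_users(events: List[Event], pattern: str) -> List[str]:
    """index=security sourcetype=linux_secure
       | where like(user, "<pattern>") | dedup user | table user"""
    seen: List[str] = []
    for e in events:
        user = e.get("user")
        if spl_like(user, pattern) and user not in seen:
            seen.append(user)  # dedup keeps the first occurrence
    return seen


def events_with_null(events: List[Event], field: str) -> int:
    """| where isnull(<field>) | stats count"""
    return sum(1 for e in events if spl_isnull(e.get(field)))


if __name__ == "__main__":
    print(where_like_users(SAMPLE_EVENTS, "adm%"))   # admin, adm_backup (not Admin)
    print(where_like_users(SAMPLE_EVENTS, "adm_"))   # empty: "_" is exactly one character
    print(events_with_null(SAMPLE_EVENTS, "src"))
    print(fillnull(SAMPLE_EVENTS, "nada", ["user", "src"]))
```

Note that "adm_" matches nothing here: it requires a four-character value, so a reviewer who meant "adm_%" (literal prefix followed by anything) has written a pattern that quietly finds no events.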

Create a new field called velocity in each event. Calculate the velocity by dividing the values in the distance field by the values in the time field.

a. |eval {velocity} = Value, distance OVER time

b. |eval velocity=distance/time

c. |eval velocity=split(distance,time)

b. |eval velocity=distance/time

If you use the following eval command with the round() function, select a possible result:

|eval bandwidth
= round(Bytes/pow(1024,2), 2)

a. 28
b. 124.032
c. 273.02

c. 273.02

The eval command supports comparison and conditional functions. Select all that apply.

a. case(X1,"Y1",X2,"Y2",…)
b. if(X,Y,Z)
c. like(TEXT,PATTERN)
d. tostring(X,Y)

a. case(X1,"Y1",X2,"Y2",…)
b. if(X,Y,Z)
c. like(TEXT,PATTERN)

(tostring is a conversion function, not a comparison or conditional one.)

If you want to use the fillnull command and show a specific text, which syntax would be correct?

a. | fillnull value="nada"
b. | fillnull NULL=nada
c. | fillnull 0 as nada

a. | fillnull value="nada"

The ____ command groups related events that meet various constraints. The events are grouped into ____, which are collections of events, possibly from multiple sources.

Note: Same answer for both blank spaces.

transaction

The following are common ____ that are used when the transaction command is used:

maxspan
maxpause
startswith
endswith

constraints

What command would you use at any point in the search pipeline to filter the transactions created by the transaction command?

search command

The transaction command produces two fields:

1. ____: difference between the timestamps for the first and last events in the transaction.

2. ____: number of events in the transaction.

duration
eventcount

When using the transaction command, you can define a max overall time span and max gap between events.

Which definition describes maxspan, and which describes maxpause?

_____ is the maximum total time between events

_____ is the maximum total time between the
earliest and latest events

maxpause
maxspan

What would the following indicate in a search where the transaction command is used?

maxspan=5m

Within each transaction, the time between its first and last event must be no more than 5 minutes; an event that would stretch a transaction past 5 minutes starts a new one. The limit applies per transaction, not to all transactions combined.

To form transactions based on terms, field values, or evaluations, use ____ and ___ options. For example, if you were determining how long it took for customers to complete a purchase online over the last 24 hours you might want the FIRST event in your transactions to include "addtocart" and the LAST event to include "purchase."

startswith
endswith
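The cards above state what maxspan, maxpause, startswith and endswith do and which fields a transaction gets, but not how the constraints interact. The following is an added Python model of that grouping logic (not code from the original page or from Splunk), run over constructed web-shop events with an invented JSESSIONID field and epoch-second timestamps. It is a simplification: real transaction eviction and the keepevicted option are not modelled, and every group is emitted.

```python
# Added example: Python model of how the transaction command groups events under
# maxspan, maxpause, startswith and endswith, producing duration and eventcount.
# Not Splunk code; constructed events.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class Transaction:
    events: List[Event] = field(default_factory=list)

    @property
    def duration(self) -> float:
        """Difference between the timestamps of the first and last event."""
        return float(self.events[-1]["_time"]) - float(self.events[0]["_time"])

    @property
    def eventcount(self) -> int:
        return len(self.events)


def transaction(
    events: List[Event],
    by: str,
    maxspan: Optional[float] = None,
    maxpause: Optional[float] = None,
    startswith: Optional[Callable[[Event], bool]] = None,
    endswith: Optional[Callable[[Event], bool]] = None,
) -> List[Transaction]:
    """Group events that share the `by` field, splitting when a constraint breaks."""
    open_txns: Dict[object, Transaction] = {}
    closed: List[Transaction] = []

    def close(key: object) -> None:
        txn = open_txns.pop(key, None)
        if txn is not None:
            closed.append(txn)

    for ev in sorted(events, key=lambda e: float(e["_time"])):
        key = ev.get(by)
        if key is None:
            continue  # no grouping value: the event cannot join any transaction
        current = open_txns.get(key)
        if current is not None:
            first_t = float(current.events[0]["_time"])
            last_t = float(current.events[-1]["_time"])
            t = float(ev["_time"])
            # maxpause: gap between consecutive events; maxspan: first-to-last span;
            # startswith: a new start event always opens a fresh transaction.
            if ((maxpause is not None and t - last_t > maxpause)
                    or (maxspan is not None and t - first_t > maxspan)
                    or (startswith is not None and startswith(ev))):
                close(key)
                current = None
        if current is None:
            # with startswith set, events seen before a start event are dropped
            if startswith is not None and not startswith(ev):
                continue
            current = open_txns[key] = Transaction()
        current.events.append(ev)
        if endswith is not None and endswith(ev):
            close(key)  # the end event is included, then the transaction is complete
    closed.extend(open_txns.values())  # still open at end of data: emitted as-is
    return closed


# Constructed events: session S2 pauses for 695 s between cart and purchase.
SAMPLE_EVENTS: List[Event] = [
    {"_time": 1000, "JSESSIONID": "S1", "action": "view"},
    {"_time": 1010, "JSESSIONID": "S1", "action": "addtocart"},
    {"_time": 1050, "JSESSIONID": "S1", "action": "purchase"},
    {"_time": 1060, "JSESSIONID": "S1", "action": "view"},
    {"_time": 1005, "JSESSIONID": "S2", "action": "addtocart"},
    {"_time": 1700, "JSESSIONID": "S2", "action": "purchase"},
]


def purchase_funnel(events: List[Event], maxspan: float = 600) -> List[Transaction]:
    """| transaction JSESSIONID startswith="addtocart" endswith="purchase" maxspan=10m"""
    return transaction(
        events, by="JSESSIONID", maxspan=maxspan,
        startswith=lambda e: e["action"] == "addtocart",
        endswith=lambda e: e["action"] == "purchase",
    )


if __name__ == "__main__":
    for txn in purchase_funnel(SAMPLE_EVENTS):
        print(txn.events[0]["JSESSIONID"], txn.eventcount, txn.duration)
```

With maxspan=600 the S2 purchase arrives 695 s after the cart event, so it cannot join that transaction, and because it is not a start event it is dropped; raising maxspan to an hour joins the two and gives a duration of 695. The "view" events never appear in the funnel at all, which is the effect of startswith/endswith the card describes.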

_____ can be useful when a single event does not provide enough information.

transactions

True or False. You can use statistics and transforming commands with transactions.

True

When you have a choice, would you use the transaction or stats command? Why?

stats
it's more efficient

Which of the following definitions describe the stats command? Which definition describes the transaction command?

The ____ command when you:
• Need to see events correlated together
• Must define event grouping based on start/end values or segment on time

The ____ command when you:
• Want to see the results of a calculation
• Can group events based on a field value [e.g., by src_ip]

transaction
stats

There is a limit of ____ events when using the ____ command. However there is no limit when using the ____ command.

Note:
first blank: #
second and third blanks: pick transaction or stats

1,000
transaction
stats

What’s the maximum number of events that can be grouped per transaction?

a. 100 events
b. 1,000 events
c. 10,000 events

b. 1,000 events

What are the options that can be used to constrain transactions? Select all that apply.

a. startswith
b. endswith
c. maxspan
d. maxpause

a. startswith
b. endswith
c. maxspan
d. maxpause

(maxspan and maxpause constrain by time; startswith and endswith constrain by the first and last event.)

Which fields are created by the transaction command? Select all that apply.

a. duration
b. memcontrol
c. eventcount
d. txn_definitions

a. duration
c. eventcount

What are tools you use to discover and analyze various aspects of your data?

knowledge objects

Data interpretation, data classification, data enrichment, normalization and data sets are all different types of what?

knowledge objects

Which knowledge object deals with fields and field extractions?

a. data classification
b. data sets
c. data interpretation
d. data enrichment

c. data interpretation

Which knowledge object deals with event types?

a. data classification
b. data sets
c. data interpretation
d. data enrichment

a. data classification

This type of knowledge object consists of lookups and workflow actions.

a. data classification
b. data sets
c. data interpretation
d. data enrichment

d. data enrichment

This type of knowledge object deals with tags and field aliases.

a. data classification
b. data sets
c. data interpretation
d. data enrichment
e. normalization

e. normalization

This type of knowledge object contains data models.

a. data classification
b. data sets
c. data interpretation
d. data enrichment
e. normalization

b. data sets

____ ___ are also persistent objects that can be used by multiple people or apps, such as macros and reports.

knowledge objects

A Knowledge Object Manager could be any of the 3 Splunk roles, but a person usually has to at least be a ______.

a. user
b. admin
c. power user

c. power user

Select all knowledge objects.

a. lookups
b. field aliases
c. users
d. workflow actions

a. lookups
b. field aliases
d. workflow actions

Splunk knowledge objects are persistent objects that can be used by multiple ________. Select all that apply.

a. users
b. apps
c. searches

a. users
b. apps

Search-time operations are always applied in the same order when generating knowledge objects. Use the following information to put search time operation in the correct order.

a. Lookups
b. Calculated fields
c. Tags
d. Extractions
e. Field aliases
f. Event types

d. Extractions
e. Field aliases
b. Calculated fields
a. Lookups
f. Event types
c. Tags

Field aliases are applied after __________, before ___________. Select all that apply.

a. lookups, field extractions
b. field extractions, lookups
c. field extractions, tags

b. field extractions, lookups
c. field extractions, tags

Prior to search time in Splunk, some fields are already stored with the event in the index. ____ fields, such as host, source, and sourcetype, and ____ fields such as _time and _raw are those fields. However at search time, ____ _____extracts fields from raw event data,
including those directly related to the search’s results. Use the following answers to fill in the blanks.

a. internal
b. field discovery
c. meta

c. meta
a. internal
b. field discovery

In addition to the many fields Splunk auto-extracts, you can also extract your own fields with the ____ ____ (FX).

Field Extractor

You can use ___ __ to extract fields that are static and that you use often in searches.

Field Extractor

You can extract fields in FX from events using ____ and ____.

regex, delimiter

There are two extraction methods in Splunk. The first, ____, is used when your event contains unstructured data like a system log file. The second, ____, is used when your event contains structured data like a .csv file.

regex, delimiter

You would use _____ field extractions when a consistently structured log has values that are separated by spaces, commas, or characters.

delimited

Use _________ field extractions when fields are separated by spaces, commas, or characters.

a. delimited
b. regex
c. rename

a. delimited

There are three ways to get to the Field Extractor (FX). Select all that apply.

a. Event Actions menu
b. Fields sidebar
c. Settings menu
d. Auto-Extract Fields Workflow

a. Event Actions menu
b. Fields sidebar
c. Settings menu

Use ___ ____ to extract fields that are static and that you use often in searches including:

-Graphical UI
-Extract fields from events using regex or delimiter
-Extracted fields persist as knowledge objects
-Can be shared and re-used in multiple searches

Field Extractor

When using regex for field extraction, what's the first thing you have to do in the Field Extractor?

a. Select a value to extract
b. Provide a Field Name
c. Edit the regular expression
d. Set the Extractions Name

a. Select a value to extract

____ ___ are a way to associate an additional (new) name with an existing field name, like a nickname (possibly for normalization purposes), and are evaluated by the search parser after field extractions, before ____.

field aliases
lookups

Many source types contain some type of user name. In order to make data correlation and searching easier, you can normalize the username field by using a ____ ____.

field alias

Put the following steps for creating a field alias in Splunk in sequential order:

a. Fields
b. New Field Alias
c. Settings
d. Field Aliases

c. Settings
a. Fields
d. Field Aliases
b. New Field Alias

True or False. A new field alias is required for each sourcetype.

True

True or False. When you create a field alias, the original field IS affected.

False. The original field is not affected.

True or False. When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least 20% of events.

True

When you create a field alias, both fields appear in the all fields and Interesting Fields lists, if they appear in at least ____% of events.

20%

After you have defined your field aliases, you can reference them in a ____ table.

lookup

____ fields are shortcuts for performing repetitive, long, or complex transformations using the eval command. ____ fields must be based on an extracted field.

Note: Answer for both blanks are the same.

calculated

When you create a field alias, the default behavior is that the original field is:

a. overwritten
b. not affected
c. cached

b. not affected

When you create a calculated field, the field in the expression must be __________.

a. an extracted field
b. a lookup table
c. field/column generated from within

a. an extracted field

____ fields reference field aliases. ___ ____ are created to rename an existing field extraction.

calculated fields, field aliases

Can you, or can't you do the following?

1. Create a field alias that references a calculated field
2. Create a calculated field that references a field added through a lookup operation

you CAN'T
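The search-time operation order listed earlier (extraction, field alias, calculated field, lookup, event type, tag) is the reason behind the two "you can't" answers above: a calculated field runs before lookups, so a lookup-added field does not exist yet when the eval expression is evaluated. The following is an added Python model of that pipeline over one constructed raw event (not code from the original page or from Splunk); the regex, the field names, the lookup table, the event types and the tags are all made up for the illustration.

```python
# Added example: Python model of Splunk's search-time operation order applied to a
# constructed event. Not Splunk code; all field names and tables are invented.
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

# 1. Field extraction: a regex with named groups, as the Field Extractor generates.
EXTRACTION = re.compile(
    r"user=(?P<username>\S+)\s+src=(?P<src_ip>\S+)\s+bytes=(?P<bytes>\d+)"
)

# 2. Field alias: new name -> existing extracted field (the original is untouched).
FIELD_ALIASES = {"user": "username"}


# 3. Calculated fields: eval expressions over extracted fields and aliases only.
def calc_megabytes(e: Event) -> Optional[float]:
    return round(int(str(e["bytes"])) / (1024 ** 2), 2) if "bytes" in e else None


def calc_user_lower(e: Event) -> Optional[str]:
    # references the alias "user"; legal because aliases run before calculated fields
    return str(e["user"]).lower() if "user" in e else None


CALCULATED: Dict[str, Callable[[Event], object]] = {
    "megabytes": calc_megabytes,
    "user_lower": calc_user_lower,
}

# 4. Lookup: enrich src_ip with a site name from a constructed CSV-style table.
LOOKUP_TABLE = {"10.0.0.5": "hq", "10.0.0.9": "branch"}

# 5. Event types and 6. tags run last, so they may use everything added above.
EVENT_TYPES: Dict[str, Callable[[Event], bool]] = {
    "large_transfer": lambda e: float(str(e.get("megabytes", 0))) > 1,
    "hq_traffic": lambda e: e.get("site") == "hq",
}
TAGS: Dict[str, List[str]] = {  # tag -> field=value pairs it labels
    "exfil_candidate": ["eventtype=large_transfer"],
    "homeoffice": ["site=hq"],
}


def search_time_pipeline(raw: str) -> Event:
    """Run the six search-time operations, in Splunk's fixed order, on one event."""
    e: Event = {"_raw": raw}
    m = EXTRACTION.search(raw)
    if m:
        e.update(m.groupdict())
    for alias, original in FIELD_ALIASES.items():
        if original in e:
            e[alias] = e[original]
    for name, fn in CALCULATED.items():
        v = fn(e)
        if v is not None:
            e[name] = v
    # A calculated field that wanted "site" here would see nothing: the lookup
    # has not run yet. That is the restriction quoted on the page.
    if e.get("src_ip") in LOOKUP_TABLE:
        e["site"] = LOOKUP_TABLE[str(e["src_ip"])]
    e["eventtype"] = [name for name, test in EVENT_TYPES.items() if test(e)]
    tags: List[str] = []
    for tag, pairs in TAGS.items():
        for pair in pairs:
            f, _, v = pair.partition("=")
            val = e.get(f)
            if val == v or (isinstance(val, list) and v in val):
                tags.append(tag)
    e["tag"] = sorted(set(tags))
    return e


# Constructed raw event, not real log data.
SAMPLE_RAW = "2024-05-01T10:00:00Z user=Alice src=10.0.0.5 bytes=2097152 action=upload"

if __name__ == "__main__":
    for k, v in search_time_pipeline(SAMPLE_RAW).items():
        print(f"{k}={v}")
```

Reordering the stages (for example, computing calculated fields after the lookup) would let user_lower-style expressions use the site field, which is exactly what Splunk does not allow; keeping the model in Splunk's order is what makes the "you can't" answers above visible.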

A ___ is a knowledge object that enables you to search for events that contain specific field/value combinations. They are like labels that you create for field/value pairs, and make your data more understandable and less ambiguous.

tag

Are tags case sensitive or case insensitive?

case sensitive

To search for a tag associated with a value you would type:

a. =
b. Use the * wildcard
c. tag=<tagname>

c. tag=<tagname>

To search for a tag associated with a value on a specific field you would type:

a. tag::<field>=<tagname>
b. Use the * wildcard
c. tag=<tagname>

a. tag::<field>=<tagname>

To search for a tag using a partial field value you would:

a. =
b. Use the * wildcard
c. tag=<tagname>

b. Use the * wildcard

In order to manage tags (such as edit permissions and disable all tags for pairs) you would use the _____ ___ ____ ___ ____ menu.

Note: Answer contains 5 words.

List by Field Value Pair

How would you change a tag name?

a. by editing permissions
b. by first clicking on the field value pair
c. by typing "tag="

b. by first clicking on the field value pair

An ___ type is a method of categorizing events based on a search.

event

Can event types be tagged?

Yes, to group similar type of events

What do you use to create event types?

Event Type Builder

These are the two ways that you can ____ event types:

1. Settings > Event types
2. Event details > Actions

tag

___ ____categorize events based on a search string.

Event types

If you tag the field value of your home office’s IP address as ‘homeoffice’, what events are returned when you search for tag=homeoffice?

a. events with that IP address
b. events from _internal
c. field lookup table

a. events with that IP address

To search for a tag associated with a value on a specific field, select the correct search string.

a. tag::user=privileged
b. tag=user==privileged
c. tag=user::privileged

a. tag::user=privileged

Which of the following are ways you can create an event type. Select all that apply.

a. Settings > Event types
b. Run a search, and save as Event Type
c. From event details, select Event Actions > Build Event Type

a. Settings > Event types
b. Run a search, and save as Event Type
c. From event details, select Event Actions > Build Event Type

_____ are useful when you frequently run searches or reports with similar search syntax, and can be a full search string or a portion of a search that can be reused in multiple places.

macros

In order to use a basic macro, you need to do the following:

1. Type the macro name into the search bar
2. Surround the macro name with the ______ (or grave accent) character... NOT single quotes

backtick

monthly_sales(3)

The Splunker that typed the above is trying to add an argument to a macro. What have they done first in order to get the process started?

added the number of arguments in parentheses after the macro name

Within a search, macro _____ should look like the following examples:

$currency$
[which would be the argument for currency]

$symbol$
[which would be the argument for symbol]

$rate$
[which would be the argument for rate]

arguments

When using a macro with arguments, you have to include the argument(s) in _____ following the macro name and list them in the EXACT SAME order that you listed them when creating the macro.
parentheses

When working with macros, the time range is _____________.

a. Always set to Last 24 hours
b. Selected at search time
c. Always set to All time

b. Selected at search time

When adding arguments to a macro, include the number of arguments in _____________.

a. Parentheses after the macro name
b. Parentheses before the macro name
c. Dollar signs within the search definition

a. Parentheses after the macro name

Surround the macro name with the _______ when executing a macro.

a. Dollar signs
b. Backtick character
c. Single quote character

b. Backtick character

You can execute ____ ____ from an event or field in your search results to interact with external resources or run another search.

workflow actions

______ workflow actions retrieve information from an external resource.

a. POST
b. GET
c. Search

b. GET

______ workflow actions send field values to an external resource.

a. POST
b. GET
c. Search

a. POST

______ workflow actions use field values to perform a secondary search.

a. POST
b. GET
c. Search

c. Search

Do GET workflow actions have spaces or special characters?

No

In order to create GET and POST workflow actions, you have to enter the _____ (this is an acronym) for where the user will be directed. What does the acronym stand for?

URI (Uniform Resource Identifier)

To perform a secondary search, use a _______ workflow action.

a. Search
b. POST
c. GET

a. Search

Which workflow actions require you to specify if the behavior should open in a new window or current window? Select all that apply.

a. Search
b. POST
c. GET

a. Search
b. POST
c. GET

_____ is used for creating dashboards, and its reports are based on datasets.

Pivot

Hierarchically structured datasets used in Pivot that contain searches and fields are called _____ _____ [two words]. Each event, search, or transaction is saved as a separate ______ [one word].

data models
data set

The following are the 3 types of ____ that a data model can consist of.

Events
Searches
Transactions

datasets

Which type of dataset contains constraints and fields?

a. Events
b. Transactions
c. Searches

a. Events

_____ in "event" datasets are essentially a search broken down into a hierarchy. ____ are associated with the events.

constraints
fields

Dataset fields are inherited from ____ ____.

a. data models
b. parent objects
c. root events

b. parent objects

The inherited attributes in the root event of a data model are called _____ fields.

default

You can add fields to a dataset through the auto-extracted menu, eval expression, lookup, regular expression and Geo IP. Which of the following is described below?

can be default fields or manually extracted fields...

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

b. auto-extracted

Which method of adding fields to a data set is described below?

leverage an existing lookup table...

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

a. lookup

Which method of adding fields to a data set is described below?

add geographical fields such as latitude/longitude, country, etc. ...

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

c. Geo IP

Which method of adding fields to a data set is described below?

a new field based on an expression that you define...

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

e. eval expression

Which method of adding fields to a data set is described below?

extract a new field based on regex...

a. lookup
b. auto-extracted
c. Geo IP
d. regular expression
e. eval expression

d. regular expression

This tool in the Splunk platform allows you to examine the overall stats of your search, examine how your search was processed and see where Splunk spent its time. You can use this tool to troubleshoot a search’s performance and understand impact of knowledge objects on processing.

Search Job Inspector Tool

The 3 components of the Search Job Inspector tool are [select all that apply]:

a. Header
b. Field Name
c. Execution costs
d. Search job properties
e. Tags

a. Header
c. Execution cost
d. Search job properties

This component of the Job Search Inspector tool in Splunk provides basic information, including time to run and # of events scanned.

Header

This component of the Job Search Inspector tool provides details on cost to retrieve results, such as:

command.search.index
command.search.filter
command.search.rawdata

Execution Costs

The chart and timechart commands automatically filter results to include how many of the highest values?

a. fifteen
b. ten
c. five

b. ten

After the chart and timechart commands automatically filter results to include the ten highest values, surplus values are grouped into...

a. OTHER
b. null
c. not

a. OTHER

A ____ allows you to overlay a computed moving average on a chart. An example of one of these are stock market visualizations.

trendline

____ reports are used for creating reports and dashboards. They are also based on datasets.

Pivot

___ ____ are hierarchically structured datasets containing searches and fields. Each event, search, or transaction is saved as a separate dataset.

data models

A data model can consist of 3 types of datasets. Select answers from below.

a. events
b. field values
c. searches
d. field names
e. lookups
f. transactions

a. events
c. searches
f. transactions

Which type of dataset that's used in Pivot contain constraints and fields?

a. events
b. field values
c. searches
d. field names
e. lookups
f. transactions

a. events

In data models events, ____ are search terms used to further narrow your search, while fields are associated with the events.

constraints

You can add more fields when creating a data model. There are four types of fields that you can add. Read the descriptions below and match the fields below with the correct description.

1. a new field based on an expression that you define

2. geographical fields such as latitude/longitude, country, etc.

3. default fields or manually extracted fields

4. a new field based on regex

5. leverage an existing lookup table

a. Auto-Extracted
b. Eval Expression
c. Lookup
d. Regular Expression
e. Geo IP

b. Eval Expression
e. Geo IP
a. Auto-Extracted
d. Regular Expression
c. Lookup

Which type of Pivot dataset defines a dataset based on a search that includes transforming commands?

a. event
b. field value
c. search
d. field name
e. lookup
f. transaction

c. search

Which type of Pivot dataset defines a dataset based on a transaction?

a. event
b. field value
c. search
d. field name
e. lookup
f. transaction

f. transaction

A ___ event dataset represents a set of data that is defined by a constraint: a simple search that filters out events that aren't relevant to the dataset.

root

____ views allows you to create table datasets without using SPL.

table

The Splunk ______ _____ _____ (CIM) provides a methodology to normalize data

Common Information Model

____ is leveraged when creating field extractions, field aliases, event types, and tags to ensure:

1. Multiple apps can co-exist on a single Splunk deployment

2. Object permissions can be set to global for the use of multiple apps

3. Easier and more efficient correlation of data from different sources and source types

CIM (Common Information Model)

True or False. If other apps in a Splunk environment are CIM compliant, then data is normalized across apps, making it easier to search for similar data.

True

True or False. If other apps in a Splunk environment are NOT CIM compliant, then field aliases, tags, and event types can be used to normalize data

True

The Splunk CIM Add-on has a set of ___ pre-configured data models.

Note: Answer is a number

26

The ____ should be leveraged so that knowledge objects in multiple apps can co-exist on a single Splunk deployment.

CIM or Common Information Model

What commands can be used to retrieve data from a specified data model dataset? Choose the answers below.

a. fields
b. transforming
c. from
d. datamodel

c. from
d. datamodel

The CIM ___ and ___ commands are generating commands, meaning that they have to be the first command in the pipeline.

a. fields
b. transforming
c. from
d. datamodel

c. from
d. datamodel

The Common Information Model ____ command retrieves data from a named dataset, saved search, report or lookup file.

a. from
b. datamodel

a. from

The Common Information Model ____ command allows users to examine data models and search data model datasets.

a. from
b. datamodel

b. datamodel

Select the available ways you can validate against a data model. Select all that apply.

a. | datamodel
b. Pivot
c. | transaction
d. Workflow actions

a. | datamodel

What are the primary knowledge objects the CIM includes or relies upon? Select all that apply.

a. data models
b. field aliases and tags
c. event types
d. field extractions

a. data models (the CIM add-on is a set of data models)
b. field aliases and tags
c. event types
d. field extractions

A data model can consist of the following three types of datasets. Select all that apply.

a. events
b. searches
c. Pivot reports
d. transactions

a. events
b. searches
d. transactions

To add a Root Event Dataset, what field is required to be manually added?

a. Dataset Name
b. Dataset ID
c. Duration maxpause maxspan

a. Dataset Name (the Dataset ID is filled in from the name; maxpause and maxspan belong to a root transaction dataset)

Data models contain the following. Select all that apply.

a. inherited and extracted fields
b. constraints
c. event object hierarchy

a. inherited and extracted fields
b. constraints
c. event object hierarchy

The transaction command produces additional fields such as:

_____ which is the difference between the timestamps for the first and last event in a transaction

and

_____ which is the number of events in a transaction

a. time
b. duration
c. eventcount
d. field

b. duration
c. eventcount

What command creates a single correlated event from a group of events based on the same field value?

transaction command

What are the Boolean operators that can be used by the eval command?

The Splunk search processing language (SPL) supports the Boolean operators AND, OR and NOT. The operators must be capitalized. In the search command the AND operator is implied between terms, that is: web error is the same as web AND error. In an eval expression the operators have to be written out.

What does the eval command do in Splunk?

In the simplest words, the Splunk eval command calculates an expression and puts the value into a destination field. If the destination field matches an existing field name, the value of that field is overwritten with the result of the eval expression.

Which function must be used with IN in an eval or where expression?

To use IN with the eval and where commands, you must use IN as an eval function; the Splunk documentation calls it the "in function". Its syntax and usage differ slightly from the IN operator of the search command. The in function returns TRUE if one of the values in the list matches a value in the field you specify.

How do you create a new field in Splunk using eval?

Create a calculated field from Splunk Web:
1. Select Settings > Fields.
2. Select Calculated Fields > + Add New.
3. Select the app that will use the calculated field.
4. Select host, source, or sourcetype to apply to the calculated field and specify a name.
5. Enter the name for the resultant calculated field.