Evaluates an arbitrary expression as a boolean value and filters
events when the expression returns true. Not only can
Falcon LogScale make comparisons between one field and one value,
but it can also compare more fields and their respective values,
using the test() function.
Note
In test() unquoted strings are
interpreted as field names.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
expression[a] | expression | required | The expression to test. | |
[a] The parameter name | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
expressioncan be omitted; the following forms of this function are equivalent:logscale Syntaxtest("value")and:
logscale Syntaxtest(expression="value")These examples show basic structure only.
Hide negatable operation for this function
Negatable Function OperationThis function is negatable, implying the inverse of the result. For example:
logscale Syntax!test()Or:
logscale Syntaxnot test()For more information, see Negating the Result of Filter Functions.
test() Examples
The following tests if the value of the field foo is less than the value of the field bar:
test(foo < bar)This example compares a field value within the LogScale repository:
test(cputime < 7500)Click next to an example below to get the full details.
Check if Field Contains Specific Value
Check if field contains specific value using test() function
Query
test(myField == "myValue")Introduction
In this example, the test() function is used to
check if a field contains a specific value.
Step-by-Step
Starting with the source repository events.
- logscale
test(myField == "myValue")Returns all events where field myField holds the specific value myOtherField. Notice the use of double-quotes. If the string had been
test(myField == myOtherField), then it would have returned results where the fields contained the same values and not a specific value. Event Result set.
Summary and Results
The query is used to check if a field contains a specific value. The
function syntax with test() does not support fields
with space. For example, test("f o o" ==
"bar") compares the two values, not a field named
f o o.
The syntax form, myField = myValue is
the preferred method for performance reasons.
Check if Fields Contain Same Value
Search for more fields with same length using the test() function with length()
Query
test(length(userid) == length(method))Introduction
In this example, the test() function is used with
length() to search for events where the
userid field and
method field have the same
length.
Step-by-Step
Starting with the source repository events.
- logscale
test(length(userid) == length(method))Returns all events where field userid has the same length as the method field. This could for example be events with
ChadandPOST, andPeterandPATCH. Event Result set.
Summary and Results
The query is used to compare more fields and their respective values.
Compare More Fields and Filter for Specific Events
Compare more fields and filter for events that are not twice as large using a negation statement
Query
test(field1 != 2 * field2)Introduction
In this example, the test() function is used to
filter for events where the value of
field1 is not exactly twice as
large as the value in field2.
Step-by-Step
Starting with the source repository events.
- logscale
test(field1 != 2 * field2)Filters for events where the value of the field field1 is not exactly twice as large as the value in field field2.
Event Result set.
Summary and Results
The query is used to compare more fields and filter for specific events that are not of a certain size.
Compare More Fields and Their Respective Values
Compare more fields and their respective values
Query
test(field1 < field2)Introduction
In this example, the test() function is used to
check if the value of field1 is
less than the value in field2.
Step-by-Step
Starting with the source repository events.
- logscale
test(field1 < field2)Evaluates if the value of the field field1 is less than the value in field field2.
Event Result set.
Summary and Results
The query is used to compare more fields and their respective values.
Evaluate Arbitrary Expression as Boolean Value
Evaluate an arbitrary expression as a boolean value and filter events when expression returns true
Query
test(foo < bar)Introduction
In this example, the test() function evaluates the
arbitrary expression < as a
boolean value (true/false) and filters events when the expression
returns true.
Step-by-Step
Starting with the source repository events.
- logscale
test(foo < bar)Evaluates if the value of the field foo is less than the value of the field bar.
Event Result set.
Summary and Results
The query is used to evaluate arbitrary expressions as boolean values in
a query. This is used to filter events where the expression returns
true. The difference between using the test()
function instead of the match() function is that
test() returns a boolean value and
match() returns a string.
Evaluate Arbitrary Field Values for CPU Time Within Repository
Evaluate and compare field values for CPU time within a repository
Query
test(cputime < 7500)Introduction
In this example, the test() function evaluates the
arbitrary expression < as a
boolean value (true/false) and filters events when the expression
returns true.
Step-by-Step
Starting with the source repository events.
- logscale
test(cputime < 7500)Evaluates if the value of the field cputime is less than the value
7500in a repository. Event Result set.
Summary and Results
The query is used to evaluate arbitrary expressions as boolean values in
a query. This is used to filter events where the expression returns
true. The difference between using the test()
function instead of the match() function is that
test() returns a boolean value and
match() returns a string. Searching for CPU times
is useful when troubleshooting performance issues in a system.
Evaluate Field Values Within Repository
Compare field values within the Falcon LogScale repository
Query
test(cputime < 7500)Introduction
In this example, the test() function evaluates the
arbitrary expression < as a
boolean value (true/false) and filters events when the expression
returns true.
Step-by-Step
Starting with the source repository events.
- logscale
test(cputime < 7500)Evaluates if the value of the field cputime is less than
7500. Event Result set.
Summary and Results
The query is used to compare a field value within the Falcon LogScale repository.
Search Relative Time to Query Execution
Writing a query that is executed against a time range relative to when the query is executed
Query
test(@timestamp < (start() + (30*24*60*60*1000)))Introduction
The start() can be used in a query that
executes against a time range relative to when the query is
executed.
Step-by-Step
Starting with the source repository events.
- logscale
test(@timestamp < (start() + (30*24*60*60*1000)))Tests whether the @timestamp for an event is less than the start time of the query. The query start time is returned by the
start()function. To work out the relative time, we add the explicit number of milliseconds by calculating the number of milliseconds in the specified number of days, in this case, 30. Event Result set.
Summary and Results
The query is a practical way of querying with a relative time from the query execution. The 30 days (and calculation) used in the example could be updated with any time calculation to achieve the required result.