...
Search window | Activeboards |
|---|
Syntax: select `lu/lookupName/lookupColumn`lookupfield`(field) as newColumnNamenewfieldName
Query example: from demo.ecommerce.data
select `lu/IP_list/StreetAddress`(clientIpAddress) as `IP street address`
| Syntax: select lu("domainName", "lookupName", "lookupColumnlookupfield", field) as newColumnNameas newfieldName
Query example: query(from demo.ecommerce.data
select lu("demo", "IP_list", "StreetAddress", clientIpAddress) as `IP street address`)
|
...
Order operations are slightly adjusted in queries used from the search window to Activeboards or vice versa. On a general basis, both constructions work fine in both areas but each area has one of them as the default. This can create confusion because of the automatic transformations that are carried out in several processes when bringing queries from one place to the other. Here you have the preferred syntax for each of them, both to filter and create columnfield:
Search window | Activeboards |
|---|
Syntax: Create columnfield: select column field operator "value"/column field as columnNamefieldName
Filter: where column field operator "value"/column field Query example: from demo.ecommerce.data
where method = "POST"
select timeTaken >= bytesTransferred
| Syntax: Create columnfield: select operator (columnfield, "value"/columnfield) as columnNamefieldName
Filter: where operator(columnfield, "value"/columnfield) Query example: query(from demo.ecommerce.data
where eq(method, "POST")
select ge(timeTaken, bytesTransferred))
|
Related articles: Order group
Maximum (max) operations - aggregation group
When you use this operation in the Data Search to create a new field, you can add as many arguments as needed, however, the number of arguments is limited to two when used in Activeboards.
As a workaround, you can perform subsequent maximum operations until you have obtained the maximum of all the arguments you need.
Search window | Activeboards |
|---|
Syntax: Create field: select max(value1, value2, value3, value4...) as maxField
Query example:
from demo.ecommerce.data
select max(bytesTransferred, timeTaken, statusCode) as `maxField`
| Syntax: Create field: select max(value1, value2) as maxFieldA, max(maxFieldA, value3) as maxFieldB, max(maxFieldB, value4) as maxFieldC... Query example: query(from demo.ecommerce.data
select max(bytesTransferred, timeTaken) as maxFieldA, max(maxFieldA, statusCode) as maxFieldTotal)
|
Related articles: Maximum (max)
Minimum (min) operations - aggregation group
When you use this operation in the Data Search to create a new field, you can add as many arguments as needed, however, the number of arguments is limited to two when used in Activeboards.
As a workaround, you can perform subsequent minimum operations until you have obtained the minimum of all the arguments you need.
Search window | Activeboards |
|---|
Syntax: Create field: select min(value1, value2, value3, value4...) as minField Query example: from demo.ecommerce.data
select min(bytesTransferred, timeTaken, statusCode) as `minField`
| Syntax: Create field: select min(value1, value2) as minFieldA, min(minFieldA, value3) as minFieldB, min(minFieldB, value4) as minFieldC... Query example: query(from demo.ecommerce.data
select min(bytesTransferred, timeTaken) as minFieldA, min(minFieldA, statusCode) as minFieldTotal)
|
Related articles: Minimum (max)
Addition, sum, plus / Concatenation (add, +) operations - arithmetic group
When you use this operation in the Data Search, you can add as many arguments as needed (where applicable), however, the number of arguments is limited to two when used in Activeboards.
As a workaround, you can perform subsequent adding operations until you have added all the arguments you need.
Search window | Activeboards |
|---|
Syntax: Create field: select add(value1, value2, value3, value4...) as totalField Query example: from demo.ecommerce.data
select add(bytesTransferred, timeTaken, statusCode) as `totalField`
| Syntax: Create field: select add(value1, value2) as totalFieldA, add(totalFieldA, value3) as totalFieldB, add(totalFieldB, value4) as totalFieldC... Query example: query(from demo.ecommerce.data
select add(bytesTransferred, timeTaken) as totalFieldA, add(totalFieldA, statusCode) as totalFieldFinal)
|
Related articles: Addition, sum, plus / Concatenation (add, +)
Multiplication, product (mul, *) operations - arithmetic group
When you use this operation in the Data Search, you can add as many arguments as needed, however, the number of arguments is limited to two when used in Activeboards.
As a workaround, you can perform subsequent multiplication operations until you have multiplied all the arguments you need.
Search window | Activeboards |
|---|
Syntax: Create field: select mul(value1, value2, value3, value4...) as resultField Query example: from demo.ecommerce.data
select mul(bytesTransferred, timeTaken, statusCode) as `resultField`
| Syntax: Create field: select mul(value1, value2) as resultFieldA, mul(resultFieldA, value3) as resultFieldB, mul(resultFieldB, value4) as resultFieldC... Query example: query(from demo.ecommerce.data
select mul(bytesTransferred, timeTaken) as resultFieldA, mul(resultFieldA, statusCode) as resultFieldTotal)
|
Related articles: Multiplication, product (mul, *)
Collect distinct operation
...
Search window | Activeboards |
|---|
Not supported
| Syntax: select collectdistinct(columnfield) as columnNamefieldName
Query Example: query (from demo.ecommerce.data
group every 5m by method, statusCode
select collectdistinct(bytesTransferred) as distinctBytesTransferred)
|
...
When you have fields that contain sets of values as opposed to single values, this operation transforms its data type into an array to be later used to invoke one of the values inside the set. This operation can be used both to create column field and as a filter. When used to create a columnfield, the value invoked will be inserted in the new column field while as a filter it will be used as filtering criteria.
...
Search window | Activeboards |
|---|
Not supported
| Syntax: Create columnfield: select array(columnfield) [valuePosition] as columnNamefieldName
Filter: where column field operator array(columnfield) [valuePosition] Query example: query (from demo.ecommerce.data
group every 1h by method, statusCode
select collectdistinct(timeTaken) as DisTimeTaken
select array(DisTimeTaken) [1] as Array2Time
where statusCode >= array(DisTimeTaken) [1])
|
...
Search window | Activeboards |
|---|
Not supported
| Syntax: Create columnfield: select (from tag1.tag2.tag3.tag4) as columnNamefieldName
Filter: where column field in (from tag1.tag2.tag3.tag4) Query example: query(from siem.logtrust.web.activity
select ((
from siem.logtrust.web.navigation
group every - by userEmail
select count()) as inner)
select inner[username] as nav
group by username, nav)
query (from demo.ecommerce.data
where statusCode in
(from demo.ecommerce.data
where statusCode = "404"
where now()- 5m < eventdate < now()
group every - by statusCode)
select method, statusCode, eventdate)
|
...
