...
Search window | Activeboards |
|---|
Syntax: from tag1.tag2.tag3.tag4
Query example: | Code Block |
|---|
from demo.ecommerce.data |
| Syntax: query(from tag1.tag2.tag3.tag4)
Query example: | Code Block |
|---|
query(from demo.ecommerce.data) |
|
Lookup operations
Queries to use lookup operations present some particularities that make them incompatible when used from the search window to Activeboards or vice versa. The use of symbols is different and the domain name is required in one of them.
Search window | Activeboards |
|---|
Syntax: select `lu/lookupName/lookupfield`(field) as newfieldName
Query example:
| Code Block |
|---|
from demo.ecommerce.data |
select `lu/IP_list/StreetAddress`(clientIpAddress) as `IP street address` |
| Syntax: select lu("domainName", "lookupName", "lookupfield", field) as newfieldName
Query example: | Code Block |
|---|
query(from demo.ecommerce.data |
select lu("demo", "IP_list", "StreetAddress", clientIpAddress) as `IP street address`) |
|
Related article: Data enrichment
...
Search window | Activeboards |
|---|
Syntax: Create field: select field operator "value"/field as fieldName
Filter: where field operator "value"/field
Query example:
| Code Block |
|---|
from demo.ecommerce.data |
select timeTaken >= bytesTransferred |
| Syntax: Create field: select operator (field, "value"/field) as fieldName
Filter: where operator(field, "value"/field) Query example: | Code Block |
|---|
query(from demo.ecommerce.data |
select ge(timeTaken, bytesTransferred)) |
|
Related articles: Order group
...
Search window | Activeboards |
|---|
Syntax: Create field: select max(value1, value2, value3, value4...) as maxField
Query example:
| Code Block |
|---|
from demo.ecommerce.data |
select max(bytesTransferred, timeTaken, statusCode) as `maxField` |
| Syntax: Create field: select max(value1, value2) as maxFieldA, max(maxFieldA, value3) as maxFieldB, max(maxFieldB, value4) as maxFieldC... Query example: | Code Block |
|---|
query(from demo.ecommerce.data |
select max(bytesTransferred, timeTaken) as maxFieldA, max(maxFieldA, statusCode) as maxFieldTotal) |
|
Related articles: Maximum (max)
...
Search window | Activeboards |
|---|
Syntax: Create field: select min(value1, value2, value3, value4...) as minField Query example: | Code Block |
|---|
from demo.ecommerce.data |
select min(bytesTransferred, timeTaken, statusCode) as `minField` |
| Syntax: Create field: select min(value1, value2) as minFieldA, min(minFieldA, value3) as minFieldB, min(minFieldB, value4) as minFieldC... Query example: | Code Block |
|---|
query(from demo.ecommerce.data |
select min(bytesTransferred, timeTaken) as minFieldA, min(minFieldA, statusCode) as minFieldTotal) |
|
Related articles: Minimum (min)
...
Search window | Activeboards |
|---|
Syntax: Create field: select add(value1, value2, value3, value4...) as totalField Query example: | Code Block |
|---|
from demo.ecommerce.data |
select add(bytesTransferred, timeTaken, statusCode) as `totalField` |
| Syntax: Create field: select add(value1, value2) as totalFieldA, add(totalFieldA, value3) as totalFieldB, add(totalFieldB, value4) as totalFieldC... Query example: | Code Block |
|---|
query(from demo.ecommerce.data |
select add(bytesTransferred, timeTaken) as totalFieldA, add(totalFieldA, statusCode) as totalFieldFinal) |
|
Related articles: Addition, sum, plus / Concatenation (add, +)
...
Search window | Activeboards |
|---|
Syntax: Create field: select mul(value1, value2, value3, value4...) as resultField Query example: | Code Block |
|---|
from demo.ecommerce.data |
select mul(bytesTransferred, timeTaken, statusCode) as `resultField` |
| Syntax: Create field: select mul(value1, value2) as resultFieldA, mul(resultFieldA, value3) as resultFieldB, mul(resultFieldB, value4) as resultFieldC... Query example: | Code Block |
|---|
query(from demo.ecommerce.data |
select mul(bytesTransferred, timeTaken) as resultFieldA, mul(resultFieldA, statusCode) as resultFieldTotal) |
|
Related articles: Multiplication, product (mul, *)
...
Search window | Activeboards |
|---|
Not supported
| Syntax: select collectdistinct(field) as fieldName
Query Example: | Code Block |
|---|
query (from demo.ecommerce.data |
group every 5m by method, |
statusCode
select statusCodeselect
collectdistinct(bytesTransferred) as distinctBytesTransferred) |
|
Related articles: Query API
...
Search window | Activeboards |
|---|
Not supported
| Syntax: Create field: select array(field) [valuePosition] as fieldName
Filter: where field operator array(field) [valuePosition] Query example: | Code Block |
|---|
query (from demo.ecommerce.data |
group every 1h by method, statusCode |
select collectdistinct(timeTaken) as DisTimeTaken |
select array(DisTimeTaken) [1] as Array2Time |
where statusCode >= array(DisTimeTaken) [1]) |
|
Related articles: Query API
...
Search window | Activeboards |
|---|
Not supported
| Syntax: Create field: select (from tag1.tag2.tag3.tag4) as fieldName
Filter: where field in (from tag1.tag2.tag3.tag4) Query example: | Code Block |
|---|
query(from siem.logtrust.web.activity |
from siem.logtrust.web.navigation |
group every - by userEmail |
select count()) as inner) |
select inner[username] as nav |
| Code Block |
|---|
query (from demo.ecommerce.data |
(from demo.ecommerce.data |
where now()- 5m < eventdate < now() |
group every - by statusCode) |
select method, statusCode, eventdate) |
|
Related articles: Subqueries, Query API
...
