Page Comparison

...

Global

Whilst you don't have to add anything in search window queries, Activeboard queries must be enclosed between brackets, with the word "query" added before. Queries from the search window will be automatically transformed when used in Activeboards, however, trying to use an Activeboard query in the search window will return an error.

...

Search window

...

Activeboards

...

Syntax:

from tag1.tag2.tag3.tag4

Query example:

from demo.ecommerce.data

...

Syntax:

query(from tag1.tag2.tag3.tag4)

Query example:

query(from demo.ecommerce.data)

Lookup operations

Queries to use lookup operations present some particularities that make them incompatible when used from the search window to Activeboards or vice versa. The use of symbols is different and the domain name is required in one of them.

...

Search window

...

Activeboards

Syntax:

select `lu/lookupName/lookupfield`(field) as newfieldName

...

from demo.ecommerce.data
select `lu/IP_list/StreetAddress`(clientIpAddress) as `IP street address`

...

Syntax:

select lu("lookupName", "lookupfield", field) as newfieldName

Query example:

query(from demo.ecommerce.data
select lu("IP_list", "StreetAddress", clientIpAddress) as `IP street address`)

Related article: Data enrichment

Order operations

Order operations are slightly adjusted in queries used from the search window to Activeboards or vice versa. On a general basis, both constructions work fine in both areas but each area has one of them as the default. This can create confusion because of the automatic transformations that are carried out in several processes when bringing queries from one place to the other. Here you have the preferred syntax for each of them, both to filter and create field:

...

Search window

...

Activeboards

Syntax:

Create field: select field operator "value"/field as fieldName
Filter: where field operator "value"/field 

...

from demo.ecommerce.data
where method = "POST"select timeTaken >= bytesTransferred

...

Syntax:

Create field: select operator (field, "value"/field) as fieldName
Filter: where operator(field, "value"/field)

Query example:

query(from demo.ecommerce.data
where eq(method, "POST")select ge(timeTaken, bytesTransferred))

Related articles: Order group

Aggregation operations

Maximum (max) operations

...

Related articles: Multiplication, product (mul, *)

Collect distinct operation

This operation will return the set of distinct values for the specified field when grouping events. This operation is not supported in the search window so you need to be careful when using queries from one area to the other. If you want to use it outside Activeboards you can do so with the query API.

...

Search window

...

Activeboards

...

Not supported

Syntax:

...

)

...

Query Example:

...

...

query (from demo.ecommerce.data
group every 5m by method, statusCodeselect
collectdistinct(bytesTransferred) as distinctBytesTransferred)

Related articles: Query API

Array operation

When you have fields that contain sets of values as opposed to single values, this operation transforms its data type into an array to be later used to invoke one of the values inside the set. This operation can be used both to create field and as a filter. When used to create a field, the value invoked will be inserted in the new field while as a filter it will be used as filtering criteria.

...

query (from demo.ecommerce.data
group every 1h by method, statusCode
select collectdistinct(timeTaken) as DisTimeTaken
select array(DisTimeTaken) [1] as Array2Time
where statusCode >= array(DisTimeTaken) [1])

Related articles: Query API

Subqueries

...

Collect distinct operation

This operation will return the set of distinct values for the specified field when grouping events. This operation is not supported in the search window yet so you need to be careful when using queries from one area to the other because you will not be able to reproduce subqueries. If you want to use subqueries out of Activeboards, your only option so far is to use it outside Activeboards you can do so with the query API.

query (from demo.ecommerce.data
group every 5m by method, statusCodeselect
collectdistinct(bytesTransferred) as distinctBytesTransferred)

Related articles: Query API

Global syntax

Whilst you don't have to add anything in search window queries, Activeboard queries must be enclosed between brackets, with the word "query" added before. Queries from the search window will be automatically transformed when used in Activeboards, however, trying to use an Activeboard query in the search window will return an error.

from demo.ecommerce.data

query(from 

demo.ecommerce.data)

Lookup operations

Queries to use lookup operations present some particularities that make them incompatible when used from the search window to Activeboards or vice versa. The use of symbols is different and the domain name is required in one of them.

from demo.ecommerce.data
select `lu/IP_list/StreetAddress`(clientIpAddress) as `IP street address`

query(from demo.ecommerce.data

select 

...

lu("IP_list", "StreetAddress", clientIpAddress) as `IP street address`)

Related article: Data enrichment

Mlevalmodel operation

Mlevalmodel operation is not supported in search window. Use this operation in Activeboards when you want to work with models you uploaded in Model Management.

from "datatable"
select "fields"
mlevalmodel("domain", "ModelName", "ModelFields") as "NameNewField"

from demo.ecommerce.data
select 
  split(referralUri, "/",2) as domain,
  float(lenght(domain)) as lenght
  shannonentropy(domain) as entropy
  float(countbyfilter(domain, "aeiuoAEIOU")) as p_vowels,
  mlevamodel("self", "example_test", lenght, entropy, p_vowels) as prob
  ifthenelse(prob>0.8, "dga", "legit") as type 

Refer article: Model Management

Order operations

Order operations are slightly adjusted in queries used from the search window to Activeboards or vice versa. On a general basis, both constructions work fine in both areas but each area has one of them as the default. This can create confusion because of the automatic transformations that are carried out in several processes when bringing queries from one place to the other. Here you have the preferred syntax for each of them, both to filter and create field:

from demo.ecommerce.data
where method = "POST"select timeTaken >= bytesTransferred

query(from demo.ecommerce.data
where eq(method, "POST")select ge(timeTaken, bytesTransferred))

Related articles: Order group

Subqueries

Subqueries are not supported in the search window yet so you need to be careful when using queries from one area to the other because you will not be able to reproduce subqueries. If you want to use subqueries out of Activeboards, your only option so far is to use the query API.

query(from siem.logtrust.web.activity
select ((
from siem.logtrust.web.navigation
group every - by userEmail
select count()) as inner)
select inner[username] as nav
group by username, nav)

query (from demo.ecommerce.data
where statusCode in
(from demo.ecommerce.data
where statusCode = "404"
where now()- 5m < eventdate < now()
group every - by statusCode)
select method, statusCode, eventdate)

Related articles: Subqueries, Query API