...
| Expand |
|---|
| title | Checking that the subquery results are contained in one of the main query fields |
|---|
|
All the subquery examples above are used to filter the main query results in order to get only the events that match the subquery data. However, you can also check that your query results contain the resulting values of your subquery. In the example below, we uploaded the CSV below to our Devo domain, which contains several URI parts, in order to get those main query events that contain them in the uri field. | View file |
|---|
| name | uri_parts.csv |
|---|
| page | Subqueries |
|---|
| space | latest |
|---|
|
To do it, you must use the following syntax: | Code Block |
|---|
from demo.ecommerce.data
where set ((
from my.upload.uri.parts
select message)) in uri
select * |
 Image Removed |
| Expand |
|---|
| title | Subquery using a select clause to expose a field |
|---|
|
| Code Block |
|---|
from siem.logtrust.web.activity
select ((
from siem.logtrust.web.navigation
group every - by userEmail
select count()) as inner)
select inner[username] as nav
group by username, nav |
 Image Removed Image Added |
Expose data from the subquery to the main query
You can correlate specific field values of your subquery with the ones in your main query and show them as a list in a new field.
...
