...
As a workaround, you can perform subsequent maximum operations until you have obtained the maximum of all the arguments you need.

**Search window + Alerts API**

Syntax (create field): `select max(value1, value2, value3, value4...) as maxField`

Query example:

```
from demo.ecommerce.data
select max(bytesTransferred, timeTaken, statusCode) as `maxField`
```

**Other Devo APIs**

Syntax (create field): `select max(value1, value2) as maxFieldA, max(maxFieldA, value3) as maxFieldB, max(maxFieldB, value4) as maxFieldC...`

Query example:

```
from demo.ecommerce.data
select max(bytesTransferred, timeTaken) as maxFieldA, max(maxFieldA, statusCode) as maxFieldTotal
```

Related articles: Maximum (max)
...
As a workaround, you can perform subsequent minimum operations until you have obtained the minimum of all the arguments you need.

**Search window + Alerts API**

Syntax (create field): `select min(value1, value2, value3, value4...) as minField`

Query example:

```
from demo.ecommerce.data
select min(bytesTransferred, timeTaken, statusCode) as `minField`
```

**Other Devo APIs**

Syntax (create field): `select min(value1, value2) as minFieldA, min(minFieldA, value3) as minFieldB, min(minFieldB, value4) as minFieldC...`

Query example:

```
from demo.ecommerce.data
select min(bytesTransferred, timeTaken) as minFieldA, min(minFieldA, statusCode) as minFieldTotal
```

Related articles: Minimum (min)
...
As a workaround, you can perform subsequent addition operations until you have added all the arguments you need.

**Search window + Alerts API**

Syntax (create field): `select add(value1, value2, value3, value4...) as totalField`

Query example:

```
from demo.ecommerce.data
select add(bytesTransferred, timeTaken, statusCode) as `totalField`
```

**Other Devo APIs**

Syntax (create field): `select add(value1, value2) as totalFieldA, add(totalFieldA, value3) as totalFieldB, add(totalFieldB, value4) as totalFieldC...`

Query example:

```
from demo.ecommerce.data
select add(bytesTransferred, timeTaken) as totalFieldA, add(totalFieldA, statusCode) as totalFieldFinal
```

Related articles: Addition, sum, plus / Concatenation (add, +)
...
As a workaround, you can perform subsequent multiplication operations until you have multiplied all the arguments you need.

**Search window + Alerts API**

Syntax (create field): `select mul(value1, value2, value3, value4...) as resultField`

Query example:

```
from demo.ecommerce.data
select mul(bytesTransferred, timeTaken, statusCode) as `resultField`
```

**Other Devo APIs**

Syntax (create field): `select mul(value1, value2) as resultFieldA, mul(resultFieldA, value3) as resultFieldB, mul(resultFieldB, value4) as resultFieldC...`

Query example:

```
from demo.ecommerce.data
select mul(bytesTransferred, timeTaken) as resultFieldA, mul(resultFieldA, statusCode) as resultFieldTotal
```

Related articles: Multiplication, product (mul, *)
...
This operation is not supported in the search window, so you will not be able to bring queries that use it from one area to the other. To use it, you need the Query API.

**Search window + Alerts API**

Not supported.

**Other Devo APIs**

Syntax (create column): `select array(column) [valuePosition] as columnName`

Syntax (filter): `where column operator array(column) [valuePosition]`

Query example:

```
from demo.ecommerce.data
group every 1h by method, statusCode
select collectdistinct(timeTaken) as DisTimeTaken
select array(DisTimeTaken) [1] as Array2Time
where statusCode >= array(DisTimeTaken) [1]
```

Related articles: Query API
...
This operation returns the set of distinct values of the specified field when grouping events. It is not supported in the search window, so be careful when moving queries from one area to the other. If you want to use it, you can do so with the Query API.

**Search window + Alerts API**

Not supported.

**Other Devo APIs**

Syntax: `select collectdistinct(column) as columnName`

Query example:

```
from demo.ecommerce.data
group every 5m by method, statusCode
select collectdistinct(bytesTransferred) as distinctBytesTransferred
```

Related articles: Query API
...
Queries that use lookup operations present some particularities that make them incompatible when used from the search window to APIs or vice versa. The symbols used are different, and the domain name is required in one of them.

**Search window + Alerts API**

Syntax: ``select `lu/lookupName/lookupColumn`(field) as newColumnName``

Query example:

```
from demo.ecommerce.data
select `lu/IP_list/StreetAddress`(clientIpAddress) as `IP street address`
```

**Other Devo APIs**

Syntax: `select lu("lookupName", "lookupColumn", field) as newColumnName`

Query example:

```
from demo.ecommerce.data
select lu("IP_list", "StreetAddress", clientIpAddress) as `IP street address`
```

Related article: Data enrichment
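The two rewrites described above (chaining n-ary `max`/`min`/`add`/`mul` into binary steps with intermediate fields, and turning the backticked `lu/...` form into the `lu(...)` call) are mechanical, so a small translator can apply them to a search-window query before it is submitted through the other APIs. The following Python is an added example, not Devo's own tooling; it assumes one `select func(args) as alias` expression per line and numbers the intermediate fields `alias_1`, `alias_2`, ... (hypothetical names, in place of the page's `maxFieldA`, `maxFieldB`).

```python
import re

# Functions that take n arguments in the search window but only two in the other Devo APIs.
CHAINABLE = {"max", "min", "add", "mul"}

def split_top_level(s):
    """Split an argument list on the commas that are not inside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def chain_call(func, args, alias):
    """max(a, b, c) as f  ->  ['max(a, b) as f_1', 'max(f_1, c) as f'] (the page's workaround)."""
    steps, prev = [], args[0]
    for i, arg in enumerate(args[1:], start=1):
        name = alias if i == len(args) - 1 else f"{alias}_{i}"  # last step keeps the alias
        steps.append(f"{func}({prev}, {arg}) as {name}")
        prev = name
    return steps

# One 'select func(args) as alias' per line; the alias may be backticked as on the page.
SELECT_RE = re.compile(r"^select\s+(\w+)\((.*)\)\s+as\s+`?(\w+)`?\s*$")

def rewrite_select(line):
    """Chain an n-ary max/min/add/mul into binary steps; any other line passes through."""
    m = SELECT_RE.match(line.strip())
    if not m or m.group(1) not in CHAINABLE:
        return line
    func, args, alias = m.group(1), split_top_level(m.group(2)), m.group(3)
    if len(args) <= 2:          # already binary: valid in both areas
        return line
    return "select " + ", ".join(chain_call(func, args, alias))

# `lu/lookupName/lookupColumn`(field)  ->  lu("lookupName", "lookupColumn", field)
LOOKUP_RE = re.compile(r"`lu/([^/`]+)/([^/`]+)`\(([^()]*)\)")

def rewrite_lookup(line):
    return LOOKUP_RE.sub(r'lu("\1", "\2", \3)', line)

def to_api_query(query):
    """Rewrite a search-window query, line by line, into the form the other APIs accept."""
    return "\n".join(rewrite_lookup(rewrite_select(l)) for l in query.splitlines())
```

Running `to_api_query` on the page's `max` example yields `select max(bytesTransferred, timeTaken) as maxField_1, max(maxField_1, statusCode) as maxField`, which is the chained form shown in the right-hand column.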
...
Queries that use lookup operations with JSON present some particularities that make them incompatible when used from the search window to APIs or vice versa. The symbols used are different, and a specific JSON command is required in one of them.

**Search window + Alerts API**

Syntax: ``select `lu/lookupName`(field) as newColumnName``

Query example:

```
from demo.ecommerce.data
select `lu/IP_list`(clientIpAddress) as `jsonField`
```

**Other Devo APIs**

Syntax: `select hlurjson("lookup_name", field, eventdate) as json`

Query example:

```
from demo.ecommerce.data
select hlurjson("IP_list", clientIpAddress, eventdate) as `json`
```

Related article: Data enrichment
...
The mlevalmodel operation is not supported in the search window. Use it in the APIs when you want to work with models you uploaded in Model Management.

**Search window**

Not supported.

**Devo APIs**

Query examples:

```
from "datatable"
select "fields"
mlevalmodel("domain", "ModelName", "ModelFields") as "NameNewField"
```

Example:

```
from demo.ecommerce.data
select
  split(referralUri, "/", 2) as domain,
  float(length(domain)) as `length`,
  shannonentropy(domain) as entropy,
  float(countbyfilter(domain, "aeiuoAEIOU")) as p_vowels,
  mlevalmodel("self", "example_test", `length`, entropy, p_vowels) as prob,
  ifthenelse(prob > 0.8, "dga", "legit") as type
```

Related article: Model Management
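The example query above derives three features from the referral URI (domain length, Shannon entropy and vowel count) before handing them to the uploaded model. Reproducing those features offline is useful when validating a model or picking the `prob` threshold, so the following Python is an added example, not Devo's code; it assumes Devo's `split` index is 0-based (as the query's use of `2` to reach the host part suggests) and that `shannonentropy` is base-2 entropy per character.

```python
import math

VOWELS = "aeiuoAEIOU"  # the same filter string the query passes to countbyfilter

def split_field(value, sep, index):
    """Mirror of split(field, sep, n): the n-th (0-based) piece, or None if absent."""
    parts = value.split(sep)
    return parts[index] if index < len(parts) else None

def shannon_entropy(s):
    """Bits of entropy per character (assumed to match Devo's shannonentropy)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def count_by_filter(s, chars):
    """Mirror of countbyfilter(field, chars): how many characters of s are in chars."""
    return sum(1 for c in s if c in chars)

def domain_features(referral_uri):
    """The three model inputs used by the page's query, or None if no domain part exists."""
    domain = split_field(referral_uri, "/", 2)
    if not domain:
        return None
    return {
        "domain": domain,
        "length": float(len(domain)),
        "entropy": shannon_entropy(domain),
        "p_vowels": float(count_by_filter(domain, VOWELS)),
    }
```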
...
Subqueries are not supported in the search window yet, so be careful when moving queries from one area to the other, because you will not be able to reproduce them there. If you want to use subqueries, your only option so far is the Devo APIs.

**Search window**

Not supported.

**Devo APIs**

Syntax (create column): `select (from tag1.tag2.tag3.tag4) as columnName`

Syntax (filter): `where column in (from tag1.tag2.tag3.tag4)`

Query examples:

```
from siem.logtrust.web.activity
select (from siem.logtrust.web.navigationgroup
        group every - by userEmail
        select count()) as inner
select inner[username] as navgroup by username, nav
```

```
from demo.ecommerce.data
where statusCode in (from demo.ecommerce.data
                     where statusCode = "404"
                     where now() - 5m < eventdate < now()
                     group every - by statusCode)
select method, statusCode, eventdate
```

Related articles: Subqueries, Query API