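from siem.logtrust.web.activity
// Set basics: create, convert, inspect, test membership, extend and serialise a set.
// Two ways to create a set: the mkset() function or the {a, b} literal.
  select mkset(srcHost,params) as mkset_string
  select {srcHost, params}
// Convert an array into a set with set().
  select [1,2,3] as array,
  set(array) as toset_int,
// Check whether the set is empty.
  isempty(mkset_string) as is_empty,
// Length (number of elements) of the set.
  length(mkset_string) as length,
// Membership test: does the set contain a specific item?
  toset_int -> 2 as has,
// Add a value to a set with `+`.
  "new value" + mkset_string as add_va,
// Join a set: concatenates all the values of the set with the given separator.
  join(mkset_string, ",") as join_set
// Distinct values of a field across a group. This needs a `group by` clause,
// which this query does not have, so the line is left commented out:
  //group select collectdistinct(responseLength) as responseLength_sizedistinct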

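from siem.logtrust.web.activity
// Map basics: create, inspect, combine, subtract and read maps.
// Two ways to create a map: mkmap(k1, v1, k2, v2, ...) or the {"k": v} literal.
  select mkmap("b",7,"c",6,"a",5) as map1
  select {"src":srcPort, "serverPort": serverPort} as map2
// Check whether a map is empty.
  select isempty(map1) as _false
// Length of a map.
  select length(map1) as _length
// Check whether key "b" is present.
  select map1 -> "b" as _true
// Append the pairs of map2 to map1.
  select map1 + map2 as map3
// Subtract pairs: `-` with a map removes those pairs, `-` with a key removes that key.
  select map3 - map2 as _subtract_pairs
  select map3 - "b" as _subtract_key_b
// Return the value for a given key (map3["b"] is 7, from map1).
  select map3["b"] as _return_7
// Return all the keys (as a set) or all the values (as an array) of a map.
  select keys(map3) as _keys_set
  select values(map3) as _values_array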

from siem.logtrust.web.activity
// Array basics: create, convert, test membership, extend and transform arrays.
// Two ways to create an array: mkarray(...) (mixed element types) or the [a, b] literal.
// Note: array2 is an array, whatever its literal's text says.
  select mkarray(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as array1
  select ["hi", "i_am_in_a_set"] as array2
// Convert a set to an array with array().
  select {serverPort, srcPort} as set1
  select array(set1) as array3
// Filter on, or check, the occurrence of a value in an array (two ways: `in` and `->`).
  select "hi" in array2
  select array2 -> "hi"
// Length of an array.
  select length(array2)
// Add a value to an array with `+`.
  select array2 + "example" as array_with_example
// Drop null elements.
  select dropnulls(array2) as array_without_nulls
// Reverse an array; strings are treated as arrays here.
  select reverse(array2) as array_reversed
  select reverse("hello") as _treat_strings_as_arrays
// Sum a numeric array.
  select sum([1,5,8]) as _14

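from siem.logtrust.web.activity
// Tuple basics, indexing, and sub-queries against another table.
// Two ways to create a tuple with mixed element types: mktuple(...) or the (a, b) literal.
  select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
  select (username ,srcPort, ip4(srcHost), true) as tuple2
// Some ways to pick items out of a tuple: positive index, negative index (from the end), at().
  select tuple[0] as first_item_from_tuple
  select tuple[-1] as last_item_from_tuple
  select at(tuple,0) as first_item_from_tuple2
// SUB-QUERY: is this row's srcHost present in another table during the same period of time?
  select (from siem.logtrust.web.navigation group by srcHost select srcHost) -> srcHost as _ip_occurrence_in_another_table
// SUB-QUERY: return the "origin" field from another table, matched by user email.
  select (from siem.logtrust.web.navigation group by userEmail, origin)[username] as userInSubq
// SUB-QUERY: return the tuple (userEmail, count()) from another table, matched by the tuple (email, level).
  select (from siem.logtrust.web.navigation group by userEmail, level select userEmail, count())[username, level] as match
// Each tuple item can be filtered according to its own data type:
// tuple[0] is the username string, so `->` is a contains test;
// tuple[1] is the ip4 built by mktuple above, so it can be compared against ip4 values.
// (tuple[-1] is the boolean `true` appended by mktuple, so it is not the item to compare with an IP.)
  where tuple[0] -> "@"
  where tuple[1] not in (ip4(95.63.39.51))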

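from siem.logtrust.web.activity
// JSON basics: parse, extract, stringify and inspect the type of a value.
// Create a JSON object from a string literal (quotes inside the literal are escaped).
  select jsonparse("{\"str\": \"hi\", \"int\": 1}") as json
// Extract a property value.
  // Direct indexing is left commented out: it does not work in Data Search at the moment.
  //select json["int"] as extract_int //doesn't work in Data Search at the moment
// Alternative: compile a jq-style expression and evaluate it against the JSON value.
  select jqeval(jqcompile(".int"), json) as extract_int_alt
// Convert a JSON value to a string.
  select stringify(json) as json_to_string
// Determine the data type of a JSON value: label() applied to the extracted value.
  select label(jqeval(jqcompile(".int"), json)) as int_type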