
Test them together in Data Search

from siem.logtrust.web.activity
// Array examples on siem.logtrust.web.activity. Every `select ... as <alias>`
// adds one output column, and later lines refer to earlier aliases
// (array2, set1), so the statement order matters.
//create an array
  // mixed-type array built from a row's fields; mm2coordinates(...) is
  // presumably a geo lookup on the parsed IP — confirm in the Devo docs
  select mkarray(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as array1
  // array literal with two string elements
  select ["hi", "i_am_in_a_set"] as array2
//convert a set to an array
  // braces build a set; array() turns it into an array
  select {serverPort, srcPort} as set1
  select array(set1) as array3
//filter or check the occurrence of a value in an array
  // two spellings of the same membership test for "hi" in array2;
  // the `->` form appears equivalent to `in` here — confirm
  select "hi" in array2
  select array2 -> "hi"
//length of an array
  select length(array2)
//add a value
  select array2 + "example" as array_with_example
//drop nulls
  // array2 holds no null elements, so the result is expected to equal array2
  select dropnulls(array2) as array_without_nulls
//reverse an array
  select reverse(array2) as array_reversed
  // per the alias, reverse() also accepts a string and reverses its characters
  select reverse("hello") as _treat_strings_as_arrays
//sum numeric arrays
  // alias documents the expected result (1 + 5 + 8)
  select sum([1,5,8]) as _14


Test them together in Data Search

from siem.logtrust.web.activity
// Tuple and sub-query examples on siem.logtrust.web.activity. The trailing
// `where` lines reference the `tuple` alias, so they must stay after its select.
//create a tuple with multiple types
  // element order: [0] username, [1] ip4(srcHost), [2] mm2coordinates(...), [3] true
  select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
  // parenthesised list as tuple shorthand
  select (username ,srcPort, ip4(srcHost), true) as tuple2
//some ways to select the first item from a tuple
  select tuple[0] as first_item_from_tuple
  // negative index counts from the end; alias keeps its original trailing underscore
  select tuple[-1] as last_item_from_tuple_
  // at(tuple, i) is the function form of tuple[i]
  select at(tuple,0) as first_item_from_tuple2
//SUB-QUERY: find the occurrence of a specific IP in another table during the same period of time
  // membership test: does this row's srcHost appear among the grouped srcHost
  // values of siem.logtrust.web.navigation for the same query window?
  select (from siem.logtrust.web.navigation group by srcHost select srcHost) -> srcHost as _ip_occurrence_in_another_table
//SUB-QUERY: return the "origin" field in another table matching by user email
  // indexing the grouped sub-query by [username] looks up the group whose
  // userEmail equals username — confirm which column the lookup returns
  select (from siem.logtrust.web.navigation group by userEmail, origin)[username] as userInSubq
//SUB-QUERY: return the tuple (userEmail, count()) from another table matching by the tuple (email, level)
  // two-key lookup: both username and level must match the group keys
  select (from siem.logtrust.web.navigation group by userEmail, level select userEmail, count())[username, level] as match
//it is possible to filter each item by the underlying data type
  // tuple[0] is the username string; `->` here presumably tests that it contains "@"
  where tuple[0] -> "@"
  // NOTE(review): tuple[-1] is the trailing boolean `true`, not an IP; given the
  // comment above, tuple[1] (ip4(srcHost)) is probably what is intended — confirm.
  // The IP literal is only an example value for the filter.
  where tuple[-1] not in (ip4(95.63.39.51))


Test them together in Data Search

from siem.logtrust.web.activity
// JSON examples on siem.logtrust.web.activity: parse a constant JSON document,
// then read, stringify and type-inspect one of its properties via jq.
//create a JSON object
  // parses an inline JSON literal (inner quotes escaped for the Devo string);
  // when parsing a log field instead of a constant, confirm how jsonparse
  // reports malformed input (null vs error) before relying on it in a filter
  select jsonparse("{\"str\": \"hi\", \"int\": 1}") as json
//Extract a Property Value
  //select json["int"] as extract_int //doesn't work in Data Search at the moment
  // compiles the jq path ".int" and evaluates it against json; expected value 1
  select jqeval(jqcompile(".int"), json) as extract_int_alt
//Convert a JSON to a string
  // serialises the parsed object back to text (alias spelling kept as in the original)
  select stringify(json) as json_to_strinc
//Determine Data Type of a JSON Value
  // label() reports the data type of the jq result for ".int"
  select label(jqeval(jqcompile(".int"), json)) as int_type