
  • Create a set from values:

    Code Block
    select mkset(srcHost, params) as mkset_string
  • Convert an array to a set:

    Code Block
    select set([1, 2, 2, 3]) as toset_int_1_2_3
  • Check if a set is empty:

    Code Block
    select isempty(mkset_string) as is_empty
  • Get the length of a set (number of distinct values):

    Code Block
    select length(mkset_string) as set_length
  • Check if a set contains a specific value:

    Code Block
    select toset_int_1_2_3 -> 2 as has
    Code Block
    select 2 in toset_int_1_2_3 as _in
  • Add values to a set:

    Code Block
    select "new value" + mkset_string as add_va
  • Join a set into a string (concatenates all the values of the set with a separator):

    Code Block
    select join(mkset_string, ",") as join_set
  • Get the distinct values of a grouped field as a set:

    Code Block
    group select collectdistinct(responseLength) as responseLength_sizedistinct

TEST THEM TOGETHER

Code Block
from siem.logtrust.web.activity
//create a set
select mkset(srcHost, params) as mkset_string
select {srcHost, params} as set_literal
//convert an array into a set
select [1,2,3] as array,
set(array) as toset_int,
//check if the set is empty
isempty(mkset_string) as is_empty,
//what is the length of the set
length(mkset_string) as set_length,
//does the set contain a specific item?
toset_int -> 2 as has,
//add values to a set
"new value" + mkset_string as add_va,
//join a set. Concatenates all the values of a set
join(mkset_string, ",") as join_set
//get the distinct values of a grouped field as a set (commented out: it would turn the query into a grouped one)
//group select collectdistinct(responseLength) as responseLength_sizedistinct

Map

A map in Devo is a collection of key-value pairs where each key is unique, but values can be duplicated. Maps allow for efficient lookups by keys and are useful when working with datasets that need to associate properties or attributes to specific items.

...

  • Create a map:

    Code Block
    select mkmap("b",7,"c",6,"a",5) as map1
    Code Block
    select mkmap("src", srcPort, "serverPort", serverPort) as map2
  • Check if a map is empty:

    Code Block
    select isempty(map1) as is_empty
  • Get the length of a map (number of key-value pairs):

    Code Block
    select length(map1) as map_length
  • Check if a map contains a key:

    Code Block
    select map1 -> "b" as has_key_b
  • Append new key-value pairs:

    Code Block
    select map1 + map2 as map3
  • Subtract pairs, or a single key:

    Code Block
    select map3 - map2 as _subtract_pairs
    Code Block
    select map3 - "b" as _subtract_key_b
  • Return the value of a given key:

    Code Block
    select map3["b"] as _return_7
  • Return all keys or values from a map:

    Code Block
    select keys(map3) as _keys_set
    Code Block
    select values(map3) as _values_array

TEST THEM TOGETHER

Code Block
from siem.logtrust.web.activity
//create a map
select mkmap("b",7,"c",6,"a",5) as map1
select {"src":srcPort, "serverPort": serverPort} as map2
//check if a map is empty
select isempty(map1) as _false
//return the length of a map
select length(map1) as _length
//check the occurrence of key "b"
select map1 -> "b" as _true
//append new pairs
select map1 + map2 as map3
//subtract pairs, or a single key
select map3 - map2 as _subtract_pairs
select map3 - "b" as _subtract_key_b
//return the value of a given key
select map3["b"] as _return_7
//return all the keys or values of a map
select keys(map3) as _keys_set
select values(map3) as _values_array

Array

An array is an ordered collection of elements where duplicates are allowed. Arrays are especially useful for performing a range of operations such as sorting, summing, and filtering. Unlike sets, arrays preserve the order of elements, making them essential for ordered data manipulation.

...

  • Create an array:

    Code Block
    select mkarray(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as array1
    select ["hi", "i_am_in_a_set"] as array2
  • Convert a set to an array:

    Code Block
    select {serverPort, srcPort} as set1
    Code Block
    select array(set1) as array3
  • Check if an array contains a value:

    Code Block
    select "hi" in array2 as has_hi
    Code Block
    select array2 -> "hi" as has_hi_alt
  • Add a value to an array:

    Code Block
    select array2 + "example" as array_with_example
  • Reverse an array:

    Code Block
    select reverse(array2) as array_reversed
    Code Block
    select reverse("hello") as _treat_strings_as_arrays
  • Drop null values from an array:

    Code Block
    select dropnulls(array2) as array_without_nulls
  • Sum numeric arrays:

    Code Block
    select sum([1,5,8]) as array_sum
  • Get the length of an array:

    Code Block
    select length(array2) as array_length


TEST THEM TOGETHER

Code Block
from siem.logtrust.web.activity
//create an array
select mkarray(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as array1
select ["hi", "i_am_in_a_set"] as array2
//convert a set to an array
select {serverPort, srcPort} as set1
select array(set1) as array3
//filter or check the occurrence of a value in an array
select "hi" in array2 as has_hi
select array2 -> "hi" as has_hi_alt
//length of an array
select length(array2) as array_length
//add a value
select array2 + "example" as array_with_example
//drop nulls
select dropnulls(array2) as array_without_nulls
//reverse an array (strings are treated as arrays of characters)
select reverse(array2) as array_reversed
select reverse("hello") as _treat_strings_as_arrays
//sum numeric arrays
select sum([1,5,8]) as _14

Tuple

A tuple in Devo is an ordered collection of elements that can be of mixed types (e.g., strings, numbers, booleans). Unlike arrays, tuples maintain the individual types of each element and are immutable, meaning that once created, the elements cannot be changed.

...

  • Create a tuple:

    Code Block
    select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
    Code Block
    select (username ,srcPort, ip4(srcHost), true) as tuple2
  • Access tuple elements by index:

    Code Block
    select tuple[0] as first_item_from_tuple
    Code Block
    select tuple[-1] as last_item_from_tuple
    Code Block
    select at(tuple,0) as first_item_from_tuple2
  • Filter on a tuple element by its underlying data type:

    Code Block
    where tuple[0] -> "@"
    Code Block
    where tuple[-1] not in (ip4(95.63.39.51))
  • SUB-QUERY: find the occurrence of a specific IP in another table during the same period of time

    Code Block
    select (from siem.logtrust.web.navigation group by srcHost select srcHost) -> srcHost as _ip_occurrence_in_another_table
  • SUB-QUERY: return the "origin" field in another table matching by user email

    Code Block
    select (from siem.logtrust.web.navigation group by userEmail, origin)[username] as userInSubq
  • SUB-QUERY: return the tuple (userEmail, count()) from another table matching by the tuple (email, level)

    Code Block
    select (from siem.logtrust.web.navigation group by userEmail, level select userEmail, count())[username, level] as match

TEST THEM TOGETHER

Code Block
from siem.logtrust.web.activity
//create a tuple with multiple types
select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
select (username, srcPort, ip4(srcHost), true) as tuple2
//some ways to select the first (and the last) item from a tuple
select tuple[0] as first_item_from_tuple
select tuple[-1] as last_item_from_tuple
select at(tuple,0) as first_item_from_tuple2
//SUB-QUERY: find the occurrence of a specific IP in another table during the same period of time
select (from siem.logtrust.web.navigation group by srcHost select srcHost) -> srcHost as _ip_occurrence_in_another_table
//SUB-QUERY: return the "origin" field in another table matching by user email
select (from siem.logtrust.web.navigation group by userEmail, origin)[username] as userInSubq
//SUB-QUERY: return the tuple (userEmail, count()) from another table matching by the tuple (email, level)
select (from siem.logtrust.web.navigation group by userEmail, level select userEmail, count())[username, level] as match
//it is possible to filter each item by the underlying data type
where tuple[0] -> "@"
where tuple[-1] not in (ip4(95.63.39.51))
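A worked query that combines the set helpers from the Set section (collectdistinct, length, join) with the sub-query membership test shown above into a defender's check. It is an added example, not part of the original page: it flags source hosts that appear in siem.logtrust.web.activity but never in siem.logtrust.web.navigation over the same period, and lists the distinct usernames seen from each such host. Tables and field names are the page's; the aliases and the threshold of 3 users are assumptions.

```linq
from siem.logtrust.web.activity
// sub-query: hosts seen in the navigation table over the same period;
// "->" on the sub-query result tests membership, as in the tuple section
select (from siem.logtrust.web.navigation group by srcHost select srcHost) -> srcHost as seen_in_navigation
// keep only activity from hosts the navigation table never saw
where seen_in_navigation = false
// one row per host, carrying the set of distinct users that came from it
group by srcHost
select collectdistinct(username) as users
// set helpers from the Set section: size of the set and a readable join
select length(users) as distinct_users
select join(users, ",") as user_list
// assumed threshold: many distinct users from one unseen host is worth a look
where distinct_users > 3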

JSON

A JSON object in Devo is a collection of key-value pairs, where the keys are unique, and the values can be of mixed types, including nested objects and arrays. JSON is useful for representing structured data in an unordered format, enabling flexible data storage and manipulation.

...

  • Parse a string to JSON:

    Code Block
    select jsonparse("{\"str\": \"hi\", \"int\": 1}") as json
  • Extract a property value:

    Code Block
    select json["int"] as extract_int //doesn't work in Data Search at the moment
    Code Block
    select jqeval(jqcompile(".int"), json) as extract_int_alt
  • Convert a JSON to a string:

    Code Block
    select stringify(json) as json_to_string
  • Determine the data type of a JSON value:

    Code Block
    select label(jqeval(jqcompile(".int"), json)) as int_type

TEST THEM TOGETHER

Code Block
from siem.logtrust.web.activity
//create a JSON object
select jsonparse("{\"str\": \"hi\", \"int\": 1}") as json
//extract a property value
//select json["int"] as extract_int //doesn't work in Data Search at the moment
select jqeval(jqcompile(".int"), json) as extract_int_alt
//convert a JSON to a string
select stringify(json) as json_to_string
//determine the data type of a JSON value
select label(jqeval(jqcompile(".int"), json)) as int_type
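An added example, not from the original page, that extends the JSON helpers above to a nested object. The JSON string is constructed to stand in for a JSON field in a log line; the jq paths .user.name, .user.admin and .ports[0] are standard jq syntax and are assumed to be accepted by jqcompile in the same way as the page's .int.

```linq
from siem.logtrust.web.activity
// constructed sample: a nested object and an array inside one JSON string
select jsonparse("{\"user\": {\"name\": \"alice\", \"admin\": false}, \"ports\": [22, 443]}") as evt
// nested property paths, evaluated with the same jqeval/jqcompile pair as on the page
select jqeval(jqcompile(".user.name"), evt) as user_name
select jqeval(jqcompile(".user.admin"), evt) as is_admin
// array element inside the object (jq index syntax)
select jqeval(jqcompile(".ports[0]"), evt) as first_port
// label() reports the underlying type of a value before it is compared or cast
select label(jqeval(jqcompile(".ports"), evt)) as ports_type
select label(jqeval(jqcompile(".user"), evt)) as user_type
// round-trip the object back to text, e.g. for an exported column
select stringify(evt) as evt_text
```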