...
Code Block

```
from siem.logtrust.web.activity
//create a tuple with multiple types
select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
select (username, srcPort, ip4(srcHost), true) as tuple2
//some ways to select the first (and last) item from a tuple
select tuple[0] as first_item_from_tuple
select tuple[-1] as last_item_from_tuple
select at(tuple, 0) as first_item_from_tuple2
//SUB-QUERY: find the occurrence of a specific IP in another table during the same period of time
select (from siem.logtrust.web.navigation group by srcHost select srcHost) -> srcHost as _ip_occurrence_in_another_table
//SUB-QUERY: return the "origin" field in another table matching by user email
select (from siem.logtrust.web.navigation group by userEmail, origin)[username] as userInSubq
//SUB-QUERY: return the tuple (userEmail, count()) from another table matching by the tuple (email, level)
select (from siem.logtrust.web.navigation group by userEmail, level select userEmail, count())[username, level] as match
//it is possible to filter each item by the underlying data type
where tuple[0] -> "@"
where tuple[-1] not in (ip4(95.63.39.51))
```
...
JSON
A JSON object in Devo is a collection of key-value pairs, where the keys are unique, and the values can be of mixed types, including nested objects and arrays. JSON is fully supported in Devo. It is useful for representing structured data in an unordered format, enabling flexible data storage and manipulation.
...