
Because of architectural differences, LINQ syntax has some particularities in Activeboards compared to the search window. A LINQ query copied from the search window into an Activeboard widget, or vice versa, may therefore not work as-is. Before going through the differences below, see Build a query using LINQ for the standard procedure for working with LINQ.

Tip

You don't need to transform your search window queries if you use the My last search queries and My favorite search queries boxes in the Data menu of the Activeboards area. They are converted to the required format automatically and added as aggregation tasks where needed.

Global

...

Search window

Syntax:

from tag1.tag2.tag3.tag4

Query example:

from demo.ecommerce.data

Activeboards

Syntax:

query(from tag1.tag2.tag3.tag4)

Query example:

query(
from demo.ecommerce.data
)

Addition, sum, plus / Concatenation (add, +) operations

When you use this operation in the Data Search, you can pass as many arguments as needed (where applicable). In Activeboards the number of arguments is limited to two.

As a workaround, chain successive add operations, feeding each intermediate result into the next, until all the arguments have been added.

Search window

Syntax:

Create field: select add(value1, value2, value3, value4...) as totalField

Query example:

from demo.ecommerce.data
select add(bytesTransferred, timeTaken, statusCode) as `totalField`

Activeboards

Syntax:

Create field: select add(value1, value2) as totalFieldA, add(totalFieldA, value3) as totalFieldB, add(totalFieldB, value4) as totalFieldC...

Query example:

query(from demo.ecommerce.data
select add(bytesTransferred, timeTaken) as totalFieldA, add(totalFieldA, statusCode) as totalFieldFinal)

Related articles: Addition, sum, plus / Concatenation (add, +)

Order operations

...

Lookup operations

Queries that use lookup operations have particularities that make them incompatible between the search window and Activeboards: the symbols used are different, and the Activeboards form additionally requires the domain name.

Search window

Syntax:

select `lu/lookupName/lookupColumn`(field) as newColumnName

Query example:

from demo.ecommerce.data
select `lu/IP_list/StreetAddress`(clientIpAddress) as `IP street address`

Activeboards

Syntax:

select lu("domainName", "lookupName", "lookupColumn", field) as newColumnName

Query example:

query(from demo.ecommerce.data
select lu("demo", "IP_list", "StreetAddress", clientIpAddress) as `IP street address`)

Related article: Data enrichment
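The lookup rewrite described in the Lookup operations section, as an added example (this is not code from the page or from Devo): two Python functions that convert a lookup reference between the two forms with regular expressions and add or strip the query( ... ) wrapper. The domain name is the one piece of information the search-window form does not carry, so it is a parameter; the default "demo" is the domain used in the page's own example and is an assumption for any other tenant. The field argument is assumed to be a plain field name rather than a nested call, which the `[^()]` character class enforces.

```python
import re

# Search-window form: `lu/lookupName/lookupColumn`(field)
SEARCH_FORM = re.compile(r"`lu/([^/`]+)/([^/`]+)`\(\s*([^()]+?)\s*\)")
# Activeboards form: lu("domainName", "lookupName", "lookupColumn", field)
BOARD_FORM = re.compile(
    r'\blu\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*([^()]+?)\s*\)'
)
# Activeboards queries are wrapped in query( ... ); the page also writes
# "query (" with a space, hence the \s*.
QUERY_WRAP = re.compile(r"^query\s*\((.*)\)\s*$", re.S)


def lookup_to_activeboards(query, domain="demo"):
    """Search-window lookup syntax -> Activeboards syntax, wrapped in query(...).
    The domain cannot be recovered from the search-window form, so it is a
    parameter; "demo" is the domain of the page's example (an assumption)."""
    body = SEARCH_FORM.sub(
        lambda g: f'lu("{domain}", "{g.group(1)}", "{g.group(2)}", {g.group(3)})',
        query.strip(),
    )
    return body if QUERY_WRAP.match(body) else f"query({body})"


def lookup_to_search_window(query):
    """Activeboards lookup syntax -> search-window syntax. The domain is
    dropped because the search-window form has no place for it."""
    m = QUERY_WRAP.match(query.strip())
    body = m.group(1).strip() if m else query.strip()
    return BOARD_FORM.sub(
        lambda g: f"`lu/{g.group(2)}/{g.group(3)}`({g.group(4)})", body
    )


# The page's own example, used as sample input.
SEARCH_WINDOW_QUERY = (
    "from demo.ecommerce.data\n"
    "select `lu/IP_list/StreetAddress`(clientIpAddress) as `IP street address`"
)
```

Converting the sample with lookup_to_activeboards and converting the result back with lookup_to_search_window returns the original text, so a query can be round-tripped between the two areas without loss other than the domain, which has to be supplied again on the way to Activeboards.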

Comparison operations

Operations in the Detection group that compare elements (equal, greater than, less than, and so on) are written slightly differently in the search window and in Activeboards. In general both constructions work in both areas, but each area treats one of them as its default, and the automatic transformations applied when a query is brought from one place to the other can cause confusion. The preferred syntax for each area, both to filter and to create a field, is:

Search window

Syntax:

Create field: select field operator "value"/field as fieldName
Filter: where field operator "value"/field

Query example:

from demo.ecommerce.data
where method = "POST"
select timeTaken >= bytesTransferred

Activeboards

Syntax:

Create field: select operator(field, "value"/field) as fieldName
Filter: where operator(field, "value"/field)

Query example:

query(from demo.ecommerce.data
where eq(method, "POST")
select ge(timeTaken, bytesTransferred))

Related articles: Order Detection group
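The infix-to-function rewrite for comparisons, as an added example (not Devo's code): a Python function that rewrites one where or select line from the infix form the search window prefers into the function form Activeboards prefers, and a wrapper that applies it to a whole query. Only eq and ge appear on this page; the other names in the table (gt, lt, le) follow the same naming pattern and are an assumption. A line that is not exactly one comparison, such as the chained `now()- 5m < eventdate < now()` form used in the subqueries example, does not map to a single two-argument call and is returned unchanged rather than rewritten wrongly.

```python
import re

# Function names for the infix comparison operators. eq and ge appear on this
# page; gt, lt and le follow the same naming pattern and are assumed here.
INFIX_TO_FUNCTION = {">=": "ge", "<=": "le", "=": "eq", ">": "gt", "<": "lt"}

# One where/select line: left operator right [as alias]. The two-character
# operators are listed first so ">=" is not read as ">" followed by "=".
CLAUSE = re.compile(
    r"^(?P<kw>where|select)\s+(?P<left>.+?)\s*(?P<op>>=|<=|=|>|<)\s*"
    r"(?P<right>.+?)(?P<alias>\s+as\s+\S+)?\s*$"
)
OPERATOR = re.compile(r">=|<=|=|>|<")


def comparison_to_activeboards(line):
    """Rewrite one where/select line from infix form to function form.
    Lines that are not a single comparison (no operator, a chained comparison,
    or an operator inside an unbalanced string) are returned unchanged."""
    m = CLAUSE.match(line.strip())
    if not m:
        return line
    left, right = m.group("left"), m.group("right")
    # Blank out string literals on the right before looking for a second
    # operator, so `where uri = "/a=b"` is still a single comparison.
    unquoted = re.sub(r'"[^"]*"', '""', right)
    if OPERATOR.search(unquoted) or left.count('"') % 2 or right.count('"') % 2:
        return line
    fn = INFIX_TO_FUNCTION[m.group("op")]
    return f'{m.group("kw")} {fn}({left}, {right}){m.group("alias") or ""}'


def query_to_activeboards(query):
    """Apply the rewrite line by line and wrap the result in query(...)."""
    lines = [comparison_to_activeboards(l) for l in query.strip().splitlines()]
    return "query(" + "\n".join(lines) + ")"


# The page's own search-window example, used as sample input.
SEARCH_WINDOW_QUERY = (
    "from demo.ecommerce.data\n"
    'where method = "POST"\n'
    "select timeTaken >= bytesTransferred"
)
```

Run on the sample, query_to_activeboards produces the page's Activeboards example (where eq(method, "POST") and select ge(timeTaken, bytesTransferred)). The reverse direction is not included here: splitting the two arguments of eq(...) back out needs a parenthesis-aware argument splitter, which belongs with the n-ary rewrite shown later on this page.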

Division vs real division operations

...

Search window

Division

Syntax:

select numberORcolumn \ numberORcolumn as columnName

Query example:

from demo.ecommerce.data
group every 5m by method, statusCode
select count() as count
select count \ 2 as halfCount

Real division

Syntax:

select numberORcolumn / numberORcolumn as columnName

Query example:

from demo.ecommerce.data
group every 5m by method, statusCode
select count() as count
select count / 2 as halfRealCount

Activeboards

Division

Syntax:

select numberORcolumn / numberORcolumn as columnName

Query example:

query(from demo.ecommerce.data
group every 5m by method, statusCode
select count() as count
select count / 2 as halfCount)

Real division

Syntax:

select numberORcolumn \ numberORcolumn as columnName

Query example:

query(from demo.ecommerce.data
group every 5m by method, statusCode
select count() as count
select count \ 2 as halfRealCount)

Related articles: Division (div, \), Real division (rdiv, /)

Maximum (max) operations → create field

When you use this operation in the Data Search to create a new field, you can pass as many arguments as needed. In Activeboards the number of arguments is limited to two.

As a workaround, chain successive max operations until you have obtained the maximum of all the arguments you need.

Search window

Syntax:

Create field: select max(value1, value2, value3, value4...) as maxField

Query example:

from demo.ecommerce.data
select max(bytesTransferred, timeTaken, statusCode) as `maxField`

Activeboards

Syntax:

Create field: select max(value1, value2) as maxFieldA, max(maxFieldA, value3) as maxFieldB, max(maxFieldB, value4) as maxFieldC...

Query example:

query(from demo.ecommerce.data
select max(bytesTransferred, timeTaken) as maxFieldA, max(maxFieldA, statusCode) as maxFieldTotal)

Related articles: Maximum (max)

Collect distinct operation

This operation returns the set of distinct values of the specified field when grouping events. It is not supported in the search window, so be careful when moving queries from one area to the other. To use it outside Activeboards, use the query API.

Search window

Not supported

Activeboards

Syntax:

select collectdistinct(column) as columnName

Query example:

query(from demo.ecommerce.data
group every 5m by method, statusCode
select collectdistinct(bytesTransferred) as distinctBytesTransferred)

Related articles: Query API

Array operation

When a field contains a set of values rather than a single value, this operation transforms its data type into an array so that one of the values in the set can be addressed by position. It can be used both to create a column and as a filter: when creating a column, the addressed value is inserted in the new column; as a filter, it is used as the filtering criterion.

Search window

Not supported

Activeboards

Syntax:

Create column: select array(column) [valuePosition] as columnName
Filter: where column operator array(column) [valuePosition]

Query example:

query(from demo.ecommerce.data
group every 1h by method, statusCode
select collectdistinct(timeTaken) as DisTimeTaken
select array(DisTimeTaken) [1] as Array2Time
where statusCode >= array(DisTimeTaken) [1])

Related articles: Query API

Minimum (min) operations → create field

When you use this operation in the Data Search to create a new field, you can pass as many arguments as needed. In Activeboards the number of arguments is limited to two.

As a workaround, chain successive min operations until you have obtained the minimum of all the arguments you need.

Search window

Syntax:

Create field: select min(value1, value2, value3, value4...) as minField

Query example:

from demo.ecommerce.data
select min(bytesTransferred, timeTaken, statusCode) as `minField`

Activeboards

Syntax:

Create field: select min(value1, value2) as minFieldA, min(minFieldA, value3) as minFieldB, min(minFieldB, value4) as minFieldC...

Query example:

query(from demo.ecommerce.data
select min(bytesTransferred, timeTaken) as minFieldA, min(minFieldA, statusCode) as minFieldTotal)

Related articles: Minimum (min)

Mlevalmodel operation

The mlevalmodel operation is not supported in the search window. Use it in Activeboards to work with models you uploaded in Model Management.

Search window

Not supported

Activeboards

Syntax:

from "datatable"
select "fields"
mlevalmodel("domain", "ModelName", "ModelFields") as "NameNewField"

Query example:

from demo.ecommerce.data
select
  split(referralUri, "/", 2) as domain,
  float(length(domain)) as length,
  shannonentropy(domain) as entropy,
  float(countbyfilter(domain, "aeiuoAEIOU")) as p_vowels,
  mlevalmodel("self", "example_test", length, entropy, p_vowels) as prob,
  ifthenelse(prob > 0.8, "dga", "legit") as type

Related article: Model Management

Subqueries

Subqueries are not supported in the search window yet, so be careful when moving queries from one area to the other: a query that contains a subquery cannot be reproduced there. To use subqueries outside Activeboards, your only option so far is the query API.

Search window

Not supported

Activeboards

Syntax:

Create column: select (from tag1.tag2.tag3.tag4) as columnName
Filter: where column in (from tag1.tag2.tag3.tag4)

Query examples:

query(from siem.logtrust.web.activity
select ((
from siem.logtrust.web.navigation
group every - by userEmail
select count()) as inner)
select inner[username] as nav
group by username, nav)

query(from demo.ecommerce.data
where statusCode in
(from demo.ecommerce.data
where statusCode = "404"
where now()- 5m < eventdate < now()
group every - by statusCode)
select method, statusCode, eventdate)

Multiplication, product (mul, *) operations

When you use this operation in the Data Search, you can pass as many arguments as needed. In Activeboards the number of arguments is limited to two.

As a workaround, chain successive mul operations until all the arguments you need have been multiplied.

Search window

Syntax:

Create field: select mul(value1, value2, value3, value4...) as resultField

Query example:

from demo.ecommerce.data
select mul(bytesTransferred, timeTaken, statusCode) as `resultField`

Activeboards

Syntax:

Create field: select mul(value1, value2) as resultFieldA, mul(resultFieldA, value3) as resultFieldB, mul(resultFieldB, value4) as resultFieldC...

Query example:

query(from demo.ecommerce.data
select mul(bytesTransferred, timeTaken) as resultFieldA, mul(resultFieldA, statusCode) as resultFieldTotal)

Related articles: Multiplication, product (mul, *)
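One way to automate the workarounds from the Addition, Maximum, Minimum and Multiplication sections together with the swapped division symbols from the Division vs real division section, as an added example rather than Devo tooling: a Python converter that takes a search-window query, folds every add/max/min/mul call with more than two arguments into a chain of two-argument calls through intermediate fields (the page does this by hand with names like totalFieldA; the `<alias>_1`, `<alias>_2` naming here is an assumption), swaps `\` and `/` outside string literals and backticked names, and wraps the result in query( ... ). The sample query is constructed for this example and assumes a `uri` field exists in demo.ecommerce.data.

```python
import re

# n-ary in the search window, limited to two arguments in Activeboards.
CALL = re.compile(r"(add|max|min|mul)\s*\(")
ALIAS = re.compile(r"^(.*)\s+as\s+(`[^`]*`|\S+)\s*$", re.S)  # "expr as alias"

def _chars(s):
    """Yield (index, char, quoted); quoted is True inside "..." or `...`."""
    quote = None
    for i, ch in enumerate(s):
        if quote:
            yield i, ch, True
            quote = None if ch == quote else quote
        elif ch in '"`':
            quote = ch
            yield i, ch, True
        else:
            yield i, ch, False

def split_top_level(s):
    """Split s on commas that sit outside parentheses and quotes."""
    parts, depth, start = [], 0, 0
    for i, ch, quoted in _chars(s):
        depth += ((ch == "(") - (ch == ")")) if not quoted else 0
        if not quoted and ch == "," and depth == 0:
            parts.append(s[start:i].strip())
            start = i + 1
    return parts + [s[start:].strip()]

def _find_close(s, open_idx):
    """Index of the ')' matching the '(' at open_idx."""
    depth = 0
    for i, ch, quoted in _chars(s):
        if i >= open_idx and not quoted:
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                return i
    raise ValueError(f"unbalanced parentheses in: {s}")

def binarize(expr, hoisted, stem):
    """Rewrite every n-ary add/max/min/mul call in expr into two-argument calls;
    intermediates go to hoisted as (expression, name), named <stem>_1, <stem>_2, ..."""
    out, skip_until = [], 0
    for i, ch, quoted in _chars(expr):
        if i < skip_until:
            continue
        m = None if quoted else CALL.match(expr, i)
        if m and (i == 0 or not (expr[i - 1].isalnum() or expr[i - 1] == "_")):
            op, close = m.group(1), _find_close(expr, m.end() - 1)
            args = [binarize(a, hoisted, stem) for a in split_top_level(expr[m.end():close])]
            while len(args) > 2:  # fold from the left, as the page's workaround does
                name = f"{stem}_{len(hoisted) + 1}"
                hoisted.append((f"{op}({args[0]}, {args[1]})", name))
                args = [name] + args[2:]
            out.append(f"{op}({', '.join(args)})")
            skip_until = close + 1
        else:
            out.append(ch)
    return "".join(out)

def convert_select(clause):
    """Rewrite one 'select ...' line; hoisted fields are emitted before their users."""
    items, hoisted = [], []
    for item in split_top_level(clause.strip()[len("select"):]):
        m = ALIAS.match(item)
        expr, alias = (m.group(1).strip(), m.group(2)) if m else (item, None)
        stem = re.sub(r"\W+", "_", (alias or "tmp").strip("`"))
        before = len(hoisted)
        expr = binarize(expr, hoisted, stem)
        items += [f"{e} as {n}" for e, n in hoisted[before:]]
        items.append(f"{expr} as {alias}" if alias else expr)
    return "select " + ", ".join(items)

def swap_division(line):
    """Swap '\\' and '/' outside quotes and backticks in a single pass: the two
    areas use opposite symbols for integer and real division."""
    flip = {"\\": "/", "/": "\\"}
    return "".join(ch if quoted else flip.get(ch, ch) for _, ch, quoted in _chars(line))

def to_activeboards(query):
    """Search-window query -> Activeboards query(...) with both rewrites applied."""
    lines = []
    for line in query.strip().splitlines():
        if line.lstrip().startswith("select "):
            line = convert_select(line)
        lines.append(swap_division(line))
    return "query(" + "\n".join(lines) + ")"

# Constructed sample (not from the page); the uri field is assumed to exist.
SEARCH_WINDOW_QUERY = r"""from demo.ecommerce.data
where uri = "/checkout"
select add(bytesTransferred, timeTaken, statusCode) as `totalField`
select max(bytesTransferred, timeTaken, statusCode, 100) as maxField
select mul(add(timeTaken, 1, 2), bytesTransferred, 2) as weighted
select bytesTransferred \ 2 as halfBytes
select bytesTransferred / 2 as halfRealBytes"""
```

Two details matter in practice. The symbol swap is done in one pass over the characters: a pair of sequential string replacements (first `\` to `/`, then `/` to `\`) would collapse both operators into one, and skipping quoted regions keeps the `/` in a string literal or in a backticked lookup reference such as `lu/IP_list/StreetAddress` intact. The folding is left-to-right and recursive, so a nested n-ary call such as mul(add(timeTaken, 1, 2), bytesTransferred, 2) becomes three selects in dependency order, each with at most two arguments, mirroring the hand-written chains in the sections above.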