...
Test them together in Data Search
from siem.logtrust.web.activity
// Set operations on the web.activity table. Each select adds a column; later
// selects reference the aliases defined by earlier ones.
// Create a set from two fields, first with mkset(), then with the {} literal
select mkset(srcHost,params) as mkset_string
select {srcHost, params}
// Convert an array literal into a set
select [1,2,3] as array, set(array) as toset_int,
// Check whether the set is empty
isempty(mkset_string) as isemty,
// Number of elements in the set
length(mkset_string) as length,
// Does the set contain a specific item? (`->` is the "has" operator)
toset_int -> 2 as has,
// Add a value to a set with `+`
"new value" + mkset_string as add_va,
// Join a set: concatenates all the values of the set using the given separator
join(mkset_string, ",") as join_set
// Get the distinct values of a grouped field as a set (needs a group clause,
// so it is left commented out here):
// group select collectdistinct(responseLength) as responseLength_sizedistinct
...
Operation | Description | Syntax | Example | Result Value | Result Type |
---|---|---|---|---|---|
Creates an array from elements | mkarray (ele_1, … ,ele_n) | mkarray (1.33,2,3,4) mkarray ("One", "two", "Number 3") [ "One", 77 ] mkarray (domain, responseTime) | [1.33, 2, 3, 4] | array(float) array(str) array(str) array(str) | |
Creates an array by splitting a string field | split (string, string) | | [1, 2, 3, 4] | array | |
Checks if an array is empty | isempty (array) | isempty ([1, 2, 3]) isempty ([ ]) | false true | bool | |
Returns the length of an array | length (array) | length ([1, 2, 3, 4, 5, 6]) | 6 | Int | |
Checks the occurrence of a specified value in a given array | •has (array, ele) •array -> ele | has ([30, 2, 77], 77) [30, 2, 77] -> 77 | true true | bool | |
Checks the occurrence of a specified value in a given array | `in` (ele, array) ele <- array | `in` (77, [30, 2, 77]) 77 <- [30, 2, 77] | true true | bool | |
Appends some value to the end of an array | add (array, ele) | add ([30, "Peter", 77], "Ann") | [30, Peter, 77, Ann] | array(str) | |
Concatenates two arrays | add (array_1, array_2) | add ([5, "Peter", 77], [77, "Ann", 400]) | [5, Peter, 77, 77, Ann, 400] | array(str) | |
Joins the strings of a given array | join (array_str) | join ([1, "Peter", 77, 77, "Ann"]) | 1Peter7777Ann | str | |
Returns the n-th element of an array (0-based) | at (array, n) | at ([10, 20, 3.33, 40], 1) | 20 | float | |
Returns a subarray between the from and to positions of an array | at (array, from, to) | at ([10, 20, 30, 40], 1, 3) | [20, 30] | array(int) | |
Returns the index of the first occurrence of an element in an array | indexof (array, ele) | indexof ([10, 20, 3.33, 40], 3.33) | 2 | int | |
Drops null elements of a given array | dropnulls (array) | dropnulls ([3, null, 77, null]) | [3, 77] | array(int) | |
Sorts the elements of an array | sort (array) | sort ([3, 77, 30, 1]) | [1, 3, 30, 77] | array(int) | |
Reverses the elements of an array | reverse (array) | reverse ([3, 77, 30, 1]) | [1, 30, 77, 3] | array(int) | |
Sums the values of an array | sum (array) | sum([1,2,3,4]) | 10 | Int | |
...
Test them together in Data Search
from siem.logtrust.web.activity
// Array operations on the web.activity table
// Create an array: mkarray() takes values of mixed types, [] is the array literal
select mkarray(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as array1
select ["hi", "i_am_in_a_set"] as array2
// Convert a set to an array
select {serverPort, srcPort} as set1
select array(set1) as array3
// Check the occurrence of a value in an array (`in` and `->` both test membership)
select "hi" in array2
select array2 -> "hi"
// Length of an array
select length(array2)
// Append a value with `+`
select array2 + "example" as array_with_example
// Drop null elements
select dropnulls(array2) as array_without_nulls
// Reverse an array; reverse() also accepts a string, which is treated as an array
select reverse(array2) as array_reversed
select reverse("hello") as _treat_strings_as_arrays
// Sum the values of a numeric array
select sum([1,5,8]) as _14
...
Test them together in Data Search
from siem.logtrust.web.activity
// Tuple operations and sub-queries on the web.activity table
// Create a tuple holding values of different types, with mktuple() or the () literal
select mktuple(username, ip4(srcHost), mm2coordinates(ip4(srcHost)), true) as tuple
select (username ,srcPort, ip4(srcHost), true) as tuple2
// Access tuple items by position: [0] is the first item, [-1] the last,
// and at() takes a 0-based index
select tuple[0] as first_item_from_tuple
select tuple[-1] as last_item_from_tuple_
select at(tuple,0) as first_item_from_tuple2
// SUB-QUERY: does this row's srcHost occur in another table during the same period of time?
select (from siem.logtrust.web.navigation group by srcHost select srcHost) -> srcHost as _ip_occurrence_in_another_table
// SUB-QUERY: look up the "origin" field in another table, matching by user email (indexed with username)
select (from siem.logtrust.web.navigation group by userEmail, origin)[username] as userInSubq
// SUB-QUERY: return the tuple (userEmail, count()) from another table, matching by the tuple (email, level)
select (from siem.logtrust.web.navigation group by userEmail, level select userEmail, count())[username, level] as match
// Each item can be filtered according to its underlying data type.
// NOTE(review): tuple[-1] is the boolean `true` from the mktuple() above, while
// the ip4 is at tuple[1]; confirm which position this filter is meant to test.
where tuple[0] -> "@"
where tuple[-1] not in (ip4(95.63.39.51))
...
Test them together in Data Search
from siem.logtrust.web.activity
// JSON operations on the web.activity table
// Create a JSON object by parsing a string literal
select jsonparse("{\"str\": \"hi\", \"int\": 1}") as json
// Extract a property value. Indexing the JSON directly, i.e.
//   select json["int"] as extract_int
// doesn't work in Data Search at the moment; use a compiled jq expression instead
select jqeval(jqcompile(".int"), json) as extract_int_alt
// Convert a JSON value to a string
select stringify(json) as json_to_strinc
// Determine the data type of a JSON value
select label(jqeval(jqcompile(".int"), json)) as int_type