...
To inject data into a new table, you need a role with the Manage version of the my.app injections permission (Administration → Roles → Permissions tab; learn more about permissions here).
With only the View version, you can view those tables but cannot inject data yourself.
...
Create injections
To perform a data injection:
Go to Data Search and open the table you want to use as the source for your injection. Apply the desired operations (filters, new columns, etc.) to get only the data you want to inject into the new table. There are some things to consider about grouping events and hiding columns when building your query (see the Special considerations section below).
Click the gear icon options menu in the table toolbar and select New → Injection into my.app.
Fill the required fields in the New injection into my.app window (see the window below).
Click Save when you're done.
...
Tables where you injected data always have a column named sourceTable that indicates the source table of each event. This information is important when you create a my.app table and inject data from several tables. Learn more about this in the following section.
...
Inject data from several tables
...
For example, the capture below shows an injection table with data from the demo.ecommerce.data and siem.logtrust.web.activity tables. In this case, the column bytesTransferred comes from the demo.ecommerce.data table, and the column domain belongs to the siem.logtrust.web.activity table. Checking the sourceTable column, you can see from which table the events come, and the bytesTransferred and domain columns show null if the column does not exist in the source table.
...
Coinciding column name
If two or more of the tables used to generate the injection table have a column with the same name, two things may occur:
If the data type of the columns with the same name is not the same, you will get an error message and the injection will not be created unless you perform the necessary transformations to either make the data types coincide (columns merged) or make the column names differ (separate columns).
If the data type of the columns with the same name is the same, they will be merged into a single column. In the following capture, both the demo.ecommerce.data and siem.logtrust.web.activity tables have a column named method and its data type is string in both tables.
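The merge rules from the two sections above, modelled as an added Python example (not Devo code and not part of the original page). The function names and the type labels are assumptions made for illustration; only the table names, the column names and the string type of method come from the page.

```python
"""Model of the multi-table merge rules described above (illustration only)."""

# Constructed sample schemas. Table and column names are from the page; the
# type labels are assumptions, except that the page says method is a string.
SOURCES = {
    "demo.ecommerce.data": {"bytesTransferred": "int", "method": "string"},
    "siem.logtrust.web.activity": {"domain": "string", "method": "string"},
}


class ColumnTypeConflict(ValueError):
    """A column name appears in two source tables with different data types."""


def merged_schema(sources):
    """Return {column: type} for the injection table; raise on a type clash."""
    schema = {"sourceTable": "string"}  # always present; its type is assumed
    origin = {"sourceTable": "(injection)"}
    for table, columns in sources.items():
        for name, dtype in columns.items():
            if name in schema and schema[name] != dtype:
                raise ColumnTypeConflict(
                    f"{name!r}: {schema[name]} in {origin[name]} vs {dtype} in {table}; "
                    "cast to one type or rename the column in one query"
                )
            schema.setdefault(name, dtype)
            origin.setdefault(name, table)
    return schema


def inject(sources, events):
    """Project (table, event) pairs onto the merged schema, null-filling gaps."""
    schema = merged_schema(sources)
    rows = []
    for table, event in events:
        row = {column: event.get(column) for column in schema}
        row["sourceTable"] = table
        rows.append(row)
    return rows


if __name__ == "__main__":
    sample = [  # constructed events
        ("demo.ecommerce.data", {"bytesTransferred": 512, "method": "GET"}),
        ("siem.logtrust.web.activity", {"domain": "example.com", "method": "POST"}),
    ]
    for row in inject(SOURCES, sample):
        print(row)
```

Running the schema check over your source queries before you create the injections shows which same-named columns will be merged and which will block the injection.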
...
Special considerations
...
Real-time | Data injections are done in real-time. This means that you cannot inject data already in memory; only events that are currently streaming to your Devo domain. The data flow will start from the moment the injection is created. |
---|---|
Group events | If your source query groups events, they must be grouped by time and more than one key to be used for data injection. |
Hide and show columns | Be aware that only columns shown on the table will be injected, so make sure you hide those columns you want to exclude from the injection and show those you want to include. However, there are two exceptions to this.
|
Alerts | It is not possible to create alerts in tables with injected data. The New Alert Definition button will not appear on the search window toolbar when accessing these tables. (Confirm this when the functionality is implemented) Alerts created on tables that have been injected with data from another table (my.app tables) will not work as expected, so you must not create them. |
Reinjecting injected data | After injecting data into a different domain, you can reinject it to a new table in the same domain. However, choosing a different domain is not possible. |
Separate injections | When you inject data from several tables, each of the injections defined will be saved separately in the Injections tab of the Data Management area, so you must name them differently. The only thing that must match is the name of the |
...