Versions Compared

Old Version 5

changes.mady.by.user Sarah Bigault

Saved on

compared with

New Version Current

changes.mady.by.user Borja Moro Moreno

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
typeflat

...

How does it work in the search window?

Select Create field in the search window toolbar, then select the Conditional operation. You need to specify three arguments:

Argument

Description

Data type

if mandatory

Boolean field that will be used as the base of your condition.

boolean

then mandatory

The value you specify here will be returned if the value of the Boolean field is true.

Any

else mandatory

The value you specify here will be returned if the value of the Boolean field is false.

Same than or compatible with the data type selected in then (for example, integer and float are compatible types)

The data type of the output values depends on the types selected in the then and else arguments.

Example

In the siem.logtrust.web.activity table, we want to add a field that shows the string Delayed response when the values in our responseTime field are above 1, and Timely response when they are 1 or below. To do this, we will create a new field using the Conditional operation but first, we need to create a Boolean field that detects delayed responses (above 1)..

...

The first step is creating a Boolean field that shows true when the numbers in the responseTime field are above 1, and false when they are 1 or below. To do this, we will add a new field using the greater than operation. Fill the arguments as follows, and enter a name for the field (responseTime>1):

...

Step 2: Create a new field using the Conditional operation

Select Create field on the query toolbar, then select Conditional as the operation. Fill the arguments as follows, and enter a name for the field (responseTimeDuration):

...

  • ifthenelse(boolean, value1_true, value2_false)

Example

You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity  table. 

Code Block
from siem.logtrust.web.activity
  select responseTime > 1 as `responseTime>1`,
    ifthenelse(`responseTime>1`, "Delayed response", "Timely response") as responseTimeFrame