Due to architectural differences, LINQ syntax differs in some respects between Activeboards and the search window. Therefore, keep in mind that copying a LINQ query from the search window and pasting it into an Activeboard widget, or vice versa, might not work. Before examining the differences explained below, see Build a query using LINQ for the standard procedures when working with LINQ.
Tip
You don't need to transform your search window queries if you use the My last search queries and My favorite search queries boxes in the Data menu of the Activeboards area. They will be automatically transformed into the required format and will be added as aggregation tasks when required.
Addition, sum, plus / Concatenation (add, +) operations
When you use this operation in the Data Search, you can add as many arguments as needed (where applicable). In Activeboards, however, the number of arguments is limited to two.
As a workaround, you can perform subsequent adding operations until you have added all the arguments you need.
Search window | Activeboards |
---|---|
Syntax: Create field: Query example: from demo.ecommerce.data select add(bytesTransferred, timeTaken, statusCode) as `totalField` | Syntax: Create field: Query example: query(from demo.ecommerce.data select add(bytesTransferred, timeTaken) as totalFieldA, add(totalFieldA, statusCode) as totalFieldFinal) |
Related articles: Addition, sum, plus / Concatenation (add, +)
Comparison operations
Operations in the detection group that compare elements (such as equal, greater than, less than, etc.) are written slightly differently when a query moves between the search window and Activeboards. In general, both constructions work in both areas, but each area uses one of them as the default. This can create confusion because queries are automatically transformed in several processes when they are brought from one place to the other. The preferred syntax for each area, both to filter and to create a field, is shown here:
Search window | Activeboards |
---|---|
Syntax: Create field: Query example: from demo.ecommerce.data where method = "POST" select timeTaken >= bytesTransferred | Syntax: Create field: Query example: query(from demo.ecommerce.data where eq(method, "POST") select ge(timeTaken, bytesTransferred)) |
Related articles: Detection group
Lookup operations
Queries that use lookup operations have some particularities that make them incompatible between the search window and Activeboards. The symbols used are different, and the domain name is required in one of them.
Search window | Activeboards |
---|---|
Syntax: Query example: from demo.ecommerce.data select `lu/IP_list/StreetAddress`(clientIpAddress) as `IP street address` | Syntax: Query example: query(from demo.ecommerce.data select lu("IP_list", "StreetAddress", clientIpAddress) as `IP street address`) |
Related article: Data enrichment
Maximum (max) operations → create field
When you use this operation in the Data Search to create a new field, you can add as many arguments as needed. In Activeboards, however, the number of arguments is limited to two.
As a workaround, you can perform subsequent maximum operations until you have obtained the maximum of all the arguments you need.
Search window | Activeboards |
---|---|
Syntax: Create field: Query example: from demo.ecommerce.data select max(bytesTransferred, timeTaken, statusCode) as `maxField` | Syntax: Create field: Query example: query(from demo.ecommerce.data select max(bytesTransferred, timeTaken) as maxFieldA, max(maxFieldA, statusCode) as maxFieldTotal) |
Related articles: Maximum (max)
Minimum (min) operations → create field
When you use this operation in the Data Search to create a new field, you can add as many arguments as needed. In Activeboards, however, the number of arguments is limited to two.
As a workaround, you can perform subsequent minimum operations until you have obtained the minimum of all the arguments you need.
Search window | Activeboards |
---|---|
Syntax: Create field: Query example: from demo.ecommerce.data select min(bytesTransferred, timeTaken, statusCode) as `minField` | Syntax: Create field: Query example: query(from demo.ecommerce.data select min(bytesTransferred, timeTaken) as minFieldA, min(minFieldA, statusCode) as minFieldTotal) |
Related articles: Minimum (min)
Mlevalmodel operation
The mlevalmodel operation is not supported in the search window. Use this operation in Activeboards when you want to work with models you uploaded in Model Management.
Search window | Activeboards |
---|---|
| Query examples: from "datatable" select "fields", mlevalmodel("domain", "ModelName", "ModelFields") as "NameNewField" Example: from demo.ecommerce.data select split(referralUri, "/",2) as domain, float(length(domain)) as length, shannonentropy(domain) as entropy, float(countbyfilter(domain, "aeiuoAEIOU")) as p_vowels, mlevalmodel("self", "example_test", length, entropy, p_vowels) as prob, ifthenelse(prob>0.8, "dga", "legit") as type |
Related article: Model Management
Multiplication, product (mul, *) operations
When you use this operation in the Data Search, you can add as many arguments as needed. In Activeboards, however, the number of arguments is limited to two.
As a workaround, you can perform subsequent multiplication operations until you have multiplied all the arguments you need.
Search window | Activeboards |
---|---|
Syntax: Create field: Query example: from demo.ecommerce.data select mul(bytesTransferred, timeTaken, statusCode) as `resultField` | Syntax: Create field: Query example: query(from demo.ecommerce.data select mul(bytesTransferred, timeTaken) as resultFieldA, mul(resultFieldA, statusCode) as resultFieldTotal) |
Related articles: Multiplication, product (mul, *)
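The two-argument workaround for add, max, min and mul and the lookup rewrite described above can be applied mechanically when moving saved detection queries into Activeboard widgets. The Python helper below is an added example, not Devo code: the function names and the intermediate alias scheme (`<alias>_1`, `<alias>_2`, ...) are assumptions, and it only rewrites calls whose arguments are plain fields or literals without nested calls or embedded commas.

```python
import re

# Operations this page lists as limited to two arguments in Activeboards.
NARY = re.compile(r"\b(add|max|min|mul)\(([^()]*)\)\s+as\s+(`[^`]+`|\w+)")
# Search-window lookup form: `lu/<lookup>/<column>`(key)
LOOKUP = re.compile(r"`lu/([^/`]+)/([^/`]+)`\(")


def _chain(match):
    """Rewrite op(a, b, c, ...) as alias into chained two-argument calls."""
    op, alias = match.group(1), match.group(3)
    args = [a.strip() for a in match.group(2).split(",")]
    if len(args) <= 2:
        return match.group(0)  # already valid in Activeboards
    # Intermediate alias names are this example's choice, not a Devo convention.
    base = re.sub(r"\W", "_", alias.strip("`"))
    steps, left = [], args[0]
    for i, right in enumerate(args[1:], start=1):
        name = alias if i == len(args) - 1 else f"{base}_{i}"
        steps.append(f"{op}({left}, {right}) as {name}")
        left = name  # feed the partial result into the next call
    return ", ".join(steps)


def to_activeboards(query):
    """Convert a search-window query to the Activeboards form shown on this page."""
    q = NARY.sub(_chain, query.strip())
    q = LOOKUP.sub(lambda m: f'lu("{m.group(1)}", "{m.group(2)}", ', q)
    return f"query({q})"


if __name__ == "__main__":
    # First two queries come from the tables above; the third is constructed.
    samples = [
        "from demo.ecommerce.data select add(bytesTransferred, timeTaken, statusCode) as `totalField`",
        "from demo.ecommerce.data select `lu/IP_list/StreetAddress`(clientIpAddress) as `IP street address`",
        "from demo.ecommerce.data select mul(bytesTransferred, timeTaken, statusCode, 2) as total",
    ]
    for s in samples:
        print(to_activeboards(s))
```

Comparison operators are left untouched because, as noted above, both the infix and the function forms work in both areas.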