This operator applies a filter to the list. The filter may be templated, in which case the template is instantiated once per row from the parent table using the values from that row as needed, and the resulting expression is used to filter the list.
Operator Usage in Easy Mode
- Click + on the Start node.
Note: Query from List is a datasource and therefore can be added under Start only. - Enter the Query from List operator in the search field and select the operator from the Results to open the operator form.
- In the Name drop-down, enter or select the name of a list to load the data from.
- In the Filter field, enter a value in the AND or OR operators.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.
Usage Details
LQL Command
queryFromList(list_name, filter, input_table)
Input Parameters:
list_name
: The name of the list. This is a string.
input_table
: Name of the input table. The table should not have more than 500 rows.
filter
: This is a templatized string for the WHERE clause of an SQL statement. When this SQL clause is evaluated to true for an entry in the list, the entry will be in the result. An example of the filter syntax is this: "ip = '$ip_addr'"
. Here, the filter specifies that it will get the value from the ip_addr
column from the input table and compose a WHERE clause fragment with it. For example ip = '172.217.14.23'
for the row of the input table where the column ip_addr
has the value '172.217.14.23'. The output of this operator are all the entries from the list that match any of these WHERE clauses.
Putting this example in the syntax of the LQL would read like this:
Example
queryFromList("suspicious_hosts", "ip = '$ip_addr'", bad_ips)
In this example, table bad_ips
is has the ip_addr
column, and we use that value to build the filter.