Selecting specific fields in LINQ
To get going, open Data search → Explore your data and click on the Free text query option (see Run a LINQ free text query for more info). Here, you can build your query using LINQ (see Build a query using LINQ for more info).
Choosing fields
Enter from and the table name, followed by select and the fields you want to appear. If needed, remember that you may add a new name to the field using the operator as. The fields will only appear in the search window under their new names.
from table
select field1 as name
select field2 as name
Select all fields option
Uncheck this box in the bottom right of the query if you only want to show the selected fields. This option is activated by default and will display all of the table's fields in the search window, regardless of the fields you select to display.
If you don't know the field names, or the table has a large number of fields, click on the Show table fields button and the list of fields will appear on the right. Use the filter to search for the names of the fields if you cannot see them at a glance. Clicking on the headings Name and Type will organize them into their respective alphabetical order.
Also, the LINQ smart editor will show you the names of the fields that match as you type. Learn more about how to write queries using the LINQ syntax in Build a query using LINQ.
Below you can see that, having unchecked Select all fields, only the selected fields are displayed, which in this case are eventdate, domain, method, and sessionid.
Once the table is open, you can still modify the query to include tables you did not include earlier or exclude them in case you do not need them. All you need to do is open the Query code editor and use the above syntax. As in the Free text query, you can click on the Show table fields button to see all of the available fields in the data table.
Operations using the Free text query
Devo allows you to run operations directly from the Free text query, with the process functioning just like selecting specific fields in LINQ as detailed above.
from table
select operation (field)
You can run multiple operations at once but the data returned cannot be used for further operations, such as alerts, etc.
Select all fields option
Uncheck this box in the bottom right if you only want to return the results of the operations; otherwise, they will be added to new fields at the end of the table.
Duplicating fields
Leaving the Select all fields option activated while simultaneously selecting specific fields will result in all of the table's fields being displayed, with the selected ones being duplicated at the end of the other fields. This function can be useful if you wish to duplicate the information contained in a certain field and display it under a different name. In that case, you can enter the following free text query:
from table
select field1 as name
select field2 as name
The original fields will still be displayed but the duplicates, under their new names, will appear near the very end of the query. In this example, we again use the table siem.logtrust.web.activity and want to rename the eventdate field as when and the method field as how. We leave Select all fields activated.
Change fields shown in an open search
If you open a data table using the Finder option without selecting any fields, then all of the fields are shown in the search window. Therefore, if you later select a field using the Query code editor, this simply creates a duplicate, which is added at the end of the other fields. You can use this function as above to duplicate existing fields and give them new names.