
Inject data to a new table

Overview

Please note that using data injections may entail an extra charge to your usual Devo subscription fee.

Data injections allow you to create a new table using data from an already existing table. You can modify and enrich the data as required, inject only the necessary information into the new table, and even send it to a different domain.

Data injection may be used, for example, to create a table including only the data you need to work with from a very large table. Tables where data is injected always start with my.app and will include data from the moment you created the injection. Learn more in Special Devo tags.

Data injections are done in real-time. This means that you cannot inject data already in memory, only events that are currently streaming to your Devo domain. The data flow will start from the moment the injection is created.

What permissions do I need?

In order to inject data into a new table, you need to have a role with management permissions on my.app injections (Administration → Roles → Permissions tab).

With only the view version of this permission, you can view those tables but cannot inject data yourself.

Create injections

To perform a data injection:

  1. Go to Data Search and open the table you want to use as the source for your injection. Apply the desired operations (filters, new columns, etc.) to get only the data you want to inject into the new table. There are some things you need to consider about grouping events and hiding columns when building your query (see special considerations section below).

  2. Click the gear icon in the table toolbar and select New → Injection into my.app.

  3. Fill the required fields in the New injection into my.app window (see the window below).

  4. Click Save when you're done.

New injection into my.app window

Name

Enter a name for the data injection. Special characters are not allowed.

Description

Enter an optional description for the data injection.

my.app.

Decide the tag for the new table that will contain the injected data. The first two levels are always my.app. They must begin with a letter and not include spaces or special characters.

Send to other domain

Check this box to send the injected data to a different domain. Once you inject data into a different domain, reinjecting that data is subject to some restrictions (see special considerations section below).

  • A domain owned by me - Select one from the list of domains your user belongs to.

  • External domain - Enter the domain name and API key of a domain your user does not belong to.

Check injected tables

After the injection has been performed, go to Data Search and select my → app in the finder to access all the tables where you injected data. This kind of table has some restrictions regarding alerts (see special considerations section below).

Tables where you injected data always have a column named sourceTable that indicates the source table of each event. This information is important when you create a my.app table and inject data from several tables. Learn more about this in the following section.

Inject data from several tables

You can use the data from different tables in your domain and inject it into a single my.app table.

To do this, access one of the tables you want to use, prepare the data as required and inject it into a my.app table following the process explained above. Then, access the rest of the tables you want to use and repeat the process, indicating the same my.app tag levels entered in the first one. The different injections performed will be considered separately (see special considerations section below).

In the my.app table generated, the table from which each event comes will be indicated in the sourceTable column. The table will include all the columns from the source tables added, and they will show null for events that come from tables where the column does not exist.

For example, the capture below shows an injection table with data from the demo.ecommerce.data and siem.logtrust.web.activity tables. In this case, the column bytesTransferred comes from the demo.ecommerce.data table, and the column domain belongs to the siem.logtrust.web.activity table. Checking the sourceTable column, you can see from which table the events come, and the bytesTransferred and domain columns show null if the column does not exist in the source table.

Coinciding column name

If two or more of the tables used to generate the injection table have a column with the same name, two things may occur:

  • If the data type of the columns with the same name is not the same, you will get an error message and the injection will not be created unless you perform the necessary transformations to either make the data types coincide (columns merged) or make the column names differ (separate columns).

  • If the data type of the columns with the same name is the same, they will be merged in a single column. In the following capture, both the demo.ecommerce.data and siem.logtrust.web.activity tables have a column named method and its data type is string in both tables.
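The merge rules above can be checked before a second injection is pointed at an existing my.app table. The following Python code is an added example, not Devo code and not part of the original page: it models the rules stated here (same name and same type merge, same name and different type is refused, missing columns show null, sourceTable records the origin). The function names, the type name int and the sample rows are assumptions made for illustration.

```python
# Added example: models the merge rules stated on this page; it calls no Devo API.
# Type names other than "string" and all sample rows are constructed.

SOURCE_COLUMN = "sourceTable"  # column the page says every injected table has


def merged_schema(sources):
    """sources maps table name -> {column name: data type} for the shown,
    named columns of each source query. Returns the merged column -> type
    map, or raises ValueError where the page says the injection is refused."""
    merged, first_seen = {}, {}
    for table, columns in sources.items():
        for name, dtype in columns.items():
            if name in merged and merged[name] != dtype:
                raise ValueError(
                    f"column {name!r}: {first_seen[name]} has {merged[name]}, "
                    f"{table} has {dtype}; cast or rename one of them"
                )
            merged.setdefault(name, dtype)
            first_seen.setdefault(name, table)
    return merged


def shape_events(sources, events):
    """events is a list of (source table, row dict). Returns rows as they
    would appear in the shared my.app table: every merged column present,
    None (null) where the source table lacks it, plus sourceTable."""
    schema = merged_schema(sources)
    rows = []
    for table, row in events:
        shaped = {col: row.get(col) for col in schema}
        shaped[SOURCE_COLUMN] = table
        rows.append(shaped)
    return rows


SOURCES = {  # constructed schemas; only method being string is from the page
    "demo.ecommerce.data": {"method": "string", "bytesTransferred": "int"},
    "siem.logtrust.web.activity": {"method": "string", "domain": "string"},
}
EVENTS = [  # constructed sample events
    ("demo.ecommerce.data", {"method": "GET", "bytesTransferred": 512}),
    ("siem.logtrust.web.activity", {"method": "POST", "domain": "example"}),
]

if __name__ == "__main__":
    for r in shape_events(SOURCES, EVENTS):
        print(r)
```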

Special considerations

Injections are complex processes with a number of particularities in how they are defined and executed:

Real-time

Data injections are done in real-time. This means that you cannot inject data already in memory, only events that are currently streaming to your Devo domain. The data flow will start from the moment the injection is created.

Group events

If your source query groups events, they must be grouped by time and more than one key to be used for data injection.

Hide and show columns

Be aware that only columns shown on the table will be injected, so make sure you hide those columns you want to exclude from the injection and show those you want to include. However, there are two exceptions to this.

  • Columns added to the table without assigning them a name will be ignored, even if they are shown. For example:
    select duration(responseTime) → will not be injected
    select duration(responseTime) as duration → will be injected

  • If the table contains columns labeled as extra, they will not be injected unless you rename them. To know more about this type of column, check the following article: Selecting unrevealed columns.

Alerts

Alerts created on tables that have been injected with data from another table (my.app tables) will not work as expected, so you must not create them.

Reinjecting injected data

After injecting data into a different domain, you can reinject it to a new table in the same domain. However, choosing a different domain is not possible.

Separate injections

When you inject data from several tables, each of the injections defined will be saved separately in the Injections tab of the Data Management area, so you must name them differently. The only thing that must match is the name of the my.app table that will store the injected data.

Manage injections

After injections are created, they appear in the Injections tab of the Administration → Data management area. Check the Injections section to learn how to manage them.