
Devo Last Event Date

Description

This unit is a Source unit type.

The Devo Last Event Date unit finds the date of the latest event in a specified Devo table and appends it to the input event in the field set in the properties.

Once an event enters through the in port, the query specified in the properties is issued.

Events are output through the data port, with the date of the last record in the table added to the event in the field indicated in the configuration.

If an error occurs, the events are enriched with standard error fields and sent to the error output port.

Configuration

After dragging this unit into the Flow canvas, double-click it to access its configuration options. The following table describes the configuration options of this unit:

| Tab | Field | Description |
|---|---|---|
| General | Name | Enter a name for the unit. It must start with a letter, and cannot contain spaces. Only letters, numbers, and underscores are allowed. |
| | Description | Enter a description detailing the scope of the unit. |
| | Table name | Enter the name of the table to be consulted in Devo. |
| | Column name | Enter a name for the output event field containing the last event date. |
| | Lookback period | The interval of how far back in time to search. The lookback can be performed from a minimum of 600,000 milliseconds (10 minutes) and a maximum of 10 days. |

Input ports

| Port | Description |
|---|---|
| in | All input events enter via this port. |

Output ports

| Port | Description |
|---|---|
| data | This port outputs events enriched with a field containing the last date found. |
| error | This port outputs events that generated an error when evaluated against the expression. Standard error fields (error, exception) are added to the output events. |

Example

In this example, we want to send an event every ten seconds to the Devo Last Event Date unit to show how the time of this last event is inserted into a specified data table in Devo.

To do this, we will add a Scheduler unit that will send events to the table every ten seconds.

Then, we will define the destination table using the Devo Last Event Date unit as siem.logrust.web.activity.

Link the out port of the Scheduler unit to the in port of the Devo Last Event Date unit.

Download this example

You can try this flow by downloading the following JSON file and uploading it to your domain using the Import option: