Is in (`in`, <-)
- Juan Tomás Alonso Nieto (Deactivated)
Description
You can apply this operation either as a Filter or Create column operation:
Filter | Checks for the presence of one or more values in a given string. The filter will identify those strings containing at least one of the indicated values. You can also use this operation to filter IPv4 or IPv6 addresses that belong to a specific net, using CIDR notation. |
|---|---|
Create column | Adds a new Boolean column that shows true only for those strings that contain at least one of the indicated values. You can also use this operation to create a new column that shows true for IPv4 or IPv6 addresses that belong to a specific net, using CIDR notation. |
This operation is case sensitive. Use the Is in - case insensitive (weakin) operation if you need to apply this filter ignoring case.
How does it work in the search window?
Select Filter / Create column in the search window toolbar, then select the Is in operation. This operation requires at least two arguments:
Value and is in if you select string values. Optionally, you can add as many or also arguments as you need.
IP and in net if you select an ip field and a net4 field, or enter it manually. Nets in the selected field or entered manually must follow the format x.x.x.x/s (CIDR).
Argument | Data type |
|---|---|
Value / IP mandatory | string / ip / ip6 |
is in / in net mandatory | string / net4 / net6 |
or also | string |
If you use the Create column operation, the data type of the values in the new column is boolean (true or false).
You can also use the Contains (has, ->) operation to check for the presence of values in a given string, the only difference is the order of the arguments. The Is in operation requires you to first indicate the value(s) to check and then the general string (value IS IN string), and the Contains operation works the other way around (string CONTAINS value).
Example
In the demo.ecommerce.data table, we want to get only the events that contain the word product, screen or both in the uri column. To do it, we will apply a Filter using the Is in operation.
The arguments needed for the filter are:
Value - Click the pencil icon and enter product
or also - Click the pencil icon and enter screen
is in - uri column
Click Filter data and you will see the following result:
Click Create column and follow the same steps to add a new Boolean column that shows true when the strings in the uri column contain product, screen or both.
How does it work in LINQ?
Use the operator where... to apply the Filter operation and select... as... to apply the Create column operation. These are the valid formats of the Is in operation:
string_value <- string_general
Note that this format does not admit more than two arguments. Use the format below if you need to add several arguments.`in`(string_value1, string_value2... string_general)ip <- net4`in`(ip, net4)
Example
You can copy the following LINQ scripts and try the above example on the demo.ecommerce.data table:
from demo.ecommerce.data
where `in`("product", "screen", uri)And this is the same example using the Create column operation:
from demo.ecommerce.data
select `in`("product", "screen", uri) as product_screen_uriYou can also apply this operation using the <- operator. However, this syntax does not admit more than two arguments, so you can only add a value to be searched in the selected field. In the following examples, we want to detect events containing product in the uri column:
from demo.ecommerce.data
where "product" <- uriAdditional LINQ examples
The following queries use the Is in operation to get the IP addresses in the clientIpAddress column that belong to the net 48.126.91.0/24  Both syntaxes are valid.