Make map (mkmap)
- Sarah Bigault (Deactivated)
Description
Creates a map from given keys and values.
How does it work in the search window?
Select Create field in the search window toolbar, then select the Make map operation. You need to specify at two arguments:
Argument | Data type |
|---|---|
Key mandatory | Any |
Valuemandatory | Any |
The data type of the values in the new field is map.
Example
In the siem.logtrust.web.activity table, we want to transform the integer values in the SrcPort and Server port fields into a map. To do this, we will create a new field using the Make map operation. Let's call the new field map.
The arguments needed to create the new field are:
Key - SrcPort
value - Server port
Click Create field and you will see the following result:
How does it work in LINQ?
Use the operator select... as... and add the operation syntax to create the new field.
This is the syntax for the Make map operation.
Use:
{1:"a",2:"b"} === mkmap(1,"a",2,"b")
{"b":7,"c":6,"a":5} === mkmap("b",7,"c",6,"a",5)
{:} === mkmap()
{1:null,2:"b",null:"c"} === mkmap(1,null,2,"b",null,"c")Example
You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table. Keep in mind that you must download and upload the file provided before to your Devo domain.
from siem.logtrust.web.activity
select {srcPort: serverPort} as map