Bag (bag)
Description
This operation returns a map whose keys are the distinct elements of the given array and whose values are the number of times each element occurs.
How does it work in the search window?
Select Create field in the search window toolbar, then select the Bag operation. You need to specify at least one argument:
Argument | Data type |
---|---|
Array (mandatory) | Array(str). Use the Make Array (mkarray) operation to convert a field to the array data type. |
The data type of the values in the new field is map.
Example
In the siem.logtrust.web.activity table, we want to transform the integer values in the params field into an array so that we can later use the Bag operation on it.
To do this, we first use the Make Array operation to convert the params field to the array data type.
Now we can use this array to create a new field using the Bag operation.
The arguments needed to create the new field are:
Array - Array
Click Create field and you will see the following result:
How does it work in LINQ?
Use the operator select... as... and add the operation syntax to create the new field.
This is the syntax for the Bag operation.
Use:
bag([5,3,7,2,4,1,6]) === {1:1,2:1,3:1,4:1,5:1,6:1,7:1}
bag(["c","g","b","e","a","f","d"]) === {"a":1,"b":1,"c":1,"d":1,"e":1,"f":1,"g":1}
bag([0,1,1,0,1,0,0]) === {0:4, 1:3}
bag([1,null,2,null,3]) === {null:2, 1:1, 2:1, 3:1}
Example
You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table. Keep in mind that you must first download the file provided earlier and upload it to your Devo domain.
from siem.logtrust.web.activity
select [params] as Array,
bag(Array) as Bag