At (at)

Description

Extracts content from complex types by treating the data as a function.

How does it work in the search window?

Select Create field in the search window toolbar, then select the At operation. You need to specify the following arguments:

Argument             Data type
Tuple (mandatory)    tuple, array, map, or json
at (mandatory)       integer; string (only if Tuple is a json)
final                integer (only if Tuple is an array)

If the first argument is a tuple, the value of at is the element of the first argument at the position given by the second argument, using a zero-indexed integer.

If the first argument is an array, the value of at is a subarray of the first argument beginning at the position given by the second argument, using a zero-indexed integer. If the third argument (final) is omitted, only the single element at that position is returned instead of an array.

If the first argument is a map, at evaluates the map using the second argument as a key.

If the first argument is a json, the value of at is a json:

  • The value of the JSON object with a key equal to the second argument, or

  • The value of the JSON array element at the position given by the second argument, using a zero-indexed integer.
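The four cases above (tuple, array, map, and json) are easier to keep apart with a small reference model in hand. The following Python is an added illustration written for this page, not Devo's implementation of `at`: it reproduces the documented semantics for each input kind, including the array rule that a single element (not an array) comes back when the third argument is omitted. The `Json` wrapper and `jsonparse` stand in for Devo's parsed-JSON type so that a json result can be distinguished from a plain list or map; treating the third argument as an exclusive end position is an assumption, since the page does not say whether it is inclusive.

```python
import json
from dataclasses import dataclass
from typing import Any, List, Optional, Union


@dataclass(frozen=True)
class Json:
    """Stand-in for the value jsonparse() yields: a parsed JSON document (assumption)."""
    value: Any


def jsonparse(text: str) -> Json:
    """Model of jsonparse(): parse a JSON string into a Json value."""
    return Json(json.loads(text))


def _check_index(key: Any, what: str) -> int:
    """Positions are zero-indexed, non-negative integers; reject anything else."""
    if isinstance(key, bool) or not isinstance(key, int):
        raise TypeError(f"at: a {what} is indexed by a zero-indexed integer")
    if key < 0:
        raise IndexError(f"at: negative position {key} is not valid for a {what}")
    return key


def at(data: Any, key: Union[int, str], final: Optional[int] = None) -> Any:
    """Reference model of the documented `at` semantics (added example)."""
    # tuple: element at the given zero-indexed position
    if isinstance(data, tuple):
        return data[_check_index(key, "tuple")]

    # array: a single element when final is omitted, otherwise a subarray
    if isinstance(data, list):
        start = _check_index(key, "array")
        if final is None:
            return data[start]
        end = _check_index(final, "array")
        return data[start:end]  # ASSUMPTION: final is an exclusive end position

    # map: the second argument is used as the key
    if isinstance(data, dict):
        return data[key]

    # json: result is again a json (object lookup by key, array lookup by position)
    if isinstance(data, Json):
        inner = data.value
        if isinstance(inner, dict):
            if not isinstance(key, str):
                raise TypeError("at: a JSON object is indexed by a string key")
            return Json(inner[key])
        if isinstance(inner, list):
            return Json(inner[_check_index(key, "JSON array")])
        raise TypeError("at: a JSON scalar has no elements to extract")

    raise TypeError(f"at: unsupported first argument of type {type(data).__name__}")


def demo() -> dict:
    """Run the four cases on constructed sample values (not real table data)."""
    ports = (51234, 443)                         # constructed (srcPort, serverPort) tuple
    path = ["api", "v1", "users", "42"]          # constructed array of URL path segments
    request = {"method": "GET", "status": 200}   # constructed map
    doc = jsonparse('{"p": [1, 2, 3]}')          # the JSON document used on this page
    return {
        "tuple_second": at(ports, 1),            # 443
        "array_single": at(path, 2),             # "users" (no final: one element)
        "array_slice": at(path, 1, 3),           # ["v1", "users"] (with final: subarray)
        "map_key": at(request, "status"),        # 200
        "json_key": at(doc, "p"),                # Json([1, 2, 3])
        "json_chain": at(at(doc, "p"), 0),       # Json(1): result of at on json is a json
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Chaining `at` on a json value, as in `json_chain`, is the model's way of walking `{"p": [1, 2, 3]}` down to a single element; the wrapper makes it explicit that each step still returns a json rather than a native list or number.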

Example

In the siem.logtrust.web.activity table, we want to extract the second element of a tuple we’ve generated using the Make tuple operation. To do this, we will create a new field using the At operation. Let's call the new field Tuple1.

The arguments needed to create the new field are:

  • Tuple - Tuple

  • at - 1


Click Create field and the new Tuple1 field, containing the second element of each tuple, is added to the results.

How does it work in LINQ?

Use the operator select... as... and add the operation syntax to create the new field.

This is the syntax for the At operation.

Use:

at(tuple, n)

or

(tuple)[n]

If a JSON object has a key named key, to extract the corresponding value use:

select at(json,"key")

Example

You can copy the following LINQ scripts and try the above example on the siem.logtrust.web.activity table:

from siem.logtrust.web.activity select (srcPort, serverPort) as Tuple select Tuple[1] as Tuple1

from siem.logtrust.web.activity select jsonparse("{\"p\": [1, 2, 3]}") as json select at(json, "p") as retrieve_with_at
