Jq filter compilation (jqcompile)
Description
Compiles a jq filter to be used as an argument of the Jq evaluation (jqeval) operation. For information about jq filters, see the jq online documentation.
How does it work in the search window?
Select Create field in the search window toolbar, then select the Jq filter compilation operation. You need to specify one argument:
Argument | Data type | Description |
---|---|---|
Filter (mandatory) | string | The filter that locates the part of the JSON from which to extract the data. You can enter the string manually or select a field with string data type. For a successful extraction when it is used as an argument in the Jq evaluation (jqeval) operation, the jq filter must match the name of an item inside the intended JSON and must start with a dot operator (.), because jq filters always start with a dot. |
The data type of the values in the new field is jq.
Example
In this example, in the siem.logtrust.web.activity table, we will create a jq filter to locate a specific item inside a JSON, which can later be used as an argument in the Jq evaluation (jqeval) operation.
Click the Create field button on the toolbar, select the Jq filter compilation (jqcompile) operation and give the new field a name.
Add the necessary argument and configure it as follows:
jq → select the pencil icon and write → .city
Click Create field and a new field will be created with the specified jq filter.
Now you have your new field ready to use as an argument in the Jq evaluation (jqeval) operation.
How does it work in LINQ?
Use the operator select... as... and add the operation syntax to create the new field. This is the syntax for the Jq filter compilation operation:
jqcompile(.string)
Example
You can use the following LINQ script to recreate the example above in any table (for example, in siem.logtrust.web.activity):
from siem.logtrust.web.activity
select jqcompile(".city") as jqFilter