
Selecting specific fields in LINQ

Overview

To get going, open Data search → Explore your data and click on the Free text query option. Here, you can build your query using LINQ.

What permissions do I need?

To use this feature you don't need a specific permission apart from the Free text queries permission, which is required to perform searches using queries. See the free text queries article to learn more.

Choosing fields

Enter from followed by the table name, then select followed by the fields you want to appear. If needed, you can give a field a new name using the as operator; the fields will then appear in the search window only under their new names.

from table
select field1 as name1
select field2 as name2

Select all fields option

Uncheck this box in the bottom right of the query if you only want to show the selected fields. This option is activated by default and will display all of the table's fields in the search window, regardless of the fields you select to display.

If you don't know the field names, or the table has a large number of fields, click on the Show table fields button and the list of fields will appear on the right. Use the filter to search for the names of the fields if you cannot see them at a glance. Clicking on the headings Name and Type will organize them into their respective alphabetical order.

Also, the LINQ smart editor will show you the names of the fields that match as you type. Learn more about how to write queries using the LINQ syntax in Build a query using LINQ.

Below you can see that—having unchecked Select all fields—only the selected fields are displayed, which in this case are eventdate, domain, method, and sessionid.

Operations using the Free text query

Devo allows you to run operations directly from the Free text query, with the process functioning just like selecting specific fields in LINQ as detailed above.

from table
select operation(field)

You can run multiple operations at once, but the data returned cannot be used for further processing, such as alerts.

Select all fields option

Uncheck this box in the bottom right if you only want to return the results of the operations; otherwise they will be added as new fields at the end of the table.

Duplicating fields

Leaving the Select all fields option activated while simultaneously selecting specific fields will result in all of the table's fields being displayed, with the selected ones being duplicated at the end of the other fields. This function can be useful if you wish to duplicate the information contained in a certain field and display it under a different name. In that case, you can enter the following free text query:

from siem.logtrust.web.activity
select eventdate as when
select method as how

The original fields will still be displayed, but the duplicates, under their new names, will appear at the very end of the table. In this example, we again use the table siem.logtrust.web.activity and rename the eventdate field as when and the method field as how, leaving Select all fields activated.

Change fields shown in an open search

If you open a data table using the Finder option without selecting any fields, then all of the fields are shown in the search window. Therefore, if you later select a field using the Query code editor this simply creates a duplicate which is added at the end of the other fields. You can use this function as above to duplicate existing fields and give them new names.
