Drop nulls (dropnulls)
- Sarah Bigault (Deactivated)
Description
This operation removes the nulls of a given array.
How does it work in the search window?
Select Create field in the search window toolbar, then select the Drop nulls operation. You need to specify one argument:
Argument | Data type |
|---|---|
Array mandatory | Array Use the Make Array (mkarray) operation to convert a field to array data type. |
The data type of the values in the new field is Array.
Example
In the siem.logtrust.web.activity table, we want to transform the integer values in the SrcPort and Server port fields into arrays and then remove any null values. To do this, we will create a new field using the Make array operation. Let's call the new field Array.
The arguments needed to create the new field are:
value - SrcPort
value - Server port
Now we wish to drop any null values from the existing array.
The arguments needed to create the new field are:
value - SrcPort
Click Create field to return a new column with all null values removed.
How does it work in LINQ?
Use the operator select... as... and add the operation syntax to create the new field.
This is the syntax for the Drop nulls operation.
Use:
dropnulls([1,null,2,null,3,null,4]) === [1,2,3,4]
dropnulls(["a","b",null,"c","d"]) === ["a","b","c","d"]
dropnulls([null,null,null]) === [] Example
You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table.
from siem.logtrust.web.activity
select [serverPort, srcPort] as Array,
dropnulls(Array) as nonullsÂ
Â