
Extraction - let

Table of contents
  1. let
    1. let in data selection
    2. let in data processing
    3. example

let

let in data selection

In data selection, the let command is usually coupled with f.

let {agentID} = f("@sentinelOneAgent.translation")

or

let agentID = f("@sentinelOneAgent.translation")

or

let {ID="agentID"} = f("@sentinelOneAgent.translation")

In the first and second expressions, “agentID” on the left-hand side has to be the exact name of a variable in “@sentinelOneAgent.translation”. To rename the variable, use the third expression, which gives the variable “agentID” the new name “ID”.

The expressions above show three usages of let.

let in data processing

In data processing, the let command comes after the selection.

  • let A=functionX(B), where B has to be a variable.

Readers are directed to “Data processing” to see all the functions.

example

An example that contains both selection and processing:

search {from="-8d@d", to="@d"}  
let timestamp=f("@timestamp")    //selection
let Type=condition(timestamp>=timerelative(timenow(),"-1d@d"),"Yesterday","LastWeek")     //processing
timechart {span="1h"} count() by Type 
let Hour=strftime("%H:%M", timestamp)  
aggregate YesterdayCount=max(Yesterday), AvgCount=avg(LastWeek) by Hour