Skip to main content Link Search Menu Expand Document (external link)

Data Processing

Table of contents
  1. Data Processing: Processing
  2. Data Processing: Presenting

The data processing is not a required part to make a piece of FPL code works. Some simple goals can be achieved by only using the data selection and the results display automatically by default without any processing. But for most cases in practice, the data processing is the core part to get what you want.

The data processing usually consists of two parts. The first one is “processing”, doing the core processing procedure, including the simple processing of one variable, and complicated processing based on several variables. The second one is “presenting”, deciding what and how to show in the results.

The data processing procedure is always after the data selection.

An example is given to explain the structure described above.

search sContent("@behaviors","O365_AzureAD_UserLoggedIn")
let {username="ObjectId"}=f("@fields"),_timestamp=f("@timestamp")
aggregate timestamp=max(_timestamp),count() by username
let createdOn=strftime("%a, %d %b %Y %T %z",timestamp)
table username, createdOn

In this example, the first and second sentences are data selection. The third and fourth ones are the “processing” part of data processing. At the end, the fifth sentence is the “presenting” part of data processing.

Data Processing: Processing

The processing part is to do some specific calculations on the raw data extracted from database.

See details and examples in all the subsections except the table,except,top and sort.

Data Processing: Presenting

This part is mainly about to purposes. The first is what to show in the results. There are probably many variables produced, but only some of them are what we are interested and want to present. For this purpose, see functions and examples: table; except; top.

The second is to reorder. See: sort.


Table of contents