
Processing - except

Table of contents
  1. except


  • except {variable}=rightTable

The except command removes from the current table every row whose values in the specified columns match a row in rightTable. The target of the command is the current table.


function previouslySeen()
  search {from="-28d<d",to="-21d<d"} sStartswith("@cloudtrail.eventName","Run") or sStartswith("@cloudtrail.eventName","Create")
  let {sourceIPAddress}=f("@cloudtrail")
  aggregate old=count() by sourceIPAddress

function recentlySeen()
  search {from="-21d<d",to="-14d<d"} sStartswith("@cloudtrail.eventName","Run") or sStartswith("@cloudtrail.eventName","Create")
  let {eventName, awsRegion, sourceIPAddress, eventTime } = f("@cloudtrail")
  let {city,country} = f("@cloudtrail._ip")
  aggregate firstSeen=min(eventTime), lastSeen=max(eventTime), records=count() by sourceIPAddress, city, country, eventName
  sort 100 records

stream previous=previouslySeen()
stream recent=recentlySeen()

except {sourceIPAddress}=previous

The result tables “previous”, “recent” and the last (current) table are shown above. Both “previous” and “recent” have a column (variable) named sourceIPAddress, but the values in that column differ between the two tables; the other columns differ as well. The final command, except {sourceIPAddress}=previous, looks up each value of sourceIPAddress in “previous” (the rightTable) in the same column of the current table (“recent”), and removes every row of “recent” whose sourceIPAddress matches a value found in “previous”.
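The two-window pipeline above, reproduced in Python as an added illustration (not the page's or the query engine's own code) so the anti-join behaviour of except can be seen on constructed CloudTrail-style events; the window bounds, the meaning of sort 100 records (top 100 by the records column) and the event data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, not real, CloudTrail-style events: (eventTime, eventName, sourceIPAddress, city, country)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EVENTS = [
    (NOW - timedelta(days=25), "RunInstances",      "198.51.100.7", "Dublin", "IE"),
    (NOW - timedelta(days=24), "CreateUser",        "203.0.113.9",  "Paris",  "FR"),
    (NOW - timedelta(days=20), "RunInstances",      "198.51.100.7", "Dublin", "IE"),
    (NOW - timedelta(days=18), "CreateRole",        "192.0.2.44",   "Lagos",  "NG"),
    (NOW - timedelta(days=16), "CreateRole",        "192.0.2.44",   "Lagos",  "NG"),
    (NOW - timedelta(days=15), "DescribeInstances", "192.0.2.44",   "Lagos",  "NG"),  # dropped by the prefix filter
]

def in_window(t, days_from, days_to):
    """Assumed reading of search {from="-Nd<d",to="-Md<d"}: N days ago <= t < M days ago."""
    return NOW - timedelta(days=days_from) <= t < NOW - timedelta(days=days_to)

def run_or_create(name):
    """sStartswith(eventName,"Run") or sStartswith(eventName,"Create")."""
    return name.startswith("Run") or name.startswith("Create")

def previously_seen():
    """aggregate old=count() by sourceIPAddress over the -28d..-21d window."""
    counts = defaultdict(int)
    for t, name, ip, *_ in EVENTS:
        if in_window(t, 28, 21) and run_or_create(name):
            counts[ip] += 1
    return [{"sourceIPAddress": ip, "old": n} for ip, n in counts.items()]

def recently_seen():
    """aggregate firstSeen/lastSeen/records by sourceIPAddress, city, country, eventName; top 100 by records."""
    groups = {}
    for t, name, ip, city, country in EVENTS:
        if in_window(t, 21, 14) and run_or_create(name):
            g = groups.setdefault((ip, city, country, name), {"firstSeen": t, "lastSeen": t, "records": 0})
            g["firstSeen"], g["lastSeen"], g["records"] = min(g["firstSeen"], t), max(g["lastSeen"], t), g["records"] + 1
    rows = [{"sourceIPAddress": k[0], "city": k[1], "country": k[2], "eventName": k[3], **v} for k, v in groups.items()]
    return sorted(rows, key=lambda r: r["records"], reverse=True)[:100]

def except_rows(current, right, keys):
    """except {keys}=right: drop every row of current whose key tuple occurs in right (a left anti-join)."""
    seen = {tuple(r[k] for k in keys) for r in right}
    return [r for r in current if tuple(r[k] for k in keys) not in seen]

def new_source_ips():
    """Rows of the recent window whose sourceIPAddress was not seen in the previous window."""
    return except_rows(recently_seen(), previously_seen(), ["sourceIPAddress"])
```

With the sample data, 198.51.100.7 appears in both windows and is removed, so only the 192.0.2.44 CreateRole row survives.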