
V1 - Extraction - f

f

• f("resourceName")

The command f is the core function of the FPL language. Fields can be extracted from resources and system logs using this function.

sip = f("sip") 

or

 {userID, workload} = f("@office365")

For a resource with a multi-layer structure, the "resourceName" passed to f must be the category nearest to the variable you want. For example:

let {agentID} = f("@sentinelOneAgent.translation")

In this example, "agentID" is in the category "translation". Trying let {agentID} = f("@sentinelOneAgent") instead would result in an error.

f can be used multiple times to extract more than one variable, but it must be placed before the data processing commands. Generally, if the code starts with a search pipe, the order is: search-f-data processing.