V1 - Extraction - let

let

let in data selction

The usage of the command let in data selection usually coupled with f.

let {agentID} = f("@sentinelOneAgent.translation")

let agentID = f("@sentinelOneAgent.translation")

let {ID="agentID"} = f("@sentinelOneAgent.translation")

In the first and second expression, the "agentID" in the left hand has to be the exact name of a variable in "@sentinelOneAgent.translation". If you want to rename the variable, use the third expression, i.e., name "ID" after "agentID".

Three usages of let are given in the above example.

let in data processing

The command let in data processing is after the selction.

let A=functionX(B)

B has to be variable.

Readers are direct to "Data processing" to see all the functions.

Example

An Example contains both selection and processing:

search {from="-8d@d", to="@d"}  
let timestamp=f("@timestamp")    //selection
let Type=condition(timestamp>=timerelative(timenow(),"-1d@d"),"Yesterday","LastWeek")     //processing
timechart {span="1h"} count() by Type 
let Hour=strftime("%H:%M", timestamp)  
aggregate YesterdayCount=max(Yesterday), AvgCount=avg(LastWeek) by Hour

V1 - Extraction - let

let​

let in data selction​

let in data processing​

Example​

let

let in data selction

let in data processing

Example