_field


The _field directive is a query directive that adds a new field to the existing DNIF log fields.

Let's have a look at a simple _field query:

_field $TimeD time_delta @now + 21d

Syntax

_field <$fieldname>
Functions: time_delta | string | if_then | switch_case
           expr | diff_day | diff_minute | diff_hour

The _field directive is simple and SQL-like; it allows you

  • to perform arithmetic functions on a field
  • to perform date and time expressions
  • to evaluate Boolean conditions

Let's see how to use the _field directive. For this, let's have a look at a simple _field query:

_fetch * from event where $LogType=FIREWALL limit 10
>>_field $TimeD time_delta @now + 21d

Here, the _fetch directive retrieves data from the event repository within the allowed scope. In the above query, we retrieve only those events whose logs were generated by the FIREWALL. The _field directive adds a new field named $TimeD to the data and sets it to the current date and time (@now) plus 21 days.

[Screenshot: result of the _field query on the DNIF console, showing the new fields or columns added for context or calculated values]

Different queries using the _field directive.

_fetch * from event where $Duration=24h AND $LogType=FIREWALL limit 10
>>_field $TimeD time_delta $CNAMTime + 21d

The _fetch directive retrieves the data from event. The _field directive adds a new field named $TimeD to the data from event and sets it to $CNAMTime plus 21 days.

_fetch * from event where $LogType=FIREWALL limit 10
>>_field $Tusker if_then $SrcCN,["IN","GB"],"Good","Bad"

In the above query, the _field directive adds a new field named $Tusker: if $SrcCN (the source country) is IN or GB, the event is shown as Good; for any other value it is shown as Bad.

_fetch * from event where $SrcCN=GB AND $LogType=FIREWALL limit 10
>>_field $Tucker expr $EvtLen + 100

In the above query, the _field directive adds a new field named $Tucker; this example uses an arithmetic expression to add 100 to $EvtLen.

_fetch * from event where $LogType=FIREWALL AND $SrcCN=US limit 10
>>_field $Tucker switch_case $SrcCN ["IN", "BH"]: "INDIA"; ["US"]: "USA"

In the above query, the _field directive adds a new field named $Tucker: if the source country is IN or BH, $Tucker shows INDIA, and if the source country is US, $Tucker shows USA.

_fetch * from event where $LogType=FIREWALL limit 10
>>_field $TimeInDays diff_hour $SystemTstamp, $CNAMTime

In the above query, the _field directive adds a new field named $TimeInDays holding the difference in hours between $SystemTstamp and $CNAMTime. diff_minute and diff_day can be used in the same way.
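To make the effect of each _field function concrete, here is an added reference model in Python that applies the same if_then, switch_case, expr, time_delta and diff_hour/diff_minute/diff_day operations from the queries above to a few constructed firewall events. It is illustration code written for this page, not DNIF's implementation: the event records, the NOW timestamp and the behaviour for cases the page does not specify (a switch_case value that matches no branch, the sign and rounding of diff_* results) are assumptions and are marked as such in the comments.

```python
"""Reference model of the _field functions described on this page.

Added illustration, not DNIF code. It applies if_then, switch_case,
expr-style arithmetic, time_delta and diff_hour / diff_minute / diff_day
to constructed events so the new columns each directive produces can be
inspected. Where the page does not define a behaviour, the choice made
here is an assumption and is labelled as one.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events (assumption: field names follow the page's queries).
EVENTS = [
    {"LogType": "FIREWALL", "SrcCN": "IN", "EvtLen": 120,
     "SystemTstamp": datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc),
     "CNAMTime": datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc)},
    {"LogType": "FIREWALL", "SrcCN": "US", "EvtLen": 80,
     "SystemTstamp": datetime(2024, 1, 11, 0, 0, tzinfo=timezone.utc),
     "CNAMTime": datetime(2024, 1, 9, 0, 0, tzinfo=timezone.utc)},
    {"LogType": "FIREWALL", "SrcCN": "CN", "EvtLen": 300,
     "SystemTstamp": datetime(2024, 1, 12, 6, 15, tzinfo=timezone.utc),
     "CNAMTime": datetime(2024, 1, 12, 6, 0, tzinfo=timezone.utc)},
]

# Constructed stand-in for @now so results are reproducible.
NOW = datetime(2024, 1, 15, 0, 0, tzinfo=timezone.utc)


def if_then(value, members, then_value, else_value):
    """_field $X if_then $F,[...],"A","B": A when $F is in the list, else B."""
    return then_value if value in members else else_value


def switch_case(value, cases, default=None):
    """_field $X switch_case $F [..]: "A"; [..]: "B".

    `cases` maps a tuple of matching values to the output value.
    Assumption: a value matching no branch yields `default` (None here);
    the page does not say what DNIF returns in that case.
    """
    for members, out in cases.items():
        if value in members:
            return out
    return default


def expr_add(value, amount):
    """_field $X expr $F + 100: plain arithmetic on a numeric field."""
    return value + amount


def time_delta(base, days):
    """_field $X time_delta <base> + Nd: shift a timestamp by N days."""
    return base + timedelta(days=days)


def diff_hour(a, b):
    """_field $X diff_hour $A, $B. Assumption: a minus b, whole hours,
    truncated toward zero."""
    return int((a - b).total_seconds() / 3600)


def diff_minute(a, b):
    """Same convention as diff_hour, in whole minutes."""
    return int((a - b).total_seconds() / 60)


def diff_day(a, b):
    """Same convention as diff_hour, in whole days."""
    return int((a - b).total_seconds() / 86400)


def enrich(event, now=NOW):
    """Apply the page's _field examples to one event; return the new columns."""
    return {
        "TimeD": time_delta(now, 21),                       # @now + 21d
        "TimeD_from_CNAM": time_delta(event["CNAMTime"], 21),  # $CNAMTime + 21d
        "Tusker": if_then(event["SrcCN"], ["IN", "GB"], "Good", "Bad"),
        "Tucker_expr": expr_add(event["EvtLen"], 100),
        "Tucker_switch": switch_case(
            event["SrcCN"], {("IN", "BH"): "INDIA", ("US",): "USA"}),
        "TimeInDays": diff_hour(event["SystemTstamp"], event["CNAMTime"]),
    }


def enrich_all(events=EVENTS, now=NOW):
    """Return each event merged with its computed _field columns."""
    return [{**e, **enrich(e, now)} for e in events]


if __name__ == "__main__":
    for row in enrich_all():
        print(row["SrcCN"], row["Tusker"], row["Tucker_switch"],
              row["Tucker_expr"], row["TimeInDays"], row["TimeD"].date())
```

Running the module prints one line per constructed event; the third event (source country CN) shows that if_then falls through to "Bad" while switch_case, which has no matching branch, yields None under the assumption made above.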