
Hello everyone, the latest release of the Devo Platform is now live! Release 8.12.0 introduces Subqueries to Data Search! That’s right, this powerful feature, previously available only through the API, is now available directly in Data Search and you can start using it right away! A subquery lets you combine information from different sources in a single query and further restrict the data to be retrieved. We are excited to re-introduce Subqueries as a powerful tool in your Data Search toolbox. Check out the full article below, which lists the requirements and gives an example LINQ query!


Geo Availability

Region   Status
CA       Released
US       Released
EU       Released
APAC     Released


Feature Enhancement

Subqueries now available in Data Search

Subqueries have been available for some time through other components and the API, but now you can use this powerful feature directly in Data Search!


What is a subquery?

A subquery removes the limitations of a single search by using the result of one query (the subquery) as a condition in another query. This makes it possible to combine information from different sources in a single query and to further restrict the data to be retrieved.

Requirements

Subqueries in Data Search need to be:

Non-contextual - The subquery must be syntactically and semantically correct on its own: if you extract it from the outer query, it should still run. There is no information transfer between the query and the subquery.

Time-bound in the past - Subqueries must always be time-bound, and the time window must be defined in the past.

Learn more in our documentation


Example

The most common use case for subqueries uses the in operator to determine whether the values of a specific field in a table match any of the values in the result set of a subquery.

from siem.logtrust.web.activity
where username in (
  from siem.logtrust.web.navigation
  where '2024-09-10 07:21:35' < eventdate < '2024-09-12 12:21:35'
  group every - by userEmail)
where domain in (
  from siem.logtrust.web.navigation
  where '2024-09-10 07:21:35' < eventdate < '2024-09-12 12:21:35'
  group every - by domain)
group every 10m by username, domain
select count()
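To make the semantics of the LINQ query above concrete, here is an added Python example (not Devo code, and not how the Devo engine executes the query) that evaluates the same logic over a handful of constructed rows: each subquery is run on its own table with an explicit time window that must lie entirely in the past, it yields the distinct values of one field, and the outer query keeps only rows whose username and domain both appear in those sets before bucketing them into 10-minute windows and counting. Table names, field names and the time window come from the query on this page; the sample rows, the helper names and the hypothetical "now" used for the past-window check are assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows standing in for siem.logtrust.web.navigation
# (fields: eventdate, userEmail, domain). Not real Devo data.
NAVIGATION = [
    {"eventdate": "2024-09-10 08:00:00", "userEmail": "alice@example.com", "domain": "app.example.com"},
    {"eventdate": "2024-09-11 09:15:00", "userEmail": "bob@example.com",   "domain": "admin.example.com"},
    # outside the subquery time window, so neither its user nor its domain is returned
    {"eventdate": "2024-09-13 10:00:00", "userEmail": "carol@example.com", "domain": "legacy.example.com"},
]

# Constructed sample rows standing in for siem.logtrust.web.activity
# (fields: eventdate, username, domain). Not real Devo data.
ACTIVITY = [
    {"eventdate": "2024-09-11 10:02:00", "username": "alice@example.com", "domain": "app.example.com"},
    {"eventdate": "2024-09-11 10:07:00", "username": "alice@example.com", "domain": "app.example.com"},
    {"eventdate": "2024-09-11 10:12:00", "username": "alice@example.com", "domain": "app.example.com"},
    {"eventdate": "2024-09-11 10:03:00", "username": "bob@example.com",   "domain": "app.example.com"},
    # carol is not in the userEmail subquery result, so this row is dropped
    {"eventdate": "2024-09-11 10:04:00", "username": "carol@example.com", "domain": "app.example.com"},
    # other.example.com is not in the domain subquery result, so this row is dropped
    {"eventdate": "2024-09-11 10:05:00", "username": "alice@example.com", "domain": "other.example.com"},
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def window_is_in_past(start, end, now):
    """The 'time-bound in the past' requirement: the window must be ordered
    and must end no later than the reference time (hypothetical 'now')."""
    return parse(start) < parse(end) <= parse(now)


def subquery_values(rows, field, start, end, now):
    """Non-contextual subquery: it sees only its own table and its own time
    window (mirroring  where 'start' < eventdate < 'end'  group every - by field)
    and returns the distinct values of `field`. Nothing from the outer query is
    passed in."""
    if not window_is_in_past(start, end, now):
        raise ValueError("subquery window must be bounded and entirely in the past")
    lo, hi = parse(start), parse(end)
    return {row[field] for row in rows if lo < parse(row["eventdate"]) < hi}


def outer_query(activity, usernames, domains):
    """Outer query: keep rows whose username AND domain are in the subquery
    result sets, then  group every 10m by username, domain  select count()."""
    counts = Counter()
    for row in activity:
        if row["username"] not in usernames or row["domain"] not in domains:
            continue
        ts = parse(row["eventdate"])
        # floor the timestamp to the start of its 10-minute bucket
        bucket = ts - timedelta(minutes=ts.minute % 10, seconds=ts.second, microseconds=ts.microsecond)
        counts[(bucket.strftime(FMT), row["username"], row["domain"])] += 1
    return dict(counts)


def run_example(now="2024-09-20 00:00:00"):
    """Evaluate the page's query end to end over the constructed rows."""
    start, end = "2024-09-10 07:21:35", "2024-09-12 12:21:35"
    usernames = subquery_values(NAVIGATION, "userEmail", start, end, now)
    domains = subquery_values(NAVIGATION, "domain", start, end, now)
    return outer_query(ACTIVITY, usernames, domains)


if __name__ == "__main__":
    for (bucket, username, domain), n in sorted(run_example().items()):
        print(f"{bucket}  {username:<20} {domain:<18} count={n}")
```

Two things the example makes visible that the query text alone does not: the subqueries are evaluated first and independently (they never see the outer query's rows), and a row is only counted when both membership tests pass, so a user whose navigation falls outside the window disappears from the result even if they appear in the activity table.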


If you haven’t tried them yet, please do and let us know what you think!
