Allows you to use a CSV Lookup File as data input for your query. Use this function to search the content of your .csv file.

readFile() should be used as the first function in your query (main or subquery).

Parameter | Type | Required | Default | Description |
---|---|---|---|---|
file [a] | file | required | | File name to use as input. |
include | string | optional[b] | | Specifies the column names to read in the lookup file. If no argument is given, all columns are included. |
limit | number | optional[b] | | Limits the number of rows returned. Use limit=N to preview the first N rows of the file. |

[b] Optional parameters use their default value unless explicitly set.

Omitted Argument Names

The argument name for file can be omitted; the following forms of this function are equivalent:

readFile("value")

and:

readFile(file="value")

These examples show basic structure only; full examples are provided below.
When reading a file from a package, the package name should be specified in addition to the filename. For example:
readFile("falcon/investigate/logoninfo.csv")
For more information on referring to package resources, see Referencing Package Assets.
If you're aiming to preview the content of large files, we recommend always including the limit parameter to ensure optimal UI performance. However, when the file is utilized as data input for further manipulation, the limit parameter can be omitted.

readFile() Examples

Given a host_names.csv file with columns host_name and host_id:
|--------------------|
| host_name, host_id |
| DESKTOP-VSKPBK8, 1 |
| FINANCE, 2 |
| homer-xubuntu, 3 |
| logger, 4 |
| DESKTOP-1, 5 |
| DESKTOP-2, 6 |
| DESKTOP-3, 7 |
|--------------------|
Display the first five rows of the file:
readFile("host_names.csv", limit=5)

It will generate:

host_id | host_name |
---|---|
1 | DESKTOP-VSKPBK8 |
2 | FINANCE |
3 | homer-xubuntu |
4 | logger |
5 | DESKTOP-1 |

Count the number of rows in the file:

readFile("host_names.csv") | count()

Validate if the host name DESKTOP-VSKPBK8 is present in the file:
readFile("host_names.csv") | host_name = "DESKTOP-VSKPBK8" | select([host_name, host_id])

Find host names that don't send any logs:
readFile("host_names.csv") | !join(query={groupBy(host_name)}, field=host_name, key=host_name, include=[host_name, id])

It will generate:
host_id | host_name |
---|---|
5 | DESKTOP-1 |
6 | DESKTOP-2 |
7 | DESKTOP-3 |
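
The silent-host query above is an anti-join between the lookup file and the event stream. The following Python model is an added example, not LogScale code or part of the original documentation; it reproduces the limit preview and the !join result offline. The function names read_file and silent_hosts and the EVENTS list are assumptions made for illustration, and exact string matching on host_name is assumed.

```python
import csv
import io

# Lookup file content copied from the host_names.csv sample on this page.
HOST_NAMES_CSV = """host_name,host_id
DESKTOP-VSKPBK8,1
FINANCE,2
homer-xubuntu,3
logger,4
DESKTOP-1,5
DESKTOP-2,6
DESKTOP-3,7
"""

# Constructed events: only the first four hosts have sent logs.
EVENTS = [
    {"host_name": "DESKTOP-VSKPBK8", "msg": "logon"},
    {"host_name": "FINANCE", "msg": "logon"},
    {"host_name": "homer-xubuntu", "msg": "sudo"},
    {"host_name": "logger", "msg": "rotate"},
    {"host_name": "FINANCE", "msg": "logoff"},
    {"msg": "event without a host_name field"},
]


def read_file(text, include=None, limit=None):
    """Hypothetical model of readFile(): CSV rows, optional column filter, row cap."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if limit is not None and len(rows) >= limit:
            break  # limit=N stops after the first N rows
        if include is not None:
            row = {col: row[col] for col in include}  # keep only named columns
        rows.append(dict(row))
    return rows


def silent_hosts(lookup_rows, events, key="host_name"):
    """Anti-join: keep lookup rows whose key never appears in any event."""
    seen = {e[key] for e in events if key in e}  # plays the role of groupBy(host_name)
    return [r for r in lookup_rows if r[key] not in seen]


if __name__ == "__main__":
    print(read_file(HOST_NAMES_CSV, limit=5))
    print(silent_hosts(read_file(HOST_NAMES_CSV), EVENTS))
```

Events that carry no host_name field never match a lookup row, so a source that logs without that field still shows up as silent.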