Allows you to use a CSV Lookup File as data input for your query. Use this function to search the content of your .csv file.

readFile() should be used as the first function in your query (main or subquery).

| Parameter | Type   | Required    | Default | Description |
|-----------|--------|-------------|---------|-------------|
| file[a]   | file   | required    |         | File name to use as input. |
| include   | string | optional[b] |         | Specifies the column names to read in the lookup file. If no argument is given, all columns are included. |
| limit     | number | optional[b] |         | Limits the number of rows returned. Use limit=N to preview the first N rows of the file. |

[a] The argument name file can be omitted.

[b] Optional parameters use their default value unless explicitly set.

Omitted Argument Names

The argument name for file can be omitted; the following forms of this function are equivalent:

logscale
readFile("value")

and:

logscale
readFile(file="value")

These examples show basic structure only; full examples are provided below.

When reading a file from a package, the package name should be specified in addition to the filename. For example:

logscale
readFile("falcon/investigate/logoninfo.csv")

For more information on referring to package resources, see Referencing Package Assets.

If you're aiming to preview the content of large files, we recommend always including the limit parameter to ensure optimal UI performance. However, when the file is utilized as data input for further manipulation, the limit parameter can be omitted.

readFile() Examples

Given a host_names.csv file with columns host_name and host_id:

|--------------------|
| host_name, host_id |
| DESKTOP-VSKPBK8, 1 |
| FINANCE, 2         |
| homer-xubuntu, 3   |
| logger, 4          |
| DESKTOP-1, 5       |
| DESKTOP-2, 6       |
| DESKTOP-3, 7       |
|--------------------|
  • Display the first five rows of the file:

    logscale
    readFile("host_names.csv", limit=5)

    It will generate:

    | host_id | host_name       |
    |---------|-----------------|
    | 1       | DESKTOP-VSKPBK8 |
    | 2       | FINANCE         |
    | 3       | homer-xubuntu   |
    | 4       | logger          |
    | 5       | DESKTOP-1       |
  • Count the number of rows in the file:

    logscale
    readFile("host_names.csv")
    | count()
  • Validate if the host name DESKTOP-VSKPBK8 is present in the file:

    logscale
    readFile("host_names.csv")
    | host_name = "DESKTOP-VSKPBK8"
    | select([host_name, host_id])
  • Find host names that don't send any logs:

    logscale
    readFile("host_names.csv")
    | !join(query={groupBy(host_name)}, field=host_name, key=host_name, include=[host_name, id])

    It will generate:

    | host_id | host_name |
    |---------|-----------|
    | 5       | DESKTOP-1 |
    | 6       | DESKTOP-2 |
    | 7       | DESKTOP-3 |
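
The last query above is an anti-join between the lookup file and the host names seen in the logs. The following added example (Python, not LogScale code and not part of the original documentation) models that logic offline on constructed data. `read_file`, `silent_hosts` and the sample events are hypothetical, and treating an unknown `include` column as an error is an assumption of the example.

```python
import csv
import io

# Constructed copy of the host_names.csv shown on this page.
HOST_NAMES_CSV = """host_name, host_id
DESKTOP-VSKPBK8, 1
FINANCE, 2
homer-xubuntu, 3
logger, 4
DESKTOP-1, 5
DESKTOP-2, 6
DESKTOP-3, 7
"""

# Constructed log events: only four of the seven inventory hosts report in.
SAMPLE_EVENTS = [
    {"host_name": "DESKTOP-VSKPBK8", "msg": "logon"},
    {"host_name": "FINANCE", "msg": "logon"},
    {"host_name": "homer-xubuntu", "msg": "sudo"},
    {"host_name": "logger", "msg": "heartbeat"},
    {"host_name": "FINANCE", "msg": "logoff"},
    {"msg": "event without a host_name field"},
]


def read_file(text, include=None, limit=None):
    """Model of readFile(): one dict per CSV row, optionally restricted
    to the `include` columns and to the first `limit` rows."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    missing = set(include or []) - set(reader.fieldnames or [])
    if missing:
        # Assumption of this example: an unknown column is an error.
        raise KeyError(f"columns not in file: {sorted(missing)}")
    rows = []
    for row in reader:
        if limit is not None and len(rows) >= limit:
            break
        rows.append({k: (v or "").strip() for k, v in row.items()
                     if include is None or k in include})
    return rows


def silent_hosts(inventory, events, key="host_name"):
    """Model of the negated join: keep inventory rows whose key value
    never appears in the events (exact string match)."""
    seen = {e[key] for e in events if key in e}
    return [row for row in inventory if row[key] not in seen]
```

Because the match is on the exact string, a host that logs under a different spelling of its name than the inventory uses is reported as silent, so keep the lookup file and the logged host names in the same form.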