Allows you to use a CSV Lookup
File as data input for your query. Use this function to search the
content of your .csv file.
readFile() should be used as the first function in
your query (whether a primary query or subquery as part of a join).
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
file[a] | file | required | File name to use as input. | |
include | string | optional[b] | Specifies the column names to read in the lookup file. If no argument is given, all columns are included. | |
limit | number | optional[b] | Limits the number of rows returned. Use limit=N to preview the first N rows of the file. | |
| Minimum | 1 | |||
[b] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
filecan be omitted; the following forms of this function are equivalent:logscalereadFile("value")and:
logscalereadFile(file="value")These examples show basic structure only.
When using this function, the file should exist, either because the file has previously been uploaded (using Uploading Files) or included as part of an installed package.
When reading a file from a package, the package name should be specified in addition to the filename. For example:
readFile("falcon/investigate/logoninfo.csv")For more information on referring to package resources, see Referencing Package Assets.
If you're aiming to preview the content of large files, we recommend
always including the limit
parameter to ensure optimal UI performance. However, when the file is
utilized as data input for further manipulation, the
limit parameter can be
omitted.
readFile() Examples
Preview Content in a Lookup File With readFile()
Preview content in a lookup file in the search portion of a repo without having to match the lookup against data
Query
readFile("host_names.csv")Introduction
The readFile() function can be used to
preview content in a CSV
Lookup File. The
advantage of using the readFile() function
instead of the match() function, is that the
lookup will not be matched against data. In this example, the
readFile() function is used to look up a
host_names.csv file just to preview the content in it.
Example incoming data might look like this:
|--------------------|
| host_name, host_id |
| DESKTOP-VSKPBK8, 1 |
| FINANCE, 2 |
| homer-xubuntu, 3 |
| logger, 4 |
| DESKTOP-1, 5 |
| DESKTOP-2, 6 |
| DESKTOP-3, 7 |
|--------------------|
Step-by-Step
Starting with the source repository events.
- logscale
readFile("host_names.csv")Displays the content of the .csv file.
If you aim to preview the content of large files, we recommend always including the
limitparameter to ensure optimal UI performance. For example:readFile("host_names.csv", limit=5). However, if the file is utilized as data input for further manipulation, thelimitparameter can be omitted.Notice that if reading a file from a package, then the package name should be specified in addition to the filename. For example:
readFile("falcon/investigate/logoninfo.csv"). Event Result set.
Summary and Results
The query is used to preview content in CSV Lookup Files. After
previewing the content with the readFile()
function, it is possible to use the data for further
manipulation, for example combine it with
count() to count the rows,
select() to filter data,
join() to match data, etc. The
readFile() function can also be used to
read tables defined with the defineTable() function.
Sample output from the incoming example data:
| host_id | host_name |
|---|---|
| 1 | DESKTOP-VSKPBK8 |
| 2 | FINANCE |
| 3 | homer-xubuntu |
| 4 | logger |
| 5 | DESKTOP-1 |
| 6 | DESKTOP-2 |
| 7 | DESKTOP-3 |
Sample output from the incoming example data with
limit parameter:
| host_id | host_name |
|---|---|
| 1 | DESKTOP-VSKPBK8 |
| 2 | FINANCE |
| 3 | homer-xubuntu |
| 4 | logger |
| 5 | DESKTOP-1 |
Preview Content in a Lookup File With readFile() and Filter With !join()
Preview content in a lookup file in the search portion of a repo and filter for specific data with the !join() function
Query
readFile("host_names.csv")
| !join(query={groupBy(host_name)}, field=host_name, key=host_name, include=[host_name, id])Introduction
The readFile() function can be used to
preview content in a CSV
Lookup File. In this
example, the readFile() function is used to
look up a host_names.csv file, and then filter for host names that
do not send any logs.
Example incoming data might look like this:
|--------------------|
| host_name, host_id |
| DESKTOP-VSKPBK8, 1 |
| FINANCE, 2 |
| homer-xubuntu, 3 |
| logger, 4 |
| DESKTOP-1, 5 |
| DESKTOP-2, 6 |
| DESKTOP-3, 7 |
|--------------------|
Step-by-Step
Starting with the source repository events.
- logscale
readFile("host_names.csv")Displays the content of the .csv file.
- logscale
| !join(query={groupBy(host_name)}, field=host_name, key=host_name, include=[host_name, id])Filters for host names that do not send any logs.
Event Result set.
Summary and Results
The query is used to preview content in CSV Lookup Files, and then filter for host names that do not send any logs.
Sample output from the incoming example data:
| host_id | host_name |
|---|---|
| 5 | DESKTOP-1 |
| 6 | DESKTOP-2 |
| 7 | DESKTOP-3 |