The readFile() function outputs the content of CSV lookup files or ad-hoc tables as events. This allows you to use a CSV Lookup File and ad-hoc table as data input. For more information about ad-hoc tables, see Using Ad-hoc Tables.
Note
It is recommended to use the readFile() function at the beginning of the query. Using the function later in the query will always discard anything before it, and only return the content of the files or tables.
Limits the number of rows returned. Use limit=N to preview the first N rows of the files and tables. The files or tables will be outputted in the specified order, until the limit has been reached.
If you aim to preview the content of large files, we recommend always including the limit parameter to ensure optimal UI performance. For example: readFile("host_names.csv", limit=5). However, if the file is utilized as data input for further manipulation, the limit parameter can be omitted.
Note that when reading a file from a package, the package name should be specified in addition to the filename. For example: readFile("falcon/investigate/logoninfo.csv").
Event Result set.
Summary and Results
The query is used to preview content in CSV Lookup Files. After previewing the content with the readFile() function, it is possible to use the data for further manipulation, for example by combining it with count() to count the rows, select() to filter data, join() to match data, etc.
In this example, the defineTable() function is used as a right join query to extract and combine information from two different datasets.
The event set for the query is in one repository, but the event set for each query is shown separately to identify the two sets of information.
The first event set is:
Defines a new ad-hoc table that uses all the fields (username and operation) in a table named operations.
logscale
|readFile(users)
Reads the users ad-hoc table as events using readFile().
logscale
|match(operations,field=username,strict=false)
Matches the events that have a matching operation from the operations table with the users table using the username as the common field. Because strict=false is used, events that do not match are not filtered out (implying a right join).
logscale
|select([username,operation])
Selects the username and operation fields to be displayed from the event set.
Event Result set.
Summary and Results
The result will output two events:
| username | operation |
|---|---|
| user1 | createdFile |
| user2 | no value |
Note that in the event set all operations have been included even when there is no match between the username field, resulting in the no value for user2. If strict=true had been passed to the match() function, then the event for user2 would not have been outputted.
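The join behaviour described above can be modelled outside LogScale. The following is an added Python sketch, not LogScale code and not part of the original documentation: the table rows are constructed sample data, the helper names read_file, match, select and pipeline are hypothetical, and "first matching row wins" is an assumption of the model.

```python
# Python model of: readFile(users) | match(operations, field=username, strict=...)
#                  | select([username, operation])
# Constructed sample tables; the page does not list the original event sets.
USERS = [{"username": "user1", "name": "User One"},
         {"username": "user2", "name": "User Two"}]
OPERATIONS = [{"username": "user1", "operation": "createdFile"},
              {"username": "user3", "operation": "deletedFile"}]

def read_file(tables, limit=None):
    """Emit table rows as events, tables in the given order, up to limit rows."""
    events = []
    for table in tables:
        for row in table:
            if limit is not None and len(events) >= limit:
                return events
            events.append(dict(row))
    return events

def match(events, table, field, strict=True):
    """Enrich events with the table row sharing `field`.

    strict=True drops events without a matching row;
    strict=False keeps them unenriched (the right-join behaviour)."""
    index = {}
    for row in table:
        index.setdefault(row[field], row)  # assumption: first matching row wins
    out = []
    for ev in events:
        row = index.get(ev.get(field))
        if row is not None:
            out.append({**ev, **row})
        elif not strict:
            out.append(dict(ev))
    return out

def select(events, fields):
    """Keep only the named fields; a missing field becomes None ("no value")."""
    return [{f: ev.get(f) for f in fields} for ev in events]

def pipeline(strict):
    events = read_file([USERS])
    events = match(events, OPERATIONS, "username", strict=strict)
    return select(events, ["username", "operation"])

if __name__ == "__main__":
    print("strict=false:", pipeline(False))
    print("strict=true: ", pipeline(True))
```

Rows that exist only in the operations table (user3 in the sample data) never appear in the output, because the events produced by readFile() are the side of the join that is preserved.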