Preview Content in a Lookup File With readFile()
Preview content in a lookup file in the search portion of a repo without having to match the lookup against data
Query
readFile("host_names.csv")Introduction
The readFile() function can be used to preview
content in a CSV Lookup
File. The advantage of using the readFile()
function instead of the match() function, is that
the lookup will not be matched against data.
In this example, the readFile() function is used to
look up a host_names.csv file just to preview the content in it.
Example incoming data might look like this:
|--------------------|
| host_name, host_id |
| DESKTOP-VSKPBK8, 1 |
| FINANCE, 2 |
| homer-xubuntu, 3 |
| logger, 4 |
| DESKTOP-1, 5 |
| DESKTOP-2, 6 |
| DESKTOP-3, 7 |
|--------------------|Step-by-Step
Starting with the source repository events.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0>Augment Data] result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
readFile("host_names.csv")Displays the content of the .csv file.
If you aim to preview the content of large files, we recommend always including the
limitparameter to ensure optimal UI performance. For example:readFile("host_names.csv", limit=5). However, if the file is utilized as data input for further manipulation, thelimitparameter can be omitted.Notice that if reading a file from a package, then the package name should be specified in addition to the filename. For example:
readFile("falcon/investigate/logoninfo.csv"). Event Result set.
Summary and Results
The query is used to preview content in CSV Lookup Files. After
previewing the content with the readFile()
function, it is possible to use the data for further manipulation, for
example combine it with count() to count the rows,
select() to filter data,
join() to match data, etc.
The readFile() function can also be used to read
tables defined with the defineTable() function. See
Perform a Right Join Query to Combine Two Datasets
Sample output from the incoming example data:
| host_id | host_name |
|---|---|
| 1 | DESKTOP-VSKPBK8 |
| 2 | FINANCE |
| 3 | homer-xubuntu |
| 4 | logger |
| 5 | DESKTOP-1 |
| 6 | DESKTOP-2 |
| 7 | DESKTOP-3 |
Sample output from the incoming example data with
limit parameter:
| host_id | host_name |
|---|---|
| 1 | DESKTOP-VSKPBK8 |
| 2 | FINANCE |
| 3 | homer-xubuntu |
| 4 | logger |
| 5 | DESKTOP-1 |