Inject data to a new table
Data injections allow you to create a new table using data from an already existing table. You can modify and enrich the data as required and inject only the necessary information into the new table, and even send it to a different domain. Data injection may be used, for example, to create a table including only the data you need to work with from a very large table. Tables where data is injected always start with
my.app and will include data from the moment you created the injection. Learn more in Special Devo tags.
To perform a data injection:
Go to Data Search and open the table you want to use as a source for your injection. Modify it as needed applying filters, creating new columns, etc to get only the data you want to inject in the new table.
If your source query groups events, they must be grouped by time intervals in order to be used for a data injection.
Click the gear icon in the table toolbar and select Table Operations → Inject into my.app.
Fill the required fields in the Inject in my.app window.
The following table describes the fields in the Inject in my.app window:
Name Enter a name for the data injection. Special characters are not allowed. Description Enter an optional description for the data injection. my.app. Decide the tag for the new table that will contain the injected data. The first two levels are always
my.appand you can decide the name of the other two levels. They must begin with a letter and continue with other letters and/or numbers. Spaces or special characters are not allowed.
Send to other domain Check this box if you want to send the injected data to a different domain. Select one of the two available options:
- A domain owned by me - Send the new table to one of the domains your user belongs to. Select the required one from the list.
- External domain - Send the new table to a domain your user does not belong to. You must enter the domain name and API key.
- Click Save when you're done.
After the injection has been performed, go to Data Search and select my → app in the finder to access all the tables where you injected data.
Tables where you injected data always have a column named sourceTable that indicates the source table of each event. This information is important when you create a
my.app table and inject data from several tables. Learn more about this in the following section.
Inject data from several tables
You can use the data from different tables in your domain and inject it to a single
To do it, access one of the tables you want to use, prepare the data as required and inject it to a
my.app table following the process explained above. Then, access the rest of the tables you want to use and repeat the process, indicating the same
my.app tag levels entered in the first one.
Each of the injections defined will be saved separately in the Injections tab of the Data Management area, so you must name them differently. The only thing that must match is the name of the
my.app table that will store the injected data.
my.app table generated, the data table from which each event comes from will be indicated in the sourceTable column. The table will include all the columns from the source tables added, and they will show null for events that come from tables where the column does not exist. For example, the capture below shows an injection table with data from the
siem.logtrust.web.activity tables. In this case, the column bytesTransferred comes from the
demo.ecommerce.data table, and the column domain belongs to the
siem.logtrust.web.activity table. Checking the sourceTable column, you can see from which table the events come, and the bytesTransferred and domain columns show null if the column does not exist in the source table.
If two or more of the tables used to generate the injection table have a column with the same name, two things may occur:
- If the data type of the columns with the same name is the same, they will be merged in a single column. In the following capture, both the
siem.logtrust.web.activitytables have a column named method and its data type is string in both tables.
- If the data type of the columns with the same name is not the same, each column will be added to the injection table separately, with the name columnName_sourceTable.
After injections are created, they appear in the Injections tab of the Administration → Data management area. Check the Injections section to learn how to manage them.