Is in (`in`, <-)
You can apply this operation either as a Filter or Create column operation:
Checks for the presence of one or more values in a given string. The filter will identify those strings containing at least one of the indicated values.
You can also use this operation to filter IPv4 or IPv6 addresses that belong to a specific net, using CIDR notation.
Adds a new Boolean column that shows true only for those strings that contain at least one of the indicated values.
You can also use this operation to create a new column that shows true for IPv4 or IPv6 addresses that belong to a specific net, using CIDR notation.
This operation is case sensitive. Use the Is in - case insensitive (weakin) operation if you need to apply this filter ignoring case.
How does it work in the search window?
Select Filter / Create column in the search window toolbar, then select the Is in operation. This operation requires at least two arguments:
- Value and is in if you select string values. Optionally, you can add as many or also arguments as you need.
IP and in net if you select an ip field and a net4 field, or enter it manually. Nets in the selected field or entered manually must follow the format x.x.x.x/s (CIDR).
|Value / IP (mandatory)||string / ip / ip6|
|is in / in net (mandatory)||string / net4 / net6|
If you use the Create column operation, the data type of the values in the new column is boolean (true or false).
You can also use the Contains (has, ->) operation to check for the presence of values in a given string, the only difference is the order of the arguments. The Is in operation requires you to first indicate the value(s) to check and then the general string (value IS IN string), and the Contains operation works the other way around (string CONTAINS value).
demo.ecommerce.data table, we want to get only the events that contain the word product, screen or both in the uri column. To do it, we will apply a Filter using the Is in operation.
The arguments needed for the filter are:
- Value - Click the pencil icon and enter product
- or also - Click the pencil icon and enter screen
- is in - uri column
Click Filter data and you will see the following result:
Click Create column and follow the same steps to add a new Boolean column that shows true when the strings in the uri column contain product, screen or both.
How does it work in LINQ?
Use the operator
where... to apply the Filter operation and
as... to apply the Create column operation. These are the valid formats of the Is in operation:
string_value <- string_general
Note that this format does not admit more than two arguments. Use the format below if you need to add several arguments.
`in`(string_value1, string_value2... string_general)
ip <- net4
You can copy the following LINQ scripts and try the above example on the
from demo.ecommerce.data where `in`("product", "screen", uri)
And this is the same example using the Create column operation:
from demo.ecommerce.data select `in`("product", "screen", uri) as product_screen_uri
You can also apply this operation using the
<- operator. However, this syntax does not admit more than two arguments, so you can only add a value to be searched in the selected field. In the following examples, we want to detect events containing product in the uri column:
from demo.ecommerce.data where "product" <- uri
from demo.ecommerce.data select "product" <- uri as product_uri
Additional LINQ examples
The following queries use the Is in operation to get the IP addresses in the clientIpAddress column that belong to the net 220.127.116.11/24 Both syntaxes are valid.
from demo.ecommerce.data where clientIpAddress <- 18.104.22.168/24
from demo.ecommerce.data where `in`(clientIpAddress, 22.214.171.124/24)