The CONST section is used to define strings and numbers that can be reused multiple times within Cortex Query Language (XQL) statements in other INGEST sections by using $constName. This can be helpful to avoid writing the same value in multiple sections, similar to constants in modern programming languages.
[CONST]
DEFAULT_DEVICE_NAME = "firewall3060"; // string
FILE_REGEX = "c:\\users\\[a-zA-Z0-9.]*"; // complex string
my_num = 3; /* int */
An example of using a CONST inside XQL statements in other INGEST sections using
The dollar sign ($) must be adjacent to the [CONST] name, without any whitespace in between.
...
| filter device_name = $DEFAULT_DEVICE_NAME
| alter new_field = JSON_EXTRACT(field, $FILE_REGEX)
| filter age < $MAX_TIMEOUT
| join type=$DEFAULT_JOIN_TYPE conflict_strategy=$DEFAULT_JOIN_CONFLICT_STRATEGY (dataset=my_lookup) as inn url=inn.url
...
NOTICE: Only quoted or integer terminal values are considered valid for CONST sections. For example, these will not compile:
[CONST]
WORD_CONST = abcde; // invalid
func_val = regex_extract(_raw_log, "regex"); // not possible
RECURSIVE_CONST = $WORD_CONST; // not terminal - not possible
CONST sections are meant to replace values. Other types, such as column names, are not supported:
...
| filter $DEVICE_NAME = "my_device" // illegal
...
A few more points to keep in mind when writing
CONST names are not case-sensitive. They can be written in any user-desired casing, such as UPPER_SNAKE, lower_snake, camelCase, and CamelCase. For example,
CONST names must be unique inside a section, and across all sections of the file. You cannot have the same CONST name defined again in the same section, or in any other CONST sections in the file.
Since section order is unimportant, you do not have to declare a CONST before using it. You can have the CONST section written below other sections that use those
CONST is an add-on to the Parsing Rule syntax and is optional to configure.
CONST syntax is derived from XQL, but with a few modifications, as explained in the Parsing Rules syntax.
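
The rules above (quoted or integer terminal values only, case-insensitive unique names, no whitespace after $, and declaration order not mattering) can be checked before a parsing-rules file is submitted. The following Python lint is an added example, not part of the product or its documentation; it assumes a simplified grammar (section headers on their own line, name = value; statements), treats $ inside quoted strings as literal text, and runs on a constructed sample whose INGEST header values and field names are made up.

```python
import re

# Simplified model of the rules on this page, not the product's own parser.
STRING = r'"(?:\\.|[^"\\])*"'
HEADER = re.compile(r'^\s*\[(\w+)[^\]]*\]\s*$', re.M)           # [CONST], [INGEST:...]
NOISE = re.compile(STRING + r'|/\*.*?\*/|//[^\n]*', re.S)       # strings and comments
STMT = re.compile(r'(\w+)\s*=\s*((?:' + STRING + r'|[^;"])*);')  # name = value;
TERMINAL = re.compile(STRING + r'|-?\d+')                        # quoted or integer
REF = re.compile(r'\$(\s*)(\w*)')

def _scrub(text, keep_strings):
    # Remove comments; strings are matched first so "http://x" is not cut short.
    keep = lambda m: m.group(0) if keep_strings and m.group(0)[0] == '"' else ' '
    return NOISE.sub(keep, text)

def lint(rules):
    """Return findings for the CONST rules described above."""
    parts = HEADER.split(_scrub(rules, True))[1:]      # name, body, name, body, ...
    sections = list(zip(parts[0::2], parts[1::2]))
    findings, consts = [], set()
    # Pass 1: collect every CONST first, because section order is unimportant.
    for _, body in (s for s in sections if s[0].upper() == "CONST"):
        for cname, value in STMT.findall(body):
            if not TERMINAL.fullmatch(value.strip()):
                findings.append(f"non-terminal value for {cname}: {value.strip()}")
            if cname.lower() in consts:                # names are case-insensitive
                findings.append(f"duplicate CONST name: {cname}")
            consts.add(cname.lower())
    # Pass 2: check $references in the other sections, ignoring string contents.
    for _, body in (s for s in sections if s[0].upper() != "CONST"):
        for gap, ref in REF.findall(_scrub(body, False)):
            if gap or not ref:
                findings.append("whitespace after $")
            elif ref.lower() not in consts:
                findings.append(f"undefined CONST: ${ref}")
    return findings

# Constructed sample: INGEST header values and field names are made up.
SAMPLE = r'''
[INGEST:vendor="acme", product="fw", target_dataset="acme_fw_raw", no_hit=keep]
filter device_name = $default_device_name   // different casing, same CONST
| alter note = "see http://x/$NOT_A_REF"    /* $ inside a string is skipped */
| filter age < $MAX_TIMEOUT
| filter n = $ my_num;

[CONST]
DEFAULT_DEVICE_NAME = "firewall3060";
FILE_REGEX = "c:\\users\\[a-zA-Z0-9.]*";
my_num = 3;
MY_NUM = 4;
WORD_CONST = abcde;
'''
```

Calling lint(SAMPLE) reports the duplicate MY_NUM, the unquoted WORD_CONST, the undefined $MAX_TIMEOUT and the detached dollar sign, while the reference written in different casing and the CONST section placed below its use pass.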