I want to assign department names to each feed id using a data table

Question

I want to assign a department name to each feed ID using a data table.
I want to assign a department name to the Department variable for each feed_id used for import.
The data table contains a combination of feed_id and department name for each row.

For example, when the feed_id is "86d50640-a952-4723-8001-fbbc22e7c446", I want the Department variable to be set to "C".
Is this possible?

I tried creating the following query, but it didn't work.
---------
ingestion.log_type = "CISCO_MERAKI"

$Department = if(ingestion.feed_id in %imano_feed_id.feed_id,%imano_feed_id.department ,"other")

match:
$Department

outcome:
$Volume = math.round(sum(ingestion.log_volume) / (1000), 2)

order:
$Volume desc
---------
The error message is as follows:
compilation error compiling query: validating query: unsupported Data Table field imano_feed_id as argument in function IfThenElse line: 4 column: 1-97 : invalid argument

If the above is difficult, is it possible to manually set the department and only compare the feed_id from the data table?
For example, I'd like to assign "C" to $Department only if the feed_id is listed in the data table, as shown below, but this doesn't work either. $Department = if(ingestion.feed_id in %imano_feed_id.feed_id,"C","other")

When I try this, I get the following error.

If you know how to implement this, please let me know.

AbdElHafez · Answer

Hi ​@Kohei1117, Just as an alternative suggestion before I look into the data table, would not it be easier to use add ingestion labels to your feeds and then build your report based on the labels instead ?You could add the ingestion labels from the feed properties from SIEM Settings > Feeds > Edit Feed

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded