Skip to main content
Question

I want to assign department names to each feed id using a data table

  • October 23, 2025
  • 5 replies
  • 75 views
Kohei1117
Forum|alt.badge.img+3

I want to assign a department name to each feed ID using a data table.
I want to assign a department name to the Department variable for each feed_id used for import.
The data table contains a combination of feed_id and department name for each row.
 

For example, when the feed_id is "86d50640-a952-4723-8001-fbbc22e7c446", I want the Department variable to be set to "C".
Is this possible?

I tried creating the following query, but it didn't work.
---------
ingestion.log_type = "CISCO_MERAKI"

$Department = if(ingestion.feed_id in %imano_feed_id.feed_id,%imano_feed_id.department ,"other")

match:
$Department

outcome:
$Volume = math.round(sum(ingestion.log_volume) / (1000), 2)

order:
$Volume desc
---------
The error message is as follows:
compilation error compiling query: validating query: unsupported Data Table field imano_feed_id as argument in function IfThenElse line: 4 column: 1-97 : invalid argument

If the above is difficult, is it possible to manually set the department and only compare the feed_id from the data table?
For example, I'd like to assign "C" to $Department only if the feed_id is listed in the data table, as shown below, but this doesn't work either. $Department = if(ingestion.feed_id in %imano_feed_id.feed_id,"C","other")

When I try this, I get the following error.


If you know how to implement this, please let me know.

5 replies

James_E
Staff
Forum|alt.badge.img+8
  • James_E
  • Staff
  • October 24, 2025

Just a quick question, is there a reason why you’re not adding the department as an ingestion label for each feed instead of trying to calculate this after ingestion? You could modify each feed and add an ingestion label with a key of “Department” and a value of “C” or “A”, etc...

dnehoda
Kohei1117
Forum|alt.badge.img+3
  • Kohei1117
  • Author
  • New Member
  • October 27, 2025

Just a quick question, is there a reason why you’re not adding the department as an ingestion label for each feed instead of trying to calculate this after ingestion? You could modify each feed and add an ingestion label with a key of “Department” and a value of “C” or “A”, etc...

Thank you for your reply.

We also tested the method of assigning labels, but when the log type is "ingestion.log_type", the label field could not be used.
Therefore, we are using the feed_id field instead.

 

We have also verified that similar behavior can be reproduced using "namespace", but we asked this question to find out whether it is technically possible to use data tables to categorize departments for future reference.

James_E
Staff
Forum|alt.badge.img+8
  • James_E
  • Staff
  • October 27, 2025

I see what you’re saying. You’re using the ingestion dataset instead of the UDM event dataset for the dashboard and the ingestion_label isn’t carried over from the UDM events to the ingestion dataset.

 

I don’t think it’s possible to join a data table to anything other than  UDM Event (Search/Dashboards) or an Entity (Dashboards), but I’ll verify. You could continue down the path of the conditional statement and instead of using a data table, hard code the feed IDs into the query. It’s not ideal, but would work.

If you have Google SecOps Ent+, which has managed Big Query, you could create something with that dataset to be able to join.

 

 

Kohei1117
Forum|alt.badge.img+3
  • Kohei1117
  • Author
  • New Member
  • October 28, 2025

I see what you’re saying. You’re using the ingestion dataset instead of the UDM event dataset for the dashboard and the ingestion_label isn’t carried over from the UDM events to the ingestion dataset.

 

I don’t think it’s possible to join a data table to anything other than  UDM Event (Search/Dashboards) or an Entity (Dashboards), but I’ll verify. You could continue down the path of the conditional statement and instead of using a data table, hard code the feed IDs into the query. It’s not ideal, but would work.

If you have Google SecOps Ent+, which has managed Big Query, you could create something with that dataset to be able to join.

 

 

Thank you for your reply and investigation.

I also appreciate your efforts in verifying whether the data table can be used to combine information. Sorry for the trouble, but I’d be grateful if you could share the results once they’re available.

James_E
Staff
Forum|alt.badge.img+8
  • James_E
  • Staff
  • October 28, 2025

I validated that it’s currently not possible to join a data table to the ingestion dataset, only UDM events/entities. Below is an example of hard coding the feed id's, again, not ideal but works.

 

ingestion.log_type = "CISCO_MERAKI"

$Department = if(ingestion.feed_id = "Feed ID", "A" ,
              if(ingestion.feed_id = "Feed ID", "B", 
              if(ingestion.feed_id = "Feed ID", "C")))

match:
ingestion.feed_id, $Department

outcome:
$Volume = math.round(sum(ingestion.log_volume) / (1000), 2)

order:
$Volume desc

 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.