I’m trying to add in a step to my workflow, which will take an already extracted username and country, then search our ingress log for any results, and from those results determine whether it was a Windows or mobile device used.
So I have an Advanced Query on Log set up with the following:
LEQL Query: where(account="{{Username}}" and geoip_country_name="{{Country}}")
Last 12 Hours
Timeout 60
Log:
What I get back is an array of objects of the logs it has found, but I’m unsure how to pull out the required information from that array. I need information from the following fields:
source_json.properties.deviceDetail.displayName
source_json.properties.deviceDetail.operatingSystem
Normally if I’m doing a manual log search for what this workflow would do, I would do a groupby so I get the required information easily (see below), but I don’t think this is possible to do in the workflow step.
where(account="{{Username}}" and geoip_country_name="{{Country}}") groupby(source_json.properties.deviceDetail.displayName)
How can I pull the required fields from the array of log objects?
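An added example, not part of the original post and not vendor code: one way to reproduce the groupby in a script step by walking source_json.properties.deviceDetail in each returned log object and counting by device. It assumes each array element is a dict (or JSON string) containing that path; the function names, the mobile OS prefixes and the sample events are constructed for illustration.

```python
import json
from collections import Counter

# Field path taken from the post: source_json.properties.deviceDetail.*
PATH = ("source_json", "properties", "deviceDetail")
# Assumption: operatingSystem prefixes treated as mobile; adjust to your data.
MOBILE_PREFIXES = ("ios", "android")

def _as_dict(node):
    """Return node as a dict, decoding it first if it arrived as a JSON string."""
    if isinstance(node, str):
        try:
            node = json.loads(node)
        except ValueError:
            return {}
    return node if isinstance(node, dict) else {}

def device_detail(event):
    """Walk PATH through one log object; {} if any level is missing."""
    node = _as_dict(event)
    for key in PATH:
        node = _as_dict(node.get(key))
    return node

def classify(os_name):
    """Map an operatingSystem string to windows / mobile / unknown."""
    os_name = str(os_name or "").lower()
    if os_name.startswith("windows"):
        return "windows"
    return "mobile" if os_name.startswith(MOBILE_PREFIXES) else "unknown"

def summarize(events):
    """Count events per (displayName, operatingSystem, class), like the groupby."""
    counts = Counter()
    for event in events:
        detail = device_detail(event)
        os_name = detail.get("operatingSystem") or ""
        name = detail.get("displayName") or "(none)"
        counts[(name, os_name, classify(os_name))] += 1
    return counts

# Constructed sample events, not real log data.
def _wrap(detail):
    return {"source_json": {"properties": {"deviceDetail": detail}}}

SAMPLE = [
    _wrap({"displayName": "LAPTOP-01", "operatingSystem": "Windows 10"}),
    _wrap({"displayName": "LAPTOP-01", "operatingSystem": "Windows 10"}),
    {"source_json": json.dumps({"properties": {"deviceDetail": {"displayName": "PHONE-01", "operatingSystem": "iOS 16"}}})},
    {"source_json": {"properties": {}}},  # event with no deviceDetail
]
```

Events with no deviceDetail are counted under "(none)" / "unknown" rather than dropped, so sign-ins that did not report a device still show up in the summary.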