Skip to content

Commit c4251bb

Browse files
JV0812JV0812
committed
Query syntax fix
1 parent 2b8c6a4 commit c4251bb

File tree

3 files changed

+3
-3
lines changed

3 files changed

+3
-3
lines changed

docs/integrations/amazon-aws/cost-explorer.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,7 @@ Create a Field Extraction Rule (FER) for AWS Cost Explorer Logs. Learn how to cr
7070
```
7171
* **Parse Expression:** Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the “securityprod” alias for an AWS account with ID "123456789" and the “infraprod” alias for an AWS account with ID "987654321", your parse expression would look like:
7272
```sql
73-
json "LinkedAccount"
73+
| json "LinkedAccount"
7474
| if (LinkedAccount = "123456789", "securityprod", LinkedAccount ) as LinkedAccount
7575
| if (LinkedAccount = "987654321", "infraprod", LinkedAccount ) as LinkedAccount
7676
```

docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -178,7 +178,7 @@ _sourceCategory=*Crowdstrike* DetectionSummaryEvent
178178
_sourceCategory=*Crowdstrike* AuthActivityAuditEvent (userAuthenticate or twoFactorAuthenticate)
179179
| json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time
180180
| formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time
181-
| json "event.UserId", "event.UserIp", "event.OperationName", "event.ServiceName", "event.Success", "event.UTCTimestamp" as src_user, user_ip, operation_name, service_name, success, operation_tim
181+
| json "event.UserId", "event.UserIp", "event.OperationName", "event.ServiceName", "event.Success", "event.UTCTimestamp" as src_user, user_ip, operation_name, service_name, success, operation_time
182182
| formatDate(fromMillis(operation_time), "MM/dd/yyyy HH:mm:ss:SSS") as operation_time
183183
| where success="true"
184184
| count by operation_time, operation_name, src_user, user_ip

docs/metrics/metrics-operators/filter.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -53,7 +53,7 @@ The supported functions are:
5353
Return the time series in which the average value of the CPU_User metric is greater than 95:
5454

5555
```sql
56-
metric=CPU_User | filter avg > 95`
56+
metric=CPU_User | filter avg > 95
5757
```
5858

5959
**Example 2**

0 commit comments

Comments
 (0)