window.first
window.first(values_to_sort_by, values_to_return)
Description
This aggregation function returns a string value derived from the event whose correlated integer value is the lowest in the match window. One example use case is getting the user ID from the event with the lowest (earliest) timestamp in the match window.
Param data types
INT, STRING
Return type
STRING
Code samples
Get a string value derived from the event with the lowest correlated integer value in the match window.
// Rule name and condition section added so the snippet is a complete YARA-L 2.0 rule;
// the original sample shows only the events, match and outcome sections.
rule window_first_example {
  // This rule sets the outcome $first_event to the event_type of the event with the
  // lowest timestamp (the earliest event) in the 5 minute match window.
  events:
    $e.user.userid = $userid
  match:
    $userid over 5m
  outcome:
    // yields v1 if the timestamps in the match window are 1, 2 and 3 and the
    // corresponding event_type values are v1, v2 and v3.
    $first_event = window.first($e.metadata.timestamp.seconds, $e.metadata.event_type)
  condition:
    $e
}
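To make the semantics of the sample rule concrete, here is an added Python model of what the rule computes. It is not Chronicle code: window_first reproduces the documented behaviour (return the string paired with the lowest integer); match_windows is a deliberately simplified stand-in for "match: $userid over 5m" that groups events by user ID and cuts fixed 5-minute windows anchored at each group's earliest event, which is an assumption rather than the platform's exact windowing. Tie-breaking (first seen wins), skipping events without a sort value, and returning None for an empty window are also assumptions, since the page does not specify them. The events are constructed sample data.

```python
from collections import defaultdict

WINDOW_SECONDS = 5 * 60  # the "over 5m" match window of the sample rule

# Constructed sample events, shaped like the UDM fields the rule references.
SAMPLE_EVENTS = [
    {"user": {"userid": "alice"}, "metadata": {"timestamp": {"seconds": 1700000120}, "event_type": "USER_LOGIN"}},
    {"user": {"userid": "alice"}, "metadata": {"timestamp": {"seconds": 1700000060}, "event_type": "NETWORK_CONNECTION"}},
    {"user": {"userid": "alice"}, "metadata": {"timestamp": {"seconds": 1700000180}, "event_type": "FILE_CREATION"}},
    {"user": {"userid": "bob"}, "metadata": {"timestamp": {"seconds": 1700000400}, "event_type": "PROCESS_LAUNCH"}},
    {"user": {"userid": "bob"}, "metadata": {"timestamp": {"seconds": 1700000900}, "event_type": "USER_LOGOUT"}},
]


def window_first(values_to_sort_by, values_to_return):
    """Model of window.first: the string paired with the lowest int in the window.

    Ties keep the first value seen and events with a missing sort value are
    skipped; both are assumptions, not documented Chronicle behaviour.
    """
    if len(values_to_sort_by) != len(values_to_return):
        raise ValueError("both argument lists must be aligned per event")
    best = None  # (lowest int so far, its paired string)
    for key, value in zip(values_to_sort_by, values_to_return):
        if key is None:
            continue
        if best is None or key < best[0]:  # strict '<' keeps the first seen on ties
            best = (key, value)
    return None if best is None else best[1]


def match_windows(events, window_seconds=WINDOW_SECONDS):
    """Simplified model of 'match: $userid over 5m' (assumption: fixed windows
    anchored at each user's earliest event). Returns (userid, events) pairs."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]["userid"]].append(event)

    windows = []
    for userid, user_events in by_user.items():
        user_events.sort(key=lambda e: e["metadata"]["timestamp"]["seconds"])
        start, bucket = None, []
        for event in user_events:
            ts = event["metadata"]["timestamp"]["seconds"]
            if start is None or ts - start >= window_seconds:
                if bucket:
                    windows.append((userid, bucket))
                start, bucket = ts, []
            bucket.append(event)
        if bucket:
            windows.append((userid, bucket))
    return windows


def evaluate_rule(events):
    """Compute the sample rule's $first_event outcome for every match window."""
    results = {}
    for userid, window in match_windows(events):
        sort_by = [e["metadata"]["timestamp"]["seconds"] for e in window]
        returns = [e["metadata"]["event_type"] for e in window]
        results.setdefault(userid, []).append(window_first(sort_by, returns))
    return results


if __name__ == "__main__":
    # alice's three events fall in one window; bob's two are 500 s apart and split.
    print(evaluate_rule(SAMPLE_EVENTS))
```

Running the model shows that alice's earliest event is the NETWORK_CONNECTION at 1700000060 even though it is not first in the input list, which is the point of the function: ordering comes from the first argument, not from ingestion order.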
Last updated (UTC): 2025-07-29.