window.first
window.first(values_to_sort_by, values_to_return)
Description
This aggregation function returns a string value derived from the event with the lowest correlated integer value in the match window. For example, you can get the user ID from the event with the lowest timestamp in the match window (the earliest event).
Param data types
INT, STRING
Return type
STRING
Code samples
Get a string value derived from the event with the lowest correlated integer value in the match window.
// This rule sets the outcome $first_event to the event_type string from the
// event with the lowest timestamp (the earliest event) in the 5 minute match window.
// The rule name is a placeholder; the page shows only the events/match/outcome fragment.
rule window_first_example {
  meta:
    description = "window.first code sample"
  events:
    $e.user.userid = $userid
  match:
    $userid over 5m
  outcome:
    // Yields v1 if the timestamps in the match window are 1, 2 and 3 with
    // corresponding event_type values v1, v2 and v3.
    $first_event = window.first($e.metadata.timestamp.seconds, $e.metadata.event_type)
  condition:
    $e
}
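To make the semantics concrete, here is an added Python model of window.first (example code, not Chronicle's implementation and not the page's own sample): it groups constructed events by userid, splits each group into fixed 5-minute buckets (a simplifying assumption made for the example; it does not claim to reproduce how Chronicle aligns match windows), and returns the event_type of the event with the lowest timestamp in each bucket. Arrival order is deliberately scrambled for one user to show that the sort key, not arrival order, decides the result.

```python
from collections import defaultdict

# Constructed sample events (not from the page). alice's events arrive out of
# timestamp order; bob's third event falls into the next 5-minute bucket.
SAMPLE_EVENTS = [
    {"userid": "alice", "timestamp": 3, "event_type": "v3"},
    {"userid": "alice", "timestamp": 1, "event_type": "v1"},
    {"userid": "alice", "timestamp": 2, "event_type": "v2"},
    {"userid": "bob", "timestamp": 1000, "event_type": "USER_LOGIN"},
    {"userid": "bob", "timestamp": 1005, "event_type": "NETWORK_HTTP"},
    {"userid": "bob", "timestamp": 1400, "event_type": "USER_LOGOUT"},
]


def window_first(events, values_to_sort_by, values_to_return):
    """Model of window.first: the string taken from the event whose integer
    sort value is lowest. Both arguments are accessors applied to an event.
    An empty window has no event to pick from, so None is returned."""
    if not events:
        return None
    earliest = min(events, key=values_to_sort_by)
    return values_to_return(earliest)


def match_windows(events, match_field="userid", window_seconds=300):
    """Group events by the match variable and split each group into fixed
    buckets of window_seconds. Fixed bucketing is an assumption of this
    example, not a description of Chronicle's match-window alignment."""
    groups = defaultdict(list)
    for ev in events:
        bucket = ev["timestamp"] // window_seconds
        groups[(ev[match_field], bucket)].append(ev)
    return groups


def first_event_outcomes(events):
    """Equivalent of the rule's outcome section:
    $first_event = window.first($e.metadata.timestamp.seconds,
                                $e.metadata.event_type)"""
    return {
        key: window_first(group, lambda e: e["timestamp"], lambda e: e["event_type"])
        for key, group in match_windows(events).items()
    }


if __name__ == "__main__":
    for key, value in sorted(first_event_outcomes(SAMPLE_EVENTS).items()):
        print(key, "->", value)
```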
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated: 2025-07-29 (UTC).