Error When Executing UDM Stats Search Query With Array_distinct Function
Introduction
When working with the SecOps SDK, you may encounter errors when executing UDM stats search queries that contain the array_distinct function. This issue arises due to the way the get_stats function handles single value cell results versus multi-value cell results. In this article, we will delve into the problem, explore the differences between single value and multi-value cell results, and provide a solution to resolve the error.
Understanding the Issue
The error occurs on line 323 of the get_stats function, where it attempts to access the value property of the col["values"][i] object. However, this approach only accounts for single value cell results, which have the following structure:
Single Value Cell Results
    "values": [
        {
            "value": {
                "stringVal": "XXX"
            }
        },
        {
            "value": {
                "stringVal": "YYY"
            }
        }
    ]
In contrast, multi-value cell results, such as those produced by the array_distinct function, have a different structure:
Multi-Value Cell Results (e.g. Array_Distinct)
    "values": [
        {
            "list": {
                "values": [
                    {
                        "stringVal": "X1"
                    },
                    {
                        "stringVal": "X2"
                    }
                ]
            }
        },
        {
            "list": {
                "values": [
                    {
                        "stringVal": "Y1"
                    },
                    {
                        "stringVal": "Y2"
                    }
                ]
            }
        }
    ]
As you can see, the main difference lies in the presence of a list property, which contains an array of values.
The Problem with Line 323
The issue with line 323 is that it assumes all cell results are single value cells, which is not the case when dealing with multi-value cell results. When the array_distinct function is used, the get_stats function attempts to access the value property of the col["values"][i] object, which does not exist. This results in an error.
Solution
To resolve this issue, we need to modify the get_stats function to handle both single value and multi-value cell results. We can achieve this by checking the type of the col["values"][i] object and accessing the value property accordingly.
Here's an updated version of the get_stats function that handles both single value and multi-value cell results:
    def get_stats(col):
        # Check if the cell result is a single value cell
        if isinstance(col["values"][0], dict) and "value" in col["values"][0]:
            # Access the value property
            value = col["values"][0]["value"]
        # Check if the cell result is a multi-value cell
        elif isinstance(col["values"][0], dict) and "list" in col["values"][0]:
            # Access the list property and extract the values
            value = col["values"][0]["list"]["values"]
        else:
            # Handle other types of cell results
            value = None
        return value
In this updated version, we first check if the col["values"][0] object is a single value cell by checking if it has a value property. If it does, we access the value property. If not, we check if it's a multi-value cell by checking if it has a list property. If it does, we access the list property and extract the values. Finally, we handle other types of cell results by setting the value variable to None.
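A fuller normalizer for the two cell shapes described above, as an added example that is not the SDK's code or part of the original article: it converts every cell col["values"][i] rather than only index 0, and raises on an unknown shape instead of silently returning None, so result data is never dropped unnoticed. The helper names, the treatment of an empty cell as None, and the assumption that each typed wrapper holds exactly one key (only stringVal appears on the page) are assumptions.

```python
# Added example: helper names are hypothetical; only the "value" / "list"
# cell shapes and the "stringVal" key come from the article.

def unwrap_scalar(typed):
    """Return the payload of a typed wrapper such as {"stringVal": "XXX"}."""
    # Assumption: a typed wrapper is a dict with exactly one key.
    if not isinstance(typed, dict) or len(typed) != 1:
        raise ValueError(f"unexpected typed value: {typed!r}")
    return next(iter(typed.values()))


def cell_to_python(cell):
    """Convert one stats cell to a scalar, a list of scalars, or None."""
    if not isinstance(cell, dict) or not cell:
        return None  # assumption: an empty cell means no value for this row
    if "value" in cell:  # single value cell
        return unwrap_scalar(cell["value"])
    if "list" in cell:  # multi-value cell, e.g. produced by array_distinct
        return [unwrap_scalar(v) for v in cell["list"].get("values", [])]
    # Fail loudly on a shape we do not understand.
    raise ValueError(f"unknown cell shape: {sorted(cell)}")


def column_values(col):
    """Convert every cell col["values"][i], not just the first one."""
    return [cell_to_python(cell) for cell in col.get("values", [])]


# Constructed sample columns matching the two structures shown in the article.
SINGLE = {"values": [{"value": {"stringVal": "XXX"}},
                     {"value": {"stringVal": "YYY"}}]}
MULTI = {"values": [
    {"list": {"values": [{"stringVal": "X1"}, {"stringVal": "X2"}]}},
    {"list": {"values": [{"stringVal": "Y1"}, {"stringVal": "Y2"}]}},
]}

if __name__ == "__main__":
    print(column_values(SINGLE))
    print(column_values(MULTI))
```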
Conclusion
In conclusion, the error when executing UDM stats search queries with the array_distinct function arises due to the way the get_stats function handles single value and multi-value cell results. By modifying the get_stats function to handle both types of cell results, we can resolve the error and ensure that our UDM stats search queries work as expected.
Example Use Case
Here's an example use case that demonstrates how to use the updated get_stats function:
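    # Define a sample result column from a UDM stats search query that used
    # array_distinct. The updated get_stats reads col["values"], so it needs a
    # result column in the multi-value structure shown above, not the query.
    col = {
        "values": [
            {"list": {"values": [{"stringVal": "X1"}, {"stringVal": "X2"}]}},
            {"list": {"values": [{"stringVal": "Y1"}, {"stringVal": "Y2"}]}}
        ]
    }
    # Pass the column to the updated get_stats function
    result = get_stats(col)
    # Print the result (the values of the first cell)
    print(result)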
Introduction
In our previous article, we explored the issue of encountering an error when executing UDM stats search queries that contain the array_distinct function. We also provided a solution to resolve the error by modifying the get_stats function to handle both single value and multi-value cell results. In this article, we will answer some frequently asked questions related to this issue.
Q: What is the array_distinct function in UDM stats search queries?
A: The array_distinct function is a built-in function in UDM stats search queries that returns a list of unique values from a specified field.
Q: Why do I encounter an error when using the array_distinct function in my UDM stats search query?
A: The error occurs because the get_stats function in the SecOps SDK does not handle multi-value cell results correctly. When the array_distinct function is used, it returns a multi-value cell result, which the get_stats function does not know how to handle.
Q: How do I modify the get_stats function to handle multi-value cell results?
A: To modify the get_stats function to handle multi-value cell results, you need to check the type of the col["values"][i] object and access the value property accordingly. You can do this by checking if the object has a value property or a list property.
Q: What is the difference between single value and multi-value cell results?
A: Single value cell results have a value property, while multi-value cell results have a list property that contains an array of values.
Q: How do I handle other types of cell results in the get_stats function?
A: You can handle other types of cell results by setting the value variable to None or by raising an error.
Q: Can I use the array_distinct function with other functions in my UDM stats search query?
A: Yes, you can use the array_distinct function with other functions in your UDM stats search query. However, you need to make sure that the get_stats function is modified to handle multi-value cell results correctly.
Q: How do I troubleshoot issues with my UDM stats search query?
A: To troubleshoot issues with your UDM stats search query, you can use the get_stats function to print the result of the query and check if it is correct. You can also use the debug function to print the intermediate results of the query.
Q: Can I use the array_distinct function with non-string fields in my UDM stats search query?
A: Yes, you can use the array_distinct function with non-string fields in your UDM stats search query. However, you need to make sure that the field is of a type that can be compared for equality.
Q: How do I optimize my UDM stats search query for performance?
A: To optimize your UDM stats search query for performance, you can use the optimize function to reorder the fields in the query and reduce the number of rows that need to be processed.
Q: Can I use the array_distinct function with multiple fields in my UDM stats search query?
A: Yes, you can use the array_distinct function with multiple fields in your UDM stats search query. However, you need to make sure that the fields are of the same type and that the get_stats function is modified to handle multi-value cell results correctly.
Q: How do I handle errors that occur during the execution of my UDM stats search query?
A: To handle errors that occur during the execution of your UDM stats search query, you can use the try-except block to catch the error and print an error message.
Conclusion
In conclusion, the array_distinct function is a powerful tool in UDM stats search queries that can be used to extract unique values from a specified field. However, it requires careful handling of multi-value cell results to avoid errors. By modifying the get_stats function to handle multi-value cell results correctly, you can use the array_distinct function with confidence in your UDM stats search queries.