selectivelyDeleteFromList

Delete entries from a list.

This operator takes a list and a filter and deletes all the elements that match the filter. The filter may be templated, in which case a parent table needs to be provided and its rows will be used to instantiate the filter.

Operator Usage in Easy Mode

  1. Click + on the parent node.
  2. Enter the Selectively Delete from List operator in the search field and select the operator from the Results to open the operator form.
  3. In the Name drop-down, enter or select the name of the list.
  4. In the Filter, apply filters to selectively delete the data row from the list using AND or OR operator to delete the data row.
  • Enter or select a column value from the drop-down.
  • Select the operator (=, !=, >, >=, < , <=)
  • Enter the value to delete from the list.
    You can add Rule by clicking on + Rule to delete with conditions.
    You can also create groups by clicking on + Group and repeat from step 4.
  1. Optional. In the Table drop-down, enter or select a table that contains input values to delete from.
    When you select the table names, the Pick Value appears in the filter from which you can select the column values to delete.
  2. Click Run to view the result.
  3. Click Cancel to discard the operator form.
  4. Click Submit to add the operator to the playbook.

Usage Details

selectivelyDeleteFromList(list_name, filter, input_table)

Input Parameters:

list_name: The name of the list. This is a string.

input_table: Name of the input table. The table should not have more than 500 rows.

filter: This is a templatized string for the WHERE clause of an SQL statement. When this SQL clause is evaluated to true for an entry in the list, the entry will be deleted. An example of the filter syntax is this: "ip = '$ip_addr'". Here, the filter specifies that it will get the value from the ip_addr column from the input table and compose a WHERE clause fragment with it. For example ip = '172.217.14.23' for the row of the input table where the column ip_addr has the value '172.217.14.23'. Entries in the list that match any of the WHERE clause will be deleted.

Putting this example in the syntax of the LQL would read like this:

selectivelyDeleteFromList("suspicious_hosts", "ip = '$ip_addr'", newly_whitelisted_ip)

In this example, table newly_whitelisted_ip has the ip_addr column. And we use that value to build the filters. All entries in the list that match those filters will be deleted.