Create a New Field by Summing Two Fields in Google SecOps

Hi there,

I am trying to create a new field by summing two existing fields in Google SecOps SIEM but encountering an error. For example, I have the fields source_bytes and response_bytes, and I want to create a new field total_bytes, calculated as: total_bytes = source_bytes + response_bytes

I wrote the query as follows:

metadata.event_type="xyz"
$total_bytes = $source_bytes + $response_bytes
match:
        $total_bytes

However, I receive the following error:
> Compilation error validating query: missing type info for placeholder $total_bytes

How can I correctly define a new field by summing two existing fields in Google SecOps?

Any guidance would be appreciated!

Regards,
Prashant Nakum

1 ACCEPTED SOLUTION

Hi @prashant_nakum,

Does the below help solve your use case?

rule Ayman_C_network_bytes {
  meta:
    author = "Ayman C"

  events:
    $test.principal.hostname = $Host
    $test.metadata.event_type = "NETWORK_CONNECTION"
    $test.network.received_bytes = $source_bytes
    $test.network.sent_bytes = $response_bytes

  match:
    $Host over 1h

  outcome:
    $TotalBytes = sum($source_bytes + $response_bytes)

  condition:
    $test
}

Kind Regards,

Ayman
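The pattern in the accepted answer, carried one step further as an added example (not from the original thread): bind each UDM field to its own placeholder in the events section, compute the sum in the outcome section, and then use the outcome variable in the condition so the rule only fires for hosts whose combined traffic in the window exceeds a threshold. The rule name, the placeholder names and the 1000000000-byte threshold are assumptions chosen for illustration.

```yaral
rule host_total_bytes_over_threshold {
  meta:
    author = "added example"
    description = "Sum sent and received bytes per host over 1h and fire above an assumed threshold"

  events:
    // Bind each numeric field to its own placeholder; arithmetic between
    // placeholders is not allowed here, which is what caused the
    // "missing type info for placeholder" error in the question.
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.hostname = $host
    $net.network.sent_bytes = $sent
    $net.network.received_bytes = $received

  match:
    // Group the matched events per host in a one hour window.
    $host over 1h

  outcome:
    // The sum is computed over all events in the match window.
    $total_bytes = sum($sent + $received)

  condition:
    // Threshold (1 GB) is an assumed placeholder value; tune it to the
    // environment's normal per-host hourly volume.
    $net and $total_bytes > 1000000000
}
```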
