Step: Query Package

This step allows you to perform queries on the package graph that take actions such as extracting values to store as variables in the package table, creating new connections in the graph, deleting sections of the graph, and asking the graph if a specific connection exists. The Query Package step is the primary method to create package variables that can be used in other steps, like the Send E-mail step.


Operates on a reified package graph

Uses SPARQL Query syntax

  • Query Type: Choose which kind of action the query will be taking. Values are SELECT, CONSTRUCT, UPDATE, ASK
    • What's the difference?

  • Graph(s) to query: Enter the name of one or more graphs. The default graph in the package is called _default_. Separate multiple graph names with a comma.
  • Output Variable: Any results returned by the query will be placed in the package table using the variable name specified.
  • SPARQL Query: Use this space to enter in a SPARQL Query. Line returns, spaces, and tabs are all allowed and stored after saving.

Extract the Event Time

  1. SELECT ?eTime WHERE {
  2. ?id <tag:champtc:core#hasEventTime> ?eTime
  3. } LIMIT 1

Extract the Host Name

  1. SELECT ?hostName WHERE {
  2. ?id <http://www.champtc.com/ontologies/winevent#hasHost> ?hostName
  3. } LIMIT 1

Count How Many Object of a Specific Type are in the Graph

  1. SELECT (COUNT(?s) AS ?poiCount) WHERE {
  2. ?s a <tag:champtc:dlwin#ProcessOfConcern>
  3. }

Connect an Employee Object to the Event

Note: To use this example in a playbook, you would first need to use the Query Database step to pull the Employee object into the graph.

  1. CONSTRUCT {
  2. ?s ?p ?o .
  3. <${trigger}> <tag:champtc:attrib#attributedToEmployee> ?emp
  4. } WHERE {
  5. ?emp a <tag:champtc:enterprise#Employee> .
  6. ?s ?p ?o
  7. }

Connect a Date to the Event

Use this example after retrieving the original date using the JSON Path step and converting the date using the Normalize Date step.

  1. CONSTRUCT {
  2. <${trigger}> <tag:champtc:sample#startDate> "${convertedDate[0]}"^^xsd:dateTime
  3. } WHERE {}