Using Functions in SmartLabels

Overview of Functions in SmartLabels #

To provide additional flexibility in SmartLabels, Lucidum provides functions that allow you to manipulate ingested data before including that data in a SmartLabel.

For example, you can concatenate ingested data, apply a regular expression to ingested data, and perform mathematical actions like addition, division, subtraction, and multiplication on ingested data.

Lucidum includes the following functions for SmartLabels:

The Add function add a field value or a number to another field value or number.

This function applies to SmartLabels and fields of type Float and type Integer.

NOTE: For details about the fields in Lucidum and the data type for each field, see see the chapter on Fields and Regular Expressions.

For example, suppose we want to calculate the sum of an upcoming increase in monthly cost of each virtual machine. We could use the Add function to do this.

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Increased server cost“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose Integer.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Calculate the total increase in monthly cost for windows server“

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all assets that are running one of the Windows Servers operating system.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Find all Windows Servers and calculate monthly cost + $50“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Add.

    • Input fields. We clicked the plus-sign icon (+) and selected Field and then selected the field Monthly Cost (US Dollar). Note that only fields of type Integer or type Float appear as enabled.

    • Input Fields. We clicked the plus-sign icon (+) and selected the Number and then entered 50.

11. This SmartLabel specifies: For each asset record returned by the query (find all assets running a Windows Server operating system), find the Monthly Cost value for the asset and add $50.

12. We could create a chart showing the increased cost for each virtual machine and the sum of the increased costs for virtual machines.

Average #

The Average function calculates the average from a list of values.

This function applies to SmartLabels and fields of type List. The output value is of type Float.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to calculate the average CVSS score for each asset. We could use the Average function to do this. But first, we need to create a list of CVSS scores (instead of the nested list that the scores appear in).

Create a List of CVSS Scores #

First we would create a SmartLabel called CVSS Score List, where we extract the CVSS scores from the field Vulnerabilities::CVSS Score.

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears.

   

3. First we would create a SmartLabel called CVSS Score List, where we extract the CVSS scores from the field Vulnerabilities::CVSS Score. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “CVSS Score List“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose List.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Extract a list of CVSS Scores for an asset“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all assets where the field Vulnerabilities::CVSS Score exists.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We accepted the default.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Assets where Vulnerabilities::CVSS Score exists.”.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Extract Value with Regular Expression. This function retrieves values from a field that contains an array (a set of name:value pairs). When a column value matches the specified regular expression, Lucidum retrieves the value of another related column in that record. The field Vulnerabilities::CVSS is part of an array.

    • Field. We selected Vulnerabilities.

    • Column to Filter On. We select CVE. This tells Lucidum to search for CVE data inside the Vulnerabilities array, instead of EPSS data, KEV data, or Lucidum Verified Risk data.

    • Regular Expression. We entered “.*”. This regular expression says “find all CVE names in the CVE column.

    • Column to Return. We specified CVSS Score. This tells Lucidum to return the CVSS scores for each CVE that matches the regular expression.

11. This SmartLabel specifies: For each asset record returned by the query (find all assets running that have the field Vulnerabilities::CVSS Score), find all the CVE records and then extract the CVSS score from each record. The SmartLabel CVSS Score List will store a list of CVSS scores for assets that match the query.

Calculate Average CVSS Score #

To calculate the Average CVSS Score, using the Average function:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears.

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “CVSS Score Average“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose Float.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Calculate Average CVSS Score for an asset“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all assets where the field CVSS Score List exists. CVSS Score List is the SmartLabel we created in the previous section. This SmartLabel creates a list of CVSS Scores for an asset.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We accepted the default.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Assets where CVSS Score List.”.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Average.

    • Field. We selected CVSS Score List. This is the SmartLabel we created in the previous section. This SmartLabel creates a list of CVSS Scores for an asset.

11. This SmartLabel specifies: For each asset record returned by the query (find all assets running that have the field CVSS Score List), calculate the average CVSS Score.

Concatenate #

The Concatenate function creates a new string by joining field values and text.

This function applies to SmartLabels and fields of type String or List. The output value is of type String.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to display how Lucidum enriches and normalizes data about operating systems. We could use the Concatenate function create a string that shows the original, raw OS name and version and the Lucidum normalized OS and version. To do this:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Operating System: Raw vs. Normalized“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose String.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Calculate the total increase in monthly cost for windows server“

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records that include the Lucidum OS Version and the raw OS and Version from a data source.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Concatenate raw OS value with Normalized OS value and provide descriptors“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Concatenate.

    • Default String for Null Value. In Lucidum, if a field does not return a value, Lucidum stores the value as “null” and does not display a value in the UI. In this field, you can enter a string value to display for null values. We entered “null”.

    • Input fields. We clicked the plus-sign icon (+) and selected String and then entered “Raw OS value from data source:”.

    • Input Fields. We clicked the plus-sign icon (+) and selected the Field and then selected OS and Version. Note that only fields of type String appear as enabled.

    • Input fields. We clicked the plus-sign icon (+) and selected String and then entered “> Lucidum normalized OS:”.

    • Input Fields. We clicked the plus-sign icon (+) and selected the Field and then selected Lucidum OS and Version. Note that only fields of type String appear as enabled.

11. This SmartLabel specifies: For each asset record returned by the query (find all assets records with entries for Lucidum OS Version (enriched value) and OS and Version (raw value)), and create a single string “Raw OS value from data source: [OS and Version] > Lucidum normalized OS: [Lucidum OS Version]”.

Convert to Date Time #

By default, Lucidum stores the raw, ingested timestamps from data sources as strings. The Convert to Date Time function converts those strings to standard Date Time format.

NOTE: Lucidum automatically converts the standard field, Last Logon Time, to date time format. The Convert to Date Time function is for converting raw data to Date Time format.

The inputs for this function are SmartLabels and fields of type String. The output is of type Date Time.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to choose the value of Last Logon Time to use instead of using the standard Lucidum value. We could say that we want to use the value of Last Logon Time returned by Oracle Cloud. We could create a SmartLabel that uses the Extract function to retrieve the value of Last Logon Value from the unprocessed data ingested by the Oracle Cloud connector.

However, to send this value to third-party systems (like SIEMS) and to display this value in the Lucidum UI, we must convert the extracted string to a value in Date Time format.

We can use the Convert to Date Time function to do this.

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Customizable Last Logon Time in Date Time Format“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose Date Time.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose User.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Converts the extracted Last Logon Time from the SmartLabel “Customizable Last Logon Time in String Format“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records that include the SmartLabel Customizable Last Logon Time in String Format. This is a SmartLabel that extracts the raw value for Last Logon Time from a specified Connector. In our example, we extracted the value of Last Logon Time from Oracle Cloud.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “User can specify Data Source3 to use for Last Logon Time.”.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Convert to Date Time.

    • Field. We selected the SmartLabel Customizable Last Logon Time in String Format.

11. This SmartLabel specifies: For each asset record that includes a value for the SmartLabel Customizable Last Logon Time in String Format, convert the value to Date Time format and store the value in the SmartLabel Customizable Last Logon Time in Date Time Format.

Count #

The Count function provides a count of values for a Lucidum field.

This function applies to SmartLabels and fields of type Integer.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want a count of MAC addresses on each asset so we can determine which assets have more than one NIC. To see the total number of MAC address per asset, we could create the following SmartLabel, using the Count function.

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “MAC Address Count“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose Integer.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Count the number of MAC addresses on assets so that we can filter on those with more than one NIC“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records that include a MAC Address.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Count MAC Addresses“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Count.

    • Input Fields. We clicked the plus-sign icon (+) and selected the Field and then selected MAC Address. Note that only fields of type Integer appear enabled.

11. This SmartLabel specifies: For each asset record returned by the query (find all assets records with entries for MAC Address), provide a count of the number of MAC Addresses per asset.

Divide #

The Divide function divides an integer or float field or a specified value by a specified value or by another field.

This function applies to SmartLabels and fields of type Integer or Float.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to display the daily cost for virtual machines. We could divide the field Monthly Cost (US Dollars) by 30.  To do this:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Daily  Cost of  VMs“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose Float.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Divide the Monthly Cost of VMs by 30“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records that include a value for Monthly Cost.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Assets with Monthly Cost“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Count.

    • Input Fields. We clicked the plus-sign icon (+) and selected Field and then selected Monthly Cost (US Dollars). Note that only fields of type Integer or Float appear enabled.

    • Input Fields. We clicked the plus-sign icon (+) and selected Number and then entered 30.

11. This SmartLabel specifies: For each asset record returned by the query (find all assets records with entries for Monthly Cost), divide the monthly cost by 30 to derive a daily cost.

Extract #

The Extract function retrieves values from a field that contains an array of key:value pairs.

This function applies to SmartLabels and fields of type List. The input is a List. The output is a String.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, we could search the Extra Values field for each asset and use the Extract function to extract the VPC CIDR subnet value. To do this:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “VPC Subnet CIDR Block“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose String.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Extract all AWS VPC subnets“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records that included the array field Extra Data and in that array has the Key (similar to a column name) subnet_cidrblock.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Extract VPC subnet CIDR block“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Extract Value.

    • Field. We selected Extra Data. Note that only fields of type List appear enabled.

    • Column to Filter On. We selected Key. We will search this column for the value in Match String.

    • Match String. We selected subnet_cidrblock. We will search the Key column for the value subnet_cidrblock.

    • Column to Return. We selected Value. For each row where the Key column includes the value subnet_cidrblock, we want to extract the value of the column Value. This value will be the CIDR subnet.

11. This SmartLabel specifies: For each asset record returned by the query (find all asset records that contain the Extra Data field and the Key column contains subnet_cidrblock), extract and return the value of the Value column (the CIDR subnet address).

Extract Value from List with Regular Expression #

The Extract Value from List with Regular Expression function examines a List field and extracts entries that match a specified regular expression.

This function applies to SmartLabels and fields of type List. The input is a List. The output is a String.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to find all assets with an IP address that starts with “192”. We could create the following SmartLabel:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. In the My SmartLabels tab, click the Add icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Extract all the IPs that start with 192“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose String.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Extract Value from List with Regular Expression“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records that include the field Lucidum Asset Name.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “All Lucidum Assets“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Extract Value from List with Regular Expressions.

    • Field. We selected IP Address . Note that only fields of type List appear enabled.

    • Regular Expression. You can enter a text string or any regular expression supported by PCRE2. We entered ^192*. This means “find any string that starts with 192”.

11. This SmartLabel specifies: For each asset record returned by the query (all asset records that contain the Lucidum Asset Name field), search the IP Address field for IP addresses that start with “192”.

12. The SmartLabel Extract all the IPs that start with 192 will not appear as a field in all assets that include an IP address that starts with 192. To easily find these assets, you can use the Query Tool to search for assets where the SmartLabel Extract all the IPs that start with 192 exists.

Extract Value with Regular Expression #

The Extract Value with Regular Expression function retrieves values from a field that contains an array (a set of name:value pairs). When a column value matches the specified regular expression, Lucidum retrieves the value of another column in the record.

This function applies to SmartLabels and fields of type String. The input is a Nested List (String). The output is a String.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to choose the OS and Version value to use instead of using the standard Lucidum value. We could say that we want to use the value of OS and version returned by (in priority order) :

1. Crowdstrike
2. VMware
3. Active Directory

We could search the Data Source Details field for each asset, search the column Data Sources for those that match a regular expression (for example, “Crowdstrike Host”), and extract the value of the OS and Version column. To do this:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. In the My SmartLabels tab, click the Add icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Best OS“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose String.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Select and prioritize the OS values from different data sources“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records that included the array field Data Source Details and in that array has the column name Data Sources. In the column Data Sources, we searched for the regular expression “Crowdstrike Host”. If an asset matches all these parameters, the function extracts the value of the OS and Version column and stores the value in the SmartLabel Best OS.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “OS from Crowdstrike (top priority)“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Extract Value with Regular Expressions.

    • Field. We selected Data Source Details. Note that only fields of type Nested List (String) appear enabled.

    • Column to Filter On. We selected Data Sources. We will search this column for the value in Regular Expression.

    • Regular Expression. You can enter a text string or any regular expression supported by PCRE2. We entered Crowdstrike Host.

    • Column to Return. We selected OS and Version. For each row where the Data Sources column includes “Crowdstrike Host”, we want to extract the value of the column OS and Version. For the asset, the SmartLabel Best OS will contain the value of OS and Version.

11. This SmartLabel specifies: For each asset record returned by the query (find all asset records that contain the Data Source Details field and the Data Sources column contains “Crowdstrike Host”, extract and return the value of the OS and Version. The asset record will include the SmartLabel Best OS. The value of Best OS will be the extracted value from OS and Version.

12. Repeat steps 4-11, substituting VMware Host (priority 2) where you previously entered Crowdstrike Host.

13. Repeat steps 4-11, substituting Active Directory Computer (priority 3) where you previously entered Crowdstrike Host.

14. The SmartLabel will now populate the SmartLabel Best OS with either the OS and Version value from Crowdstrike (first priority), VMware (second priority), or Active Directory (third priority).

Max #

The Max function finds the maximum value from a list of values.

This function applies to SmartLabels and fields of type List. The output value is of type Float.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to calculate the maximum CVSS score for each asset. We could use the Max function to do this. But first, we need to create a list of CVSS scores (instead of the nested list that the scores appear in). For details, see Create a List of CVSS Scores.

To calculate the Maximum CVSS Score, using the Max function:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears.

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “CVSS Score Maximum “.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose Float.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Calculate Max CVSS Score for an asset“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all assets where the field CVSS Score List exists. CVSS Score List is the SmartLabel we created in the previous section. This SmartLabel creates a list of CVSS Scores for an asset.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We accepted the default.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Assets where CVSS Score List.”.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Max .

    • Field. We selected CVSS Score List. This is the SmartLabel we created in the previous section. This SmartLabel creates a list of CVSS Scores for an asset.

11. This SmartLabel specifies: For each asset record returned by the query (find all assets running that have the field CVSS Score List), finds the maximum CVSS Score.

Min #

The Min function finds the minimum value from a list of values.

This function applies to SmartLabels and fields of type List. The output value is of type Float.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to calculate the minimum CVSS score for each asset. We could use the Min function to do this. But first, we need to create a list of CVSS scores (instead of the nested list that the scores appear in). For details, see Create a List of CVSS Scores.

To calculate the Minimum CVSS Score, using the Min function:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears.

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “CVSS Score Minimum “.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose Float.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Calculate Min CVSS Score for an asset“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all assets where the field CVSS Score List exists. CVSS Score List is the SmartLabel we created in the previous section. This SmartLabel creates a list of CVSS Scores for an asset.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We accepted the default.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Assets where CVSS Score List.”.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Min .

    • Field. We selected CVSS Score List. This is the SmartLabel we created in the previous section. This SmartLabel creates a list of CVSS Scores for an asset.

11. This SmartLabel specifies: For each asset record returned by the query (find all assets running that have the field CVSS Score List), finds the minimum CVSS Score.

Multiply #

The Multiply field nultiplies field by another field or by  an integer value or float value.

This function applies to SmartLabels and fields of type Integer or Float.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, supposed we want to multiply the value of Data Risk by five if that data is stored on assets in the Legal department, because that data is most sensitive. To do this:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Data Risk Adjusted“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose Integer.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Adjust the data risk value according to department“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records where the Department field has the value Legal.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Multiple legal data risk by 5“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Multiply.

    • Input Fields. We clicked the plus-sign icon (+) and selected Field and then selected Data Risk. Note that only fields of type Integer or type Float appear enabled.

    • Input Fields. We clicked the plus-sign icon (+) and selected Number and then entered 5.

11. This SmartLabel specifies: For each asset record returned by the query (find all asset records where the Department field has a value of Legal), multiply the value of Data Risk by 5.

Regular Expression #

The Regular Expression function uses pcre2 regular expressions to find a match within a field.

NOTE: For details on pcre2 regular expression syntax, see https://www.pcre.org/current/doc/html/pcre2syntax.html

This function applies to SmartLabels and fields of type String.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to retrieve the host name for an asset from its FQDN. To do this with the Regex function:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Extract Host Name from FQDN“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose String.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Validate regex extraction of a subpattern from Latest Asset Name string field“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records where the Latest Asset Name field matches word.word.word. A word is any combination of letters a-z and numbers 0-9. For example , if the FQDN is db1.mycompany.com., “db1”, “mycompany”, and “com” are all considered words (combination of letters a-z and numbers 0-9)

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Multiple legal data risk by 5“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Regular Expression.

    • Field. We selected the field Latest Asset Name. Note that only fields of type String appear enabled.

    • Regular Expression. We entered (\w+). This regular expression says “match any number of word characters (alphabet characters and 0-9 numbers) until you come to the first non-word character”. So this regular expression will find the hostname, the first word in a FQDN.

11. This SmartLabel specifies: For each asset returned by the query (asset record that includes a FQDN in the field Latest Asset Name ), retrieve the first word (the hostname) from the FQDN.

Split #

The Split function splits the value of a list field immediately after the delimiter. If the delimiter occurs multiple times, the split occurs multiple times also. The Split function creates a new list.

This function applies to SmartLabels and fields of type String and its output is a List.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to split email addresses so we can find a count of users per email domain. To do this with the Split function:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Email Domain“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose List.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose User.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Split the email address into user and domain“.

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all user records that include a value in the Email field.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Split the email address into user and domain“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Split.

    • Field. We select the field Email. We will split the value in this field. Note that only fields of type List appear enabled.

    • Delimter. We entered “@” (ampersand). The Split function will create a list with two entries: the user name, and the domain. For example, for [email protected], we could get a list with two entries: john.doc, company.com.

11. This SmartLabel specifies: For each user record returned by the query (user record includes a value in the Email field), split the value into two values, one to the left of the @ symbol and one to the right of the @ value.

12. We can then query all user records where the value of the field Email Domain matches one of the following: \.com$,\.net$\.edu$,\.gov$\.io$,\.ai$. We could sort the results by Lucidum User Name. We could then create a pie chart that displays number of users per email domain:

    

Substring #

The Substring function extracts a value from a string field. You must know the the number of characters you want to extract.

This function applies to SmartLabels and fields of type String.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we want to shorten department names to fit in Lucidum charts and to send to an external system that limits department names to three characters. We can use the Substring function to shorten department names. To do this:

1. Navigate to the SmartLabel Management page (Left menu> SmartLabel Management).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

   In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Shorten Department Name“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose String.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Shorten department name to first 3 characters“.

3. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

4. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

5. In this query, we searched for all asset records that include a value in the Department field.

   NOTE: For details on creating a query, see the chapter on Building Queries.

6. In the Build a Query page, click Apply (paper-and-pencil icon).

7. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Dept Exists“.

8. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

9. In the Configure SmartLabel Result Function page, we entered the following:

   • Function. We selected Substring.

   • Field. We select the field Department. We will extract a substring from the value in this field. Note that only fields of type String appear enabled.

   • Start Index. We entered “0” (zero). The Substring function labels the position of the first letter of a string as “0” (zero). For example, the positions for the first three characters would be 0, 1, 2.

   • Number of Characters. We entered 3 (three).

10. This SmartLabel specifies: For each asset returned by the query (asset record includes a value in the Department field)), retrieve the first three characters of the department name.

Subtract #

The Subtract function subtracts a field value or a number from another field value or number.

This function applies to SmartLabels and fields of type Float and type Integer.

NOTE: For details about the fields in Lucidum and the data type for each field, see the chapter on Fields and Regular Expressions.

For example, suppose we are considering changing providers and we want to see how much money we would save by reducing the monthly cost of each virtual machine by $20. To do this with the Subtract function:

1. Navigate to the SmartLabel Management page (Left menu > SmartLabels icon).

2. Click the Add SmartLabel icon (plus-sign) in the upper right. The Add SmartLabel page appears:

   

3. In the Add SmartLabel page, we entered the following in the top pane:

   • Name. Name of the SmartLabel. We entered “Decreased server cost“.

   • Label Type. Specifies the data type for the output of the SmartLabel. We chose Integer.

   • Data Type. Specifies that Lucidum object type for the SmartLabel. Choices are Asset or User. We chose Asset.

   • MetaBlock. Select one or more MetaBlocks to align with to this SmartLabel. For details on MetaBlocks, see Creating and Managing MetaBlocks.
   • Description. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Business Value. After saving the SmartLabel, Lucidum uses the Luci LLM to populate this field automatically. You cannot edit the value in this field.
   • Author Comments. Notes from the creator of the SmartLabel. We entered “Calculate decreased cost per VM“

4. In the Configured Rules pane, we clicked the Add Rule  icon (plus sign) to add a rule. A rule can be a query or a tag or another SmartLabel.

5. The Build a Query page appears. In this page, you can create a query, select an existing SmartLabel, or select an existing Tag.

   

6. In this query, we searched for all asset records that include a value in the Monthly Cost field.

   NOTE: For details on creating a query, see the chapter on Building Queries.

7. In the Build a Query page, click Apply (paper-and-pencil icon).

8. In the Configured Rules pane, we entered values in the following fields:

   • Priority. Specifies the order in which rules are applied. We specified 1.

   • Rule Description. Click in this field and enter a description for the rule. We entered “Assets with a monthly cost“.

9. In the Actions column, we clicked the sigma (∑). The Configure SmartLabel Result Function page appears.

   

10. In the Configure SmartLabel Result Function page, we entered the following:

    • Function. We selected Subtract.

    • Input fields. We clicked the plus-sign icon (+) and selected Field and then selected the field Monthly Cost (US Dollar). Note that only fields of type Integer or type Float appear enabled.

    • Input Fields. We clicked the plus-sign icon (+) and selected the Number and then entered 20.

11. This SmartLabel specifies: For each asset record returned by the query (find all assets records where Monthly Cost includes a value), find the Monthly Cost value for the asset and subtract $20.
12. We could query the value of Decreased server cost to create a chart showing the decreased cost for each virtual machine and the sum of the decreased costs for virtual machines.