...
Filter | Creates a filter that returns only those strings that include a specific token, ignoring case. Optionally, you can add one or two Boolean arguments that allow alphanumeric characters to the left and/or right of the token (see left extended and right extended below). |
---|---|
Create field | Adds a new Boolean column field that shows true when a specific token is present in a given string, ignoring case. Optionally, you can add one or two Boolean arguments that allow alphanumeric characters to the left and/or right of the token (see left extended and right extended below). |
...
Argument | Data type | More information |
---|---|---|
Value (mandatory) | string | The string to inspect. |
contains (mandatory) | string | The token to look for, matched ignoring case. A token is a substring delimited by ASCII symbols (non-alphanumeric characters) or by the boundaries of the string. |
left extended (optional) | boolean | Add this argument set to true if you also want to match strings in which alphanumeric characters precede the token. For example, if you enter 10 as the token and set left extended to true, you will get strings containing -10- or .10. but also abc10- or 12310- |
right extended (optional) | boolean | Add this argument set to true if you also want to match strings in which alphanumeric characters follow the token. For example, if you enter 10 as the token and set right extended to true, you will get strings containing -10- or .10. but also -10abc or -10123 |
If you use the Create column field operation, the data type of the values in the new column field is boolean (true or false).
...
In the siem.logtrust.web.activity table, we want to get only the events that include the token language in the headers column strings (the value language delimited by ASCII symbols). We want to ignore the case, so tokens including capital letters will also be considered. To do it, we will apply a Filter using the Contains tokens operation.
...
The arguments needed for the filter are:
Value - headers column
contains - Click the pencil icon and enter language
...
Click Filter data and you will see the following result. As you can see, events containing the token language appear, but also Language, because the comparison ignores case.
...
Click Create field and follow the same steps to add a new Boolean column field that shows true when the conditions explained above are met.
...
How does it work in the search window?
...
Use the Filter on raw field to search for keywords throughout the entire raw data field, instead of filtering by specific field.
...
The LINQ expression will differ as follows (in order of search priority):
...
Use the operator where... to apply the Filter operation and select... as... to apply the Create column field operation. These are the valid formats of the Contains tokens operation:
...
And this is the same example using the Create column field operation:

```
from siem.logtrust.web.activity
  select weaktoktains(headers, "language") as token_language
```
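The token-matching rules from the argument table (case-insensitive match, token delimited by ASCII symbols, optional left/right extension) and the headers / language walkthrough above, as an added Python emulation. This is example code written for this page; it is not part of the Devo product or documentation. It assumes that "alphanumeric" means ASCII letters and digits only (so underscore and any other character act as delimiters), and the sample events standing in for siem.logtrust.web.activity are constructed.

```python
import re

# Emulation of Devo's "Contains tokens" (weaktoktains) operation.
# Assumption: "alphanumeric" means ASCII letters and digits only; every
# other character (space, punctuation, underscore) delimits a token.
_ALNUM = r"[A-Za-z0-9]"


def weaktoktains(value: str, token: str,
                 left_extended: bool = False,
                 right_extended: bool = False) -> bool:
    """Return True if `value` contains `token` as a delimited token, ignoring case.

    With left_extended / right_extended set, alphanumeric characters may
    precede / follow the token, as described in the argument table.
    """
    # Without extension, the token must not be preceded (or followed) by an
    # alphanumeric character; with extension, that side is unconstrained.
    left = "" if left_extended else rf"(?<!{_ALNUM})"
    right = "" if right_extended else rf"(?!{_ALNUM})"
    pattern = f"{left}{re.escape(token)}{right}"
    return re.search(pattern, value, flags=re.IGNORECASE) is not None


def filter_events(rows, column, token, left_extended=False, right_extended=False):
    """Filter operation: keep only the rows whose `column` contains the token."""
    return [row for row in rows
            if weaktoktains(row[column], token, left_extended, right_extended)]


def create_field(rows, column, token, new_field,
                 left_extended=False, right_extended=False):
    """Create column field operation: add a Boolean column to every row."""
    return [{**row, new_field: weaktoktains(row[column], token,
                                            left_extended, right_extended)}
            for row in rows]


# Constructed sample rows standing in for siem.logtrust.web.activity;
# the header strings and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"eventdate": "2024-05-01 10:00:00",
     "headers": "Accept-Language: en-US; User-Agent: Mozilla/5.0 (X11; Linux x86_64)"},
    {"eventdate": "2024-05-01 10:00:01",
     "headers": "Cookie: languagepack=es; User-Agent: curl/8.4.0"},
    {"eventdate": "2024-05-01 10:00:02",
     "headers": "Accept: */*; User-Agent: Mozilla/5.0 (Windows NT 10.0)"},
]


if __name__ == "__main__":
    # Filter form: only the row with the delimited token "Language" survives.
    for row in filter_events(SAMPLE_EVENTS, "headers", "language"):
        print("match:", row["headers"])
    # Create column field form: every row gets a Boolean token_language column.
    for row in create_field(SAMPLE_EVENTS, "headers", "language", "token_language"):
        print(row["token_language"], row["headers"])
    # "languagepack" only qualifies once the right side is extended.
    print(weaktoktains("languagepack=es", "language"),
          weaktoktains("languagepack=es", "language", right_extended=True))
```

The lookbehind and lookahead are what make the match "weak": the token itself is matched literally (re.escape) and case-insensitively, while the two optional Booleans only relax the boundary check on one side each. Note that Accept-Language matches because "-" and ":" are delimiters, whereas languagepack does not until right extended is set.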