Versions Compared

Old Version 3

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Sarah Bigault

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
typeflat

Description

You can apply this operation either as a Filter or Create column field operation:

Filter

Filters string values that start with a specified prefix.

Create columnfield

Creates a Boolean column field that shows true for those strings that start with a specified prefix.

Note

In both cases, the operation is case sensitive, so make sure the prefix contains lower and uppercase as needed. Otherwise, the results might not be as expected.

How does it work in the search window?

Select Filter / Create column field in the search window toolbar, then select the Starts with operation. You need to specify two arguments:

Argument

Data type

String mandatory

string

Prefix mandatory

string

If you use the Create columnfield operation, the data type of the values in the new column field is boolean (true or false).

Example

In the demo siem.logtrust.ecommerceweb.dataactivity table, we want to get only the events with cookie header values starting with the letter gxTo do it, we will apply a Filter using the Starts with operation.

The arguments needed for the filter are:

  • String cookie columnheader field

  • Prefix - Click the pencil icon and enter gx

...

Click Filter data and you will see the following result:

...

Click Create column field and follow the same steps to add a new Boolean column field that shows true when the strings in the cookie column header field start with gx.

...

How does it work in LINQ?

Use the operator where...  to apply the Filter operation and select... as...  to apply the Create columnfield operation. These are the valid formats of the Starts with operation:

  • startswith(string1, string2_prefix)

Examples

You can copy the following LINQ script and try the above example on the demosiem.logtrust.ecommerceweb.dataactivity table:

Code Block
from demosiem.logtrust.ecommerceweb.dataactivity
  where startswith(cookieheaders, "gX")

And this is the same example using the Create columnfield operation:

Code Block
from demosiem.logtrust.ecommerceweb.dataactivity
  select startswith(cookie, "g"headers,x) as startswith_gx