Versions Compared

Old Version 43

changes.mady.by.user Borja Moro Moreno

Saved on

compared with

New Version Current

changes.mady.by.user Borja Moro Moreno

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel2
outlinefalse
stylenone
typeflat
printabletrue

...

Select Create field in the search window toolbar, then select the Lookups category, and choose the Lookup (hlut) operation from the dropdown (more info here). You need to specify four arguments (one of them optional):

Argument

Description

Data type

Lookup name mandatory

Choose the lookup you want to use to enrich your table.

string

Lookup field mandatory

Choose the lookup field you want to use to enrich your table.

string

Key mandatory

Choose the table field you want to use to find matches with the lookup key field.

same as lookup key field

Time mandatory

Choose the table timestamp you want to use to correlate with the lookup timestamp. It identifies the value with the highest latest timestamp in the lookup that is before the timestamp in your table.

timestamp

...

Not only keys are correlated to return values but also the timestamps of both lookup and table. The timestamp in your table will be matched with the closest previous lookup timestamp to retrieve its corresponding value when both keys match. Your new table field will display ranges of recurring values according to the time slot they belong to, which corresponds to the intervals between the lookup timestamps.

...

Info

Syntax considerations

  • Status
    title"lookup_name"
    → This must be the name of lookup that contains the data you want to use to enrich your data.

  • Status
    colourPurple
    title"lookup_field"
    → This must be the lookup field you want to use to enrich your data, which must not be the same as the lookup key field.

  • Status
    colourBlue
    titlekey_field
    → This must be the table field that will be used to correlate find matches with the lookup key. The name can be different than the lookup key field as long as the data type coincide and the values it contains are potential matches (username-user). The absence of matches will return null and a different data type will return an error when running the query.

  • Status
    colourGreen
    titletimestamp_field
    → This must be the table timestamp that will be used to correlate with the lookup timestamp. A data type other than timestamp will return an error when running the query.

Example

If you have the following time range lookup, you can enrich your data tableAfter performing the operations you need to manipulate your data, such as filtering and grouping operations, you can use the Lookup (hlut) operation to enrich your data with the following time range lookup:

  • Lookup name: Enrichment

  • Lookup fields: method, username, city (key), eventdate (timestamp)

...

  • )

...

These are the arguments needed when using the interface :

  • Lookup name: Company_offices Enrichment

  • Lookup field: Office_type username

  • Key: city

  • Time: eventdate

This is the syntax needed when using LINQ free-text query:

Code Block
from siem.logtrust.web.activity
where isnotnull(city)
where not isempty(city)
where result = "OK"
group every 1h by city, result,method
region
select hlut("Historical_company_officesEnrichment", "Office_typeusername", city, eventdate)

The table timestamp will be matched with the closest previous lookup timestamp, and the username values in the Office_type lookup field will be brought into our your table when the values in the city field and those in the lookup key field fields match. When they do not match, null will be returned.