Description
This operation returns the values of a given field in a lookup that keeps history upon successful key matching, and optionally upon time correlation.
Existing lookups required
To perform these operations, it is necessary to have existing lookups ready for use (visit this article to get help uploading lookups and this article to get help creating query lookups).
How does it work in the search window?
Select Create field in the search window toolbar, then select the Lookups category, and choose the Lookup (hlut) operation from the dropdown (more info here). You need to specify four arguments:
| Argument | Description | Data type |
|---|---|---|
| Lookup name (mandatory) | Choose the lookup you want to use to enrich your table. | string |
| Lookup field (mandatory) | Choose the lookup field you want to use to enrich your table. | string |
| Key (mandatory) | Choose the table field you want to use to find matches with the lookup key field. | same as lookup key field |
| Time (mandatory) | Choose the table timestamp you want to use to correlate with the lookup timestamp. It identifies the value with the latest timestamp in the lookup before the timestamp in your table. | timestamp |
Once you specify the required arguments and click the Create field button, the new field is added to your table.
Values are returned by correlating not only the keys but also the timestamps of the lookup and the table. When both keys match, the timestamp in your table is matched with the closest previous lookup timestamp to retrieve the corresponding value. Your new table field will display values according to the time slot they belong to, which corresponds to the intervals between the lookup timestamps.
The data type of the values in the new column will be the same as the original field brought from the lookup.
How does it work in LINQ?
Use the create field operator `select ... as new_field` and add the operation syntax to create the new column. This is the syntax for the Lookup (hlut) operation:

```
hlut("Lookup_name", "Lookup_field", Key_field)
hlut("Lookup_name", "Lookup_field", Key_field, Timestamp_field)
```

The complete syntax with both the create field operator and the operation syntax is:

```
select hlut("Lookup_name", "Lookup_field", Key_field) as new_field
select hlut("Lookup_name", "Lookup_field", Key_field, Timestamp_field) as new_field
```
Syntax considerations
"LOOKUP_NAME" → This must be the name of the lookup that contains the data you want to use to enrich your data.
"LOOKUP_FIELD" → This must be the lookup field you want to use to enrich your data. It must not be the same as the lookup key field.
KEY_FIELD → This must be the table field that will be used to find matches with the lookup key. Its name can differ from the lookup key field's name (for example, username and user) as long as the data types coincide and the values it contains are potential matches. The absence of matches returns null, and a different data type returns an error when running the query.
TIMESTAMP_FIELD → This must be the table timestamp that will be used to correlate with the lookup timestamp. A data type other than timestamp returns an error when running the query.
Example
After performing the operations you need to manipulate your data (such as filtering and grouping), you can use the Lookup (hlut) operation to enrich your data with the following time range lookup:
Lookup name: Enrichment
Lookup fields: method, username, city (key), eventdate (timestamp)
These are the arguments needed when using the interface:
Lookup name: Enrichment
Lookup field: username
Key: city
Time: eventdate
This is the syntax needed when using a LINQ free-text query:

```
from siem.logtrust.web.activity where isnotnull(city) where not isempty(city) group every 1h by city, method select hlut("Enrichment", "username", city, eventdate)
```
The table timestamp will be matched with the closest previous lookup timestamp, and the username values in the lookup will be brought into your table when the values in the city fields match. When they do not match, null will be returned.
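The following Python snippet is an added example (not Devo's own code) that reproduces the matching rule described above and in the example query: the key must match, and the lookup row chosen is the one with the closest previous timestamp; null is returned when there is no key match or no lookup row precedes the table timestamp. The lookup rows are constructed sample data, and the behaviour of the 3-argument form (newest row for the key) and of equal timestamps (counted as a match) are assumptions, since the page does not specify them.

```python
import bisect
from collections import defaultdict
from datetime import datetime

# Constructed sample rows of a history-keeping lookup named "Enrichment"
# (key: city, timestamp: eventdate, other fields: method, username).
ENRICHMENT = [
    {"city": "Madrid", "eventdate": "2023-01-01T00:00:00", "method": "GET", "username": "alice"},
    {"city": "Madrid", "eventdate": "2023-03-01T00:00:00", "method": "POST", "username": "bob"},
    {"city": "Lisbon", "eventdate": "2023-02-15T00:00:00", "method": "GET", "username": "carol"},
]


def build_index(lookup, key_field, ts_field):
    """Group lookup rows by key; keep each group's timestamps sorted so we can bisect."""
    groups = defaultdict(list)
    for row in lookup:
        groups[row[key_field]].append((datetime.fromisoformat(row[ts_field]), row))
    index = {}
    for key, pairs in groups.items():
        pairs.sort(key=lambda pair: pair[0])
        index[key] = ([t for t, _ in pairs], [r for _, r in pairs])
    return index


def hlut(index, lookup_field, key_value, timestamp=None):
    """Mimic hlut(): value of lookup_field from the row whose key equals key_value and
    whose lookup timestamp is the closest one at or before `timestamp` (equality is an
    assumption). Returns None (null) on no key match or when no row precedes the timestamp."""
    if key_value not in index:
        return None
    times, rows = index[key_value]
    if timestamp is None:
        return rows[-1][lookup_field]  # assumption: newest row when no time is given
    if isinstance(timestamp, str):
        timestamp = datetime.fromisoformat(timestamp)
    pos = bisect.bisect_right(times, timestamp)  # rows[:pos] have ts <= timestamp
    if pos == 0:
        return None
    return rows[pos - 1][lookup_field]


def enrich(events, index, lookup_field, key_field, ts_field, new_field):
    """Add new_field to every event row, like `select hlut(...) as new_field`."""
    return [{**event, new_field: hlut(index, lookup_field, event[key_field], event[ts_field])}
            for event in events]
```

With the sample rows, a Madrid event timestamped in February 2023 resolves to "alice", one in April 2023 to "bob", and an event before any Madrid lookup row, or for a city not in the lookup, gets None.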