Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Given an input string and a list of patterns, find which pattern best matches the input string and the confidence of the match.

Operator Usage in Easy Mode

  1. Click + on the parent node.
  2. Enter the Pattern Lookup operator in the search field and select the operator from the Results to open the operator form.
  3. In the Event Table drop-down, enter or select the name of the table.
  4. In the Message Column, enter the column name in an eventTable to match the patterns.
  5. In the Pattern Table drop-down, enter or select the table that contains patterns for lookup.
  6. In the Pattern Column drop-down, enter or select the name of the column that contains patterns in a patternTable.
  7. In the Marker Column drop-down, enter or select the column name that contains markers in a patternTable.
  8. In the Name Column drop-down, enter or select a column name that contains 'name' in a patternTable.
  9. In the Pattern Type Column drop-down, enter or select a column name that contains 'patternType' in a patternTable.
  10. In the Threshold field, enter a threshold value.
  11. Click Run to view the result.
  12. Click Save to add the operator to the playbook.
  13. Click Cancel to discard the operator form.

Usage Details

LQL Command

patternLookup(eventTable, column, patternTable, patternCol, markerCol, nameCol, patternTypeCol, threshold)

Input:

eventTable: Event table.
column: Column name in an event table to lookup similar patterns from patternTable.
patternTable: Table containing patterns.
patternCol: Column that contains the pattern
markerCol: Column that contains the custom marker (symbol) that is used in the pattern, if the pattern has a custom regex.
nameCol: Column that has the name for the pattern
patternTypeCol: Column that has the type of the pattern.
threshold: Minimum confidence value for a pattern to be considered a match.

Output:

The table with additional columns: patternName, isExactMatch, matchConfidence, matchPattern, patternValue and isPattern

Example

Input
eventTable(id, col1)

id col1
1Windows shut down due to thermal event
1Emil logged in to the server

patternTable(id, pattern, marker, name, patternType)

id pattern marker name patternType
1$any$ shut down due to thermal event$
1Kumar logged in to the server

LQL command

patternLookup(eventTable, "col1", patternTable, "pattern", "marker", "name", "patternType", 0.7)

Output

patternName isExactMatch matchConfidence matchPattern patternValue isPattern id col1
CompositePatterntrue1.0pattern -- $any$ shut down due to thermal eventpattern -- $any$ shut down due to thermal eventtrue1Windows was shut down due to thermal event
StringPatternfalse0.8620689655172413Kumar logged in to the serverEmil logged in to the servertrue1Emil logged in to the server
  • No labels