Given an input string and a list of patterns, find which pattern best matches the input string and the confidence of the match.
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Pattern Lookup operator in the search field and select the operator from the Results to open the operator form.
- In the Event Table drop-down, enter or select the name of the table.
- In the Message Column, enter the column name in an eventTable to match the patterns.
- In the Pattern Table drop-down, enter or select the table that contains patterns for lookup.
- In the Pattern Column drop-down, enter or select the name of the column that contains patterns in a patternTable.
- In the Marker Column drop-down, enter or select the column name that contains markers in a patternTable.
- In the Name Column drop-down, enter or select a column name that contains 'name' in a patternTable.
- In the Pattern Type Column drop-down, enter or select a column name that contains 'patternType' in a patternTable.
- In the Threshold field, enter a threshold value.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.
Usage Details
LQL Command
patternLookup(eventTable, column, patternTable, patternCol, markerCol, nameCol, patternTypeCol, threshold)
Input:
eventTable
: Event table.
column
: Column name in an event table to lookup similar patterns from patternTable
.
patternTable
: Table containing patterns.
patternCol
: Column that contains the pattern
markerCol
: Column that contains the custom marker (symbol) that is used in the pattern, if the pattern has a custom regex.
nameCol
: Column that has the name for the pattern
patternTypeCol
: Column that has the type of the pattern.
threshold
: Minimum confidence value for a pattern to be considered a match.
Output:
The table with additional columns: patternName
, isExactMatch
, matchConfidence
, matchPattern
, patternValue
and isPattern
Example
Input
eventTable(id, col1)
id | col1 |
---|---|
1 | Windows shut down due to thermal event |
1 | Emil logged in to the server |
patternTable(id, pattern, marker, name, patternType)
id | pattern | marker | name | patternType |
---|---|---|---|---|
1 | $any$ shut down due to thermal event | $ | ||
1 | Kumar logged in to the server |
LQL command
patternLookup(eventTable, "col1", patternTable, "pattern", "marker", "name", "patternType", 0.7)
Output
patternName | isExactMatch | matchConfidence | matchPattern | patternValue | isPattern | id | col1 |
---|---|---|---|---|---|---|---|
CompositePattern | true | 1.0 | pattern -- $any$ shut down due to thermal event | pattern -- $any$ shut down due to thermal event | true | 1 | Windows was shut down due to thermal event |
StringPattern | false | 0.8620689655172413 | Kumar logged in to the server | Emil logged in to the server | true | 1 | Emil logged in to the server |