Contains tokens - case insensitive (weaktoktains)
Description
You can apply this operation either as a Filter or Create column operation:
Filter | Creates a filter that returns only those strings including a specific token, ignoring case. Optionally, you can add one or two boolean values to extend the left and right length of the token. |
---|---|
Create column | Adds a new Boolean column that shows true when a specific token is present in a given string, ignoring case. Optionally, you can add one or two boolean values to extend the left and right length of the token. |
Use the Contains tokens (toktains) operation if you need to discriminate between uppercase and lowercase letters.
What is a token?
A token is simply a unit of data composed of alphanumeric characters separated by ASCII symbols. Devo also recognizes as a token any value assigned the ip or ip6 data format. Therefore, not only will Devo identify 10.0.1.2 and aa:bb:cc:dd as tokens, but also their component parts, 10, 0, 1, 2, aa, bb, cc, and dd because these component parts are delimited by ASCII symbols (the periods and colons).
Learn more in How Devo indexes data.
How does it work in the search window?
Select Filter / Create column in the search window toolbar, then select the Contains tokens - case insensitive operation. This operation requires at least two arguments (Value and contains). Optionally, you can add the right extended and left extended arguments to expand the length of the token.
Argument | Data type | More information |
---|---|---|
Value mandatory | string | Â |
contains mandatory | string | Â |
left extended | boolean | Add this argument if you want to get strings that contain the indicated token with alphanumerical values to the left. For example, if you enter 10 as a token and set the left extended argument to true, you will get strings containing, for example, -10- or .10. but also abc10- or 12310- |
right extended | boolean | Add this argument if you want to get strings that contain the indicated token with alphanumerical values to the right. For example, if you enter 10 as a token and set the right extended argument to true, you will get strings containing, for example, -10- or .10. but also -10abc or -10123 |
If you use the Create column operation, the data type of the values in the new column is boolean (true or false).
Example
In the siem.logtrust.web.activity
table, we want to get only the events that include the token language in the headers column strings (value language delimited by ASCII symbols). We want to ignore case, so tokens including capital letters will be also considered. To do it, we will apply a Filter using the Contains tokens operation.
The arguments needed for the filter are:
Value - headers column
contains - Click the pencil icon and enter language
Click Filter data and you will see the following result. As you can see, events containing the token language appear, but also Language.
Click Create column and follow the same steps to add a new Boolean column that shows true when the conditions explained above are met.
How does it work in LINQ?
Use the operator where
... to apply the Filter operation and select
... as
... to apply the Create column operation. These are the valid formats of the Contains tokens operation:
weaktoktains(string1, string2)
weaktoktains(string1, string2, boolean_left)
weaktoktains(string1, string2, boolean_left, boolean_right)
Examples
You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity
 table:
from siem.logtrust.web.activity
where weaktoktains(headers, "language")
And this is the same example using the Create column operation:
from siem.logtrust.web.activity
select weaktoktains(headers, "language") as token_language