Document toolboxDocument toolbox

approximateLabelLookup

Owned by Anthony Shevlin (Deactivated)
Last updated: Dec 01, 2023
2 min read
[ 1 Operator usage in easy mode ] [ 2 Usage details ] [ 3 Example ]

Score an event table by looking at similar events from another event table.

Example:
tableA is a table that has already been processed and scored.
tableB is an event table to be scored.

The two tables have some overlapping content (some similar events) but are not the same

Instead of processing all of tableB, use the scores (or labels) that are already determined for the parts that are similar to tableA. With this method, only the portions of tableB that are not similar to tableA must be processed and scored. It is not necessary to repeat the processing for the similar portions of the tables.

Operator usage in easy mode

  1. Click + on the parent node.

  2. Enter the Approximate Label Lookup operator in the search field and select the operator from the Results to open the operator form.

  3. In the Reference table drop-down, enter or select a reference table.

  4. Click Add More to add the list of field names in the reference table to measure similarity.

  5. In the Ref Label field, enter the label field name in the reference table.

  6. In the Score Table drop-down, enter or select a table to be scored.

  7. Click Add More to add the list of columns in the to-be-labeled table, same order as in the reference field.

  8. Click Run to view the result.

  9. Click Save to add the operator to the playbook.

  10. Click Cancel to discard the operator form.

Usage details

Text

approximateLabelLookup(tableA,listOfColumnsFromTableA, scoreColumn, tableB, listOfColumnsFromTableB)

Input
[tableA](http://google.com): reference (lookup) table
listOfColumnsFromTableA: list of column names from tableA that will be used as a feature to measure similarity.e.g. ["bytes_in","bytes_out"]. Column values should be numeric.
scoreColumn: lookup score or label from tableA
tableB: event table to be scored (approximate label)
listOfColumnsFromTableB: list of column names from tableB that will be used as a feature to measure similarity between tableA and tableB. Ordering of columns names are important, should same order as in listOfColumnsFromTableA

Output
tableB + addition "lhub_lookup_label"

Example

We want to find a score for tableB by looking similar events from tableA, where by "similar" we mean:

tableA.col1 is similar to tableB.col1, and tableA.col2 is similar to tableB.col2 (but not same).

TableA:

id

col1

col2

score

id

col1

col2

score

u1

11

12

1.0

u2

21

22

5.0

u3

31

32

10.0

tableB:

id

col1

col2

id

col1

col2

x1

11

11

x2

20

20

x3

50

50

LQL command

approximateLabelLookup(tableA, ["col1","col2"], "score", tableB, ["col1", "col2"])

Output

id

col1

col2

lhub_lookup_label

id

col1

col2

lhub_lookup_label

x1

11

11

1.0

x2

20

20

5.0

x3

50

50

null

"x3" is not scored, since we didn't find similar event from tableA. "u3" in tableA is closer than others, but it is not within 10% difference range.