patternLookup

Given an input string and a list of patterns, find which pattern best matches the input string and the confidence of the match.

Operator usage in easy mode

1. Click + on the parent node.

2. Enter the Pattern Lookup operator in the search field and select the operator from the Results to open the operator form.

3. In the Event Table drop-down, enter or select the name of the table.

4. In the Message Column, enter the column name in an eventTable to match the patterns.

5. In the Pattern Table drop-down, enter or select the table that contains patterns for lookup.

6. In the Pattern Column drop-down, enter or select the name of the column that contains patterns in a patternTable.

7. In the Marker Column drop-down, enter or select the column name that contains markers in a patternTable.

8. In the Name Column drop-down, enter or select a column name that contains 'name' in a patternTable.

9. In the Pattern Type Column drop-down, enter or select a column name that contains 'patternType' in a patternTable.

10. In the Threshold field, enter a threshold value.

11. Click Run to view the result.

12. Click Save to add the operator to the playbook.

13. Click Cancel to discard the operator form.

Usage details

LQL Command

Input:

eventTable: Event table.
column: Column name in an event table to lookup similar patterns from patternTable.
patternTable: Table containing patterns.
patternCol: Column that contains the pattern
markerCol: Column that contains the custom marker (symbol) that is used in the pattern, if the pattern has a custom regex.
nameCol: Column that has the name for the pattern
patternTypeCol: Column that has the type of the pattern.
threshold: Minimum confidence value for a pattern to be considered a match.

Output:

The table with additional columns: patternName, isExactMatch, matchConfidence, matchPattern, patternValue and isPattern

Example

Input
eventTable(id, col1)

patternTable(id, pattern, marker, name, patternType)

LQL command

Output