
Equal (eq, =)

Description

You can apply this operation either as a Filter or Create column operation:

Filter

Compares two values of the same type and returns only the events where the values are exactly the same.

Create column

Compares two values of the same type and creates a Boolean column that shows true when both values are exactly the same.

This operation is case sensitive. Use the Equal - case insensitive (eqic) operation if you need to apply this operation ignoring case.

How does it work in the search window?

Select Filter / Create column in the search window toolbar, then select the Equal operation. You need to specify two arguments:

  • Value (mandatory) - Data type: any

  • is equal to (mandatory) - Data type: the same data type as the Value argument

Caution with type conversions as types must match

Be aware that there is no automatic conversion between certain data types (there is from int to str but not from str to int). For those cases, you must use the required operation from the conversion group.

If you use the Create column operation, the data type of the values in the new column is boolean (true or false).
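To make the type rule above concrete, here is an added Python model of the operation (example code, not Devo's implementation). It assumes the "int to str" direction means an int Value is rendered as text when compared with a str operand, that a str Value compared with an int is rejected until you convert explicitly, and the event rows are constructed.

```python
from typing import Any

# Constructed sample events standing in for rows of siem.logtrust.web.activity
# (field names srcPort / statusCode come from the page; values are made up).
EVENTS = [
    {"id": 1, "srcPort": 42924, "statusCode": 200, "method": "GET"},
    {"id": 2, "srcPort": 443,   "statusCode": 200, "method": "get"},
    {"id": 3, "srcPort": 42924, "statusCode": 404, "method": "POST"},
]


def devo_eq(value: Any, other: Any) -> bool:
    """Model of the Equal (eq, =) operation.

    - Same type: exact, case-sensitive comparison.
    - int Value vs str operand: assumed to follow the automatic int-to-str
      conversion the page mentions, so the int is rendered as text first.
    - str Value vs int operand: no automatic conversion exists, so this is
      modelled as a type error (use the conversion group explicitly).
    """
    if type(value) is type(other):
        return value == other
    if isinstance(value, int) and isinstance(other, str):
        return str(value) == other
    raise TypeError(f"eq: cannot compare {type(value).__name__} "
                    f"with {type(other).__name__} without conversion")


def filter_events(events: list, field: str, other: Any) -> list:
    """Filter operation: keep only the events where field = other."""
    return [e for e in events if devo_eq(e[field], other)]


def create_column(events: list, field: str, other: Any, name: str) -> list:
    """Create column operation: add a Boolean column called `name`."""
    return [{**e, name: devo_eq(e[field], other)} for e in events]
```

Running `filter_events(EVENTS, "method", "GET")` keeps only event 1, because "get" does not match under a case-sensitive comparison.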

Example

In the siem.logtrust.web.activity table, we want to detect events whose source port is 42924. We will use the Create field operation to add a new Boolean field that shows true when our events have source port 42924.

We will enter srcport_42924 as the field name. The arguments needed are:

  • Value - srcport field

  • is equal to - Click the pencil icon and enter 42924

Click Create field.

Click Filter and follow the same steps to filter events with source port 42924.

How does it work in LINQ?

Use the operator where ... to apply the Filter operation and select ... as ... to apply the Create column operation. These are the valid formats of the Equal operation:

  • field1 = field2

  • eq(field1, field2)

Examples

You can copy the following LINQ scripts and try some examples:

from siem.logtrust.web.activity select srcPort = 42924 as srcport_42924

Try other examples on the demo.ecommerce.data table.

from demo.ecommerce.data where statusCode = 200

or

from demo.ecommerce.data where eq(statusCode, 200)

And this is the same example using the Create field operation:
