Ends with (endswith)
- Juan Tomás Alonso Nieto (Deactivated)
- Former user (Deleted)
- Former user (Deleted)
Description
You can apply this operation either as a Filter or Create field operation:
Filter | Filters string values that end with a specified suffix. |
|---|---|
Create field | Creates a Boolean field that shows true for those strings that end with a specified suffix. |
In both cases, the operation is case sensitive, so make sure the suffix contains lower and uppercase as needed. Otherwise, the results might not be as expected.
How does it work in the search window?
Select Filter / Create field in the search window toolbar, then select the Ends with operation. You need to specify two arguments:
Argument | Data type |
|---|---|
String mandatory | string |
Suffix mandatory | string |
If you use the Create field operation, the data type of the values in the new field is boolean (true or false).
Example
In the siem.logtrust.web.activity table, we want to get only the events with srcHost values ending in 6. To do it, we will apply a Filter using the Ends with operation.
The arguments needed for the filter are:
String - srcHost field
Suffix - Click the pencil icon and enter 6
Click Filter data and you will see the following result:
Click Create field and follow the same steps to add a new Boolean field that shows true when the strings in the srchost field end in 7.
How does it work in LINQ?
Use the operator where... to apply the Filter operation and select... as... to apply the Create column operation. These are the valid formats of the Ends with operation:
endswith(string1, string2_suffix)
Examples
You can copy the following LINQ script and try the above example on the demo.ecommerce.data table:
from demo.ecommerce.data
where endswith(uri, "7")And this is the same example using the Create column operation:
from demo.ecommerce.data
select endswith(uri, "7") as endswith_7