
Matches (matches, ~)

Description

You can apply this operation either as a Filter or Create column operation:

Filter

Returns string values that match a specified regular expression.

Create field

Adds a new Boolean field that shows true when a string matches an indicated regular expression.

How does it work in the search window?

Select Filter / Create field in the search window toolbar, then select the Matches operation. You need to specify two arguments:

  • String to be matched (mandatory) - data type: string

  • Regular expression (mandatory) - data type: regexp

If you use the Create field operation, the data type of the values in the new field is boolean (true or false).

Example

In the siem.logtrust.web.activity table, we want to get only the events where the sessionid value starts with n and ends with 5, no matter the number of characters in between. To do it, we will apply a Filter using the Matches operation.

The arguments needed for the filter are:

  • String to be matched - sessionid column

  • Regular expression - Click the pencil icon and enter n.5

Click Filter data and you will see the following result:

Click Create column and follow the same steps to add a new Boolean column that shows true when the strings in the cookie column start with g and end with q.
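To check a pattern against known values before using it in a filter, the following added example (not part of the Devo documentation) runs n.5 and n.*5 over constructed sessionid values and mimics the Filter and Create field behaviours described above. It assumes Python's re module as a stand-in for the platform's regular expression engine and shows both whole-string and substring matching, since the page does not say which one applies; the function names and sample values are hypothetical.

```python
import re

# Constructed sample sessionid values (not taken from any Devo table).
SAMPLES = ["na5", "n5", "nabc5", "xna5y", "n12345", "g7q"]


def classify(pattern, values):
    """For each value, report whether the pattern matches the whole
    string ("full") and whether it matches somewhere inside it ("partial")."""
    rx = re.compile(pattern)
    return {
        v: {"full": rx.fullmatch(v) is not None,
            "partial": rx.search(v) is not None}
        for v in values
    }


def filter_values(pattern, values, mode="full"):
    """Mimic Filter: keep only the values for which the chosen mode is true."""
    result = classify(pattern, values)
    return [v for v in values if result[v][mode]]


def add_boolean_field(pattern, rows, field, new_field, mode="full"):
    """Mimic Create field: keep every row and add a Boolean column."""
    rx = re.compile(pattern)
    test = rx.fullmatch if mode == "full" else rx.search
    return [{**row, new_field: test(row[field]) is not None} for row in rows]


if __name__ == "__main__":
    # "." consumes exactly one character; ".*" consumes zero or more.
    for pat in ("n.5", "n.*5", "^n.*5$"):
        print(pat,
              "| full:", filter_values(pat, SAMPLES, "full"),
              "| partial:", filter_values(pat, SAMPLES, "partial"))
    rows = [{"cookie": "g7q"}, {"cookie": "gabcq"}]  # constructed rows
    print(add_boolean_field("g.q", rows, "cookie", "cookie_gq"))
```

Running the same pattern over a handful of values you expect to pass and to fail shows whether a filter will silently drop events before you rely on it in a search or alert.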

How does it work in LINQ?

Use the operator where... to apply the Filter operation and select... as... to apply the Create column operation. These are the valid formats of the Matches operation:

  • string ~ re(string)

  • string ~ regexp

  • matches(string, re(string))

  • matches(string, regexp)

When you use the Matches operation in a LINQ query, you must use the Regular expression, regexp operation to transform the string value entered to regexp format. To do it, add the re() syntax as in the above examples.

When you apply this operation in the search window interface, Devo automatically transforms your string value to regexp data type, so you don't need to do anything.

Examples

You can copy the following LINQ scripts and try the above example on the demo.ecommerce.data table:

from demo.ecommerce.data where cookie ~ re("g.q")

or

from demo.ecommerce.data where matches(cookie, re("g.q"))

And this is the same example using the Create column operation:

from demo.ecommerce.data select cookie ~ re("g.q") as cookie_gq

or