Starts with (startswith)
Description
You can apply this operation either as a Filter or Create field operation:
Operation | Description |
---|---|
Filter | Filters string values that start with a specified prefix. |
Create field | Creates a Boolean field that shows true for those strings that start with a specified prefix. |
In both cases, the operation is case sensitive, so make sure the prefix uses lowercase and uppercase letters exactly as they appear in the data. Otherwise, the results might not be as expected.
How does it work in the search window?
Select Filter / Create field in the search window toolbar, then select the Starts with operation. You need to specify two arguments:
Argument | Data type |
---|---|
String mandatory | string |
Prefix mandatory | string |
If you use the Create field operation, the data type of the values in the new field is boolean (true or false).
Example
In the siem.logtrust.web.activity table, we want to get only the events with header values starting with the letter x. To do it, we will apply a Filter using the Starts with operation.
The arguments needed for the filter are:
String - header field
Prefix - Click the pencil icon and enter x
Click Filter data and you will see the following result:
Click Create field and follow the same steps to add a new Boolean field that shows true when the strings in the header field start with x.
How does it work in LINQ?
Use the operator where... to apply the Filter operation and select... as... to apply the Create field operation. These are the valid formats of the Starts with operation:
startswith(string1, string2_prefix)
Examples
You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table:
from siem.logtrust.web.activity
where startswith(headers, "x")
And this is the same example using the Create field operation:
from siem.logtrust.web.activity
select startswith(headers, "x") as startswith_x