
Glob pattern on names (nameglob)

Description

This operation identifies a correctly formatted string as a namepattern - a required input for the Any name matches (anymatches) operation. This is the only use for this operation.

Used together, these two operations filter the tables column of a global search result. Read more about this in the Any name matches (anymatches) article.

About glob name patterns

Glob name patterns use asterisks as wildcards so that you can identify any table whose name matches a pattern. The accepted syntax for glob patterns in Devo includes:

  • siem.*.*.* - table names with four levels where the first is "siem"

  • siem.** - table names with any number of levels where the first is "siem"

  • **.all.** - table names containing "all" as a name level at any level in the name

  • **.*ss*.** - table names containing "ss" within a name level at any level in the name

As the examples show, a single asterisk is a wildcard for part of a level or a whole level of a table name, while two asterisks represent any number of levels. Levels are separated by ".", so you must include "." in the glob pattern to guide the search; a single asterisk never matches across a ".".
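The following Python matcher is an added illustration of the level-based matching described above and of how anymatches(tables, nameglob(...)) filters events; it is not Devo code. Two points the page leaves open are treated as assumptions here: "**" may match zero or more levels (so "**.all.**" also matches "all.data"), and the tables field is modelled as a Python list of table names. The table names and events in SAMPLE_EVENTS are constructed for the example.

```python
"""Emulation of Devo nameglob / anymatches semantics over table names.

Added example, not Devo code. Assumptions not stated on the page:
  * '**' may match zero or more levels ('**.all.**' also matches 'all.data');
  * the tables field of an event is modelled as a Python list of names.
"""
import re
from typing import Dict, List


def is_valid_nameglob(pattern: str) -> bool:
    """Return True for a well-formed name pattern (the check nameglob performs).

    Rules applied here, derived from the documented syntax (assumed):
      - at least one level, levels separated by '.';
      - no empty level, so 'siem..web' is rejected;
      - '**' must be a whole level, so 'siem.a**' is rejected.
    """
    if not pattern:
        return False
    for level in pattern.split("."):
        if level == "":
            return False
        if "**" in level and level != "**":
            return False
    return True


def _level_matches(level_pattern: str, level: str) -> bool:
    """Match one level: '*' matches any run of characters that contains no '.'."""
    regex = re.escape(level_pattern).replace(r"\*", "[^.]*")
    return re.fullmatch(regex, level) is not None


def _match_levels(pats: List[str], levels: List[str]) -> bool:
    """Recursive level-by-level match; '**' consumes zero or more levels."""
    if not pats:
        return not levels
    if pats[0] == "**":
        return any(_match_levels(pats[1:], levels[i:]) for i in range(len(levels) + 1))
    if not levels:
        return False
    return _level_matches(pats[0], levels[0]) and _match_levels(pats[1:], levels[1:])


def name_matches(pattern: str, table_name: str) -> bool:
    """Does a single table name match a nameglob pattern?"""
    if not is_valid_nameglob(pattern):
        raise ValueError(f"not a valid nameglob pattern: {pattern!r}")
    return _match_levels(pattern.split("."), table_name.split("."))


def any_name_matches(tables: List[str], *patterns: str) -> bool:
    """Emulates anymatches(tables, nameglob(p1), nameglob(p2), ...)."""
    return any(name_matches(p, t) for p in patterns for t in tables)


# Constructed sample events standing in for rows of all.data after a global search.
SAMPLE_EVENTS: List[Dict] = [
    {"message": "logtrust web login", "tables": ["siem.logtrust.web.activity"]},
    {"message": "logtrust host event", "tables": ["box.all.win", "box.unix"]},
    {"message": "logtrust cloud event", "tables": ["cloud.aws.access.log"]},
]


def filter_events(events: List[Dict], *patterns: str) -> List[Dict]:
    """Keep only events whose tables field contains a name matching any pattern."""
    return [e for e in events if any_name_matches(e["tables"], *patterns)]


if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, "siem.**"):
        print(e["tables"])
```

Note that `name_matches("siem.*", "siem.a.b")` is False: a single asterisk stays inside one level, which is why the page's patterns spell out each level or use "**".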

How does it work in the search window?

This operation is applied transparently in the search window. That is to say, when you set up the Any name matches operation, the second argument, matches (and any subsequent arguments), is accepted as a namepattern.

How does it work in LINQ?

The nameglob operation is only used as part of the Any name matches (anymatches) operation. Therefore, the only valid use of nameglob is inside the Any name matches operation, as follows:

anymatches(setname_field, nameglob(string))

Note that the only setname_field that exists in any data table is the tables field in the all.data table (global search results).

Examples

Run a global search for the token "logtrust". The all.data table opens in the search window.

Now open the Query Editor and edit the query by adding the last line below:

from all.data where toktains(message, "logtrust") where anymatches(tables, nameglob("siem.**"))

Run the edited query. The filter is applied so that only events whose tables column contains a table name starting with "siem." are displayed.