approximateLabelLookup
Score table based on similar events from another table
Score an event table by looking at similar events from another event table.
Example:
tableA is a table that has already been processed and scored.
tableB is an event table to be scored.
The two tables have some overlapping content (some similar events) but are not the same
Instead of processing all of tableB, use the scores (or labels) that are already determined for the parts that are similar to tableA. With this method, only the portions of tableB that are not similar to tableA must be processed and scored. It is not necessary to repeat the processing for the similar portions of the tables.
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Approximate Label Lookup operator in the search field and select the operator from the Results to open the operator form.
- In the Reference table drop-down, enter or select a reference table.
- Click Add More to add the list of field names in the reference table to measure similarity.
- In the Ref Label field, enter the label field name in the reference table.
- In the Score Table drop-down, enter or select a table to be scored.
- Click Add More to add the list of columns in the to-be-labeled table, same order as in the reference field.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.
Usage Details
approximateLabelLookup(tableA,listOfColumnsFromTableA, scoreColumn, tableB, listOfColumnsFromTableB)
Input
[tableA](http://google.com): reference (lookup) table
listOfColumnsFromTableA: list of column names from tableA that will be used as a feature to measure similarity.e.g. ["bytes_in","bytes_out"]. Column values should be numeric.
scoreColumn: lookup score or label from tableA
tableB: event table to be scored (approximate label)
listOfColumnsFromTableB: list of column names from tableB that will be used as a feature to measure similarity between tableA and tableB. Ordering of columns names are important, should same order as in listOfColumnsFromTableA
Output
tableB + addition "lhub_lookup_label"
Example
We want to find a score for tableB by looking similar events from tableA, where by "similar" we mean:
tableA.col1 is similar to tableB.col1, and tableA.col2 is similar to tableB.col2 (but not same).
TableA
| id | col1 | col2 | score |
|---|---|---|---|
| u1 | 11 | 12 | 1.0 |
| u2 | 21 | 22 | 5.0 |
| u3 | 31 | 32 | 10.0 |
tableB:
| id | col1 | col2 |
|---|---|---|
| x1 | 11 | 11 |
| x2 | 20 | 20 |
| x3 | 50 | 50 |
approximateLabelLookup(tableA, ["col1","col2"], "score", tableB, ["col1", "col2"])
Output
| id | col1 | col2 | lhub_lookup_label |
|---|---|---|---|
| x1 | 11 | 11 | 1.0 |
| x2 | 20 | 20 | 5.0 |
| x3 | 50 | 50 | null |
"x3" is not scored, since we didn't find similar event from tableA. "u3" in tableA is closer than others, but it is not within 10% difference range.
Updated about 1 year ago