patternLookup
Find a matching pattern
Given an input string and a list of patterns, find which pattern best matches the input string and the confidence of the match.
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Pattern Lookup operator in the search field and select the operator from the Results to open the operator form.
- In the Event Table drop-down, enter or select the name of the table.
- In the Message Column, enter the name of the column in the eventTable whose values are matched against the patterns.
- In the Pattern Table drop-down, enter or select the table that contains the patterns for lookup.
- In the Pattern Column drop-down, enter or select the name of the patternTable column that contains the patterns.
- In the Marker Column drop-down, enter or select the name of the patternTable column that contains the markers.
- In the Name Column drop-down, enter or select the name of the patternTable column that contains the pattern name.
- In the Pattern Type Column drop-down, enter or select the name of the patternTable column that contains the pattern type.
- In the Threshold field, enter a threshold value.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.

Usage Details
patternLookup(eventTable, column, patternTable, patternCol, markerCol, nameCol, patternTypeCol, threshold)
Input:
- eventTable: Event table.
- column: Name of the column in the event table whose values are looked up against the patterns in patternTable.
- patternTable: Table containing patterns.
- patternCol: Column that contains the pattern.
- markerCol: Column that contains the custom marker (symbol) that is used in the pattern, if the pattern has a custom regex.
- nameCol: Column that has the name for the pattern.
- patternTypeCol: Column that has the type of the pattern.
- threshold: Minimum confidence value for a pattern to be considered a match.
Output:
The table with additional columns: patternName, isExactMatch, matchConfidence, matchPattern, patternValue and isPattern.
Example
Input
eventTable(id, col1)
| id | col1 | 
|---|---|
| 1 | Windows shut down due to thermal event | 
| 1 | Emil logged in to the server | 
patternTable(id, pattern, marker, name, patternType)
| id | pattern | marker | name | patternType | 
|---|---|---|---|---|
| 1 | $any$ shut down due to thermal event | $ | | |
| 1 | Kumar logged in to the server | | | |
patternLookup(eventTable, "col1", patternTable, "pattern", "marker", "name", "patternType", 0.7)
Output
| patternName | isExactMatch | matchConfidence | matchPattern | patternValue | isPattern | id | col1 | 
|---|---|---|---|---|---|---|---|
| CompositePattern | true | 1.0 | pattern -- $any$ shut down due to thermal event | pattern -- $any$ shut down due to thermal event | true | 1 | Windows shut down due to thermal event | 
| StringPattern | false | 0.8620689655172413 | Kumar logged in to the server | Emil logged in to the server | true | 1 | Emil logged in to the server | 
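
The following is an added sketch, not the product's own code, of how a lookup like this can be scored against the example tables above. It assumes that marker-delimited names such as $any$ act as wildcards and that confidence is 1 minus the Levenshtein distance divided by the length of the longer string, an assumption that reproduces the 0.8620689655172413 shown for the Emil/Kumar row. The function names and the reduced set of output keys are illustrative.

```python
import re

# Pattern rows copied from the page's patternTable example.
PATTERNS = [
    {"pattern": "$any$ shut down due to thermal event", "marker": "$"},
    {"pattern": "Kumar logged in to the server", "marker": ""},
]

def levenshtein(a, b):
    """Edit distance by dynamic programming, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Assumed confidence metric: 1 - distance / length of the longer string."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

def marker_regex(pattern, marker):
    """Treat marker-delimited names such as $any$ as wildcards, the rest as literal text."""
    parts = pattern.split(marker)
    if len(parts) % 2 == 0:  # unbalanced marker: no placeholder, match literally
        return re.compile(re.escape(pattern))
    return re.compile("".join(
        re.escape(p) if i % 2 == 0 else ".+" for i, p in enumerate(parts)))

def pattern_lookup(message, patterns, threshold):
    """Return the best pattern at or above threshold, or None."""
    best = None
    for row in patterns:
        if row["marker"]:
            # fullmatch anchors both ends so a pattern cannot match a fragment
            if not marker_regex(row["pattern"], row["marker"]).fullmatch(message):
                continue
            score = 1.0
        else:
            score = similarity(message, row["pattern"])
        if score >= threshold and (best is None or score > best["matchConfidence"]):
            best = {"matchPattern": row["pattern"], "matchConfidence": score,
                    "isExactMatch": score == 1.0}
    return best

if __name__ == "__main__":
    for msg in ("Windows shut down due to thermal event", "Emil logged in to the server"):
        print(msg, "->", pattern_lookup(msg, PATTERNS, 0.7))
```

Under this metric, raising the threshold from 0.7 to 0.9 drops the Emil/Kumar row, which shows how directly the threshold controls whether near-miss strings are reported as matches.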