Using the match()
Function
The match()
provides a basic join from a query into
a lookup file that contains completion information. The most common
use-case for this method of joining data to lookup reference
information. For example, matching to list of known security issues,
attack vectors, or network types. For example, uploaded a version of the
port number for different network services, the query:
port=*
| groupBy([port,type],function=[])
| match("services.csv",field=port)
Matches the port number against known protocols:
port | type | baseproto | protocol |
---|---|---|---|
22 | authentication | tcp | ssh |
25 | tcp | smtp | |
443 | install | tcp | https |
443 | weblog | tcp | https |
80 | weblog | tcp | http |
Updating Lookup Files
A common use case for the match()
is to combine
with an automation to create a lookup table that is then used with the
query.
For example, in the diagram below, an alert is used to generate results that are uploaded using the upload file action:
The use case operates as follows:
An alert identifies when new protocol types have been updated.
When the alert runs, it generates an output list, the data is uploaded as a file using the Upload File action.
A dashboard query executes that uses the uploaded file to match against protocol information.
Using this method enables a join between a regularly executed query and a dataset. The two datasets could be across different repositories or the same.