I currently have a search that kinda works for what I need but it returns a lot of false positives.
Example:
Say I have a lookup table file that contains the string "ed" as an entry. Currently when I run the query I get hits on every string that contains "ed" like fred, red, bed, education, etc...
What I would like to do is be able to specify that I only get a hit on an exact match and exclude straings that only contain the string I'm searching for.
Current search:
*[| inputlookup MY_LOOKUP_FILE.csv | rename COLUMN_HEADER as search | fields search | format] | eval rawText= _raw | eval hit=[| inputlookup MY_LOOKUP_FILE.csv | stats values(COLUMN_HEADER) as query | eval query=mvjoin(query,",") | fields query | eval query = "".query.""] | eval hit=split(hit,",") | mvexpand hit | eval hit=lower(hit) | eval rawText=lower(rawText) | where like(rawText,"%"+hit+"%") | TABLE _time,hit,rawText
Any ideas?
Thanks.
Do you have a named field? You can use that for an exact match quite easily.
This example, lets call it approach A does an exact match on path:
host=my_host path=/somepath/ | timechart span=1m count by path
This while this example, lets call it approach B uses '/somepath/' as a word to do a partial match
host=my_host /somepath/ | timechart span=1m count by path
Given logs with the following entries for path:
/somepath/
/somepath/hello
/somepath/world
Approach A will only match /somepath/ while approach B will match all three
What delimits the strings you're searching for? If it's a fixed character like comma or space, put it in your like() clause - '... | where like(rawtext,"% "+hit+" %") | ...
'. You may need to use multiple like() clauses if the delimiter varies (... | where like(rawtext,"% "+hit+" %") OR like(rawtext,"%,"+hit+",%") | ...
).
I've tried that with no results.
I've also tried to use
...| where make(rawtext, hit) |... and I get the same results with the false positives.