If you need to examine a string and find a pattern in it for your searches or rules, we've got you covered. Perhaps you don't want to build a regular expression and just want to return a true or false that the pattern exists and move on with your day. That's what we will cover today in this video with two functions!
The first function is strings.contains. If the pattern matches anywhere within the string, a boolean value of true is returned; if it doesn't, false is returned. The syntax requires two arguments: the field or variable being observed, followed by the pattern that is being matched, which should be enclosed in double quotes.
The second function is quite similar to strings.contains, the only difference is that strings.starts_with matches a pattern from the start of the field rather than anywhere within the field. Syntactically, it's the same.
Both functions can be used in searches or rules to narrow a dataset by placing them in the filtering statement of a search or in the events section of a rule, much like the function re.regex. They can also be used in the outcome section.
Also, it’s a good idea to leverage the functions strings.to_lower or strings.to_upper to handle fields and values where there may be case sensitivity concerns.
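Here is an added example rule that is not from the video or the product documentation. It ties the pieces above together: strings.to_lower is applied to the field before matching, strings.contains filters in the events section, strings.starts_with filters on a second field, and in the outcome section the same functions are wrapped in aggregation functions (max, count, array_distinct). The rule name, the UDM field paths and the sample pattern values ("base64", "/tmp/") are constructed for illustration, and the layout follows YARA-L 2.0 syntax as I understand it, so check it against your own environment before saving it.

```yaral
rule added_example_temp_dir_base64_launch {
  meta:
    author = "added example"
    description = "Process launched from a temp directory whose command line mentions base64"
    severity = "LOW"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Normalise case once, then compare against a lowercase pattern,
    // so "Base64", "BASE64" and "base64" all match.
    $cmd = strings.to_lower($e.target.process.command_line)
    strings.contains($cmd, "base64")

    // starts_with only matches at the beginning of the field.
    $path = strings.to_lower($e.target.process.file.full_path)
    strings.starts_with($path, "/tmp/")

    $hostname = $e.principal.hostname

  match:
    $hostname over 1h

  outcome:
    // Inside outcome the events are aggregated, so the boolean from
    // strings.contains has to go through an aggregation function.
    $event_count = count($e.metadata.id)
    $distinct_command_lines = array_distinct($cmd)
    $mentions_decode = max(if(strings.contains($cmd, "decode"), 1, 0))

  condition:
    $e
}
```

When run as a search rather than a rule, the two lines `strings.contains($cmd, "base64")` and `strings.starts_with($path, "/tmp/")` are the filtering statements; the outcome variables are what you would then group on or display.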
Follow along in the video to see how we can apply these functions to our searches and rules.
The functions strings.contains and strings.starts_with provide the ability to match against a pattern either at the start of a field or variable or anywhere within it. Either way, the function will provide a boolean output.
Just remember that it's a wise idea to convert the field to all upper or lower case and match against a pattern in the same case, so that matching still works where field values could be mixed case. Finally, if we use these functions in the outcome section, where aggregation is occurring, we may also need to apply an aggregation function, like max, count, or array_distinct.