In LogPoint, you can maintain a collection of values as a List. You can use the list to search for logs associated with the values in it. For example, if you create a list named ACTIONS_LIST having the values of the field action, you can use the query action in ACTIONS_LIST in the search bar to view all the logs containing the actions defined in the list.
You can also use the list to correlate the values in dashboard, reports, and alerts.
LogPoint supports two kinds of lists: Static List and Dynamic List.
Static List is the collection of pre-defined values. You can use the static list to search those values efficiently.
For example, if you need to store a list of blocked IP addresses, you can define a list named IP_BLACKLIST and populate it with the blacklisted IPs. Whenever you need to check whether an event's IP address is blocked, you can use the syntax device_ip in IP_BLACKLIST.
The list remains unchanged until you add or remove list items yourself.
Go to Settings >> Knowledge Base from the navigation bar and click Lists and Tables.
The page lists the existing lists and tables. You can select either the list or the table option from the drop-down menu.
Click Add.
Figure: Adding a list
Select Static List.
Provide the Name and List of Values. You can also select the vendor-provided lists from the Also Include From Vendor table.
Figure: Adding a static list
Click Submit.
Dynamic List is a list that collects specific values from events at runtime and stores them for a limited or an unlimited period. Unlike the static list, the values in a dynamic list are not pre-defined. You must use the toList process command to define the values from the search result. You can also use the process command to update an existing dynamic list through a search or at scheduled intervals in alerts and dashboards, which reduces manual data entry in the list.
For example, if you want to maintain a list of all the users in a system, you can create a dynamic list USERS and execute the toList process command to populate the list. Whenever new users log into the system, you can execute the process command to update the list values.
Go to Settings >> Knowledge Base from the navigation bar and click Lists and Tables.
The page lists the existing lists and tables. You can select either the list or the table option from the drop-down menu.
Click Add.
Figure: Adding a list
Select Dynamic List.
Provide Name and Age Limit. Age Limit is the expiration time for the values in the list, i.e., the values expire after the time specified in the Age Limit.
Figure: Adding a dynamic list
Note
The age limit must be either 0 or at least 30 minutes. If you do not want the values to expire, set the age limit to 0.
Click Submit.
The toList process command populates the dynamic list with the field values of the search result.
Syntax:
| process toList (list_name, field_name)
Note
This process command takes two arguments: the list name and the field name. It prompts an error message if you provide more than two arguments or an incorrect list name.
Example:
device_ip=* | process toList(device_ip_list, device_ip)
The above example populates the dynamic list device_ip_list with the values of the field device_ip from the search result.
Figure: Defining values in the dynamic list
If you execute the same process command with a different field name, it adds the values of the field to the existing values in the list.
For example, if you execute the query device_ip=* | process toList(device_ip_list, device_ip), then execute device_ip=* | process toList(device_ip_list, device_name), the process command adds the values of device_name to the values present in the list device_ip_list.
Figure: Adding values in the dynamic list
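The dynamic list behaviour described above (toList appending field values to an existing list, Age Limit expiry, and the field in LIST search condition that static lists such as IP_BLACKLIST use as well), modelled in Python as an added example; this is not LogPoint's own code, and the events, timestamps and list name are constructed.

```python
from datetime import datetime, timedelta

# Added example, not LogPoint's own code: a minimal model of a dynamic list as
# this page describes it. toList appends the field values of a search result;
# Age Limit (minutes) expires values, 0 means never expire, minimum is 30.
MIN_AGE_LIMIT_MINUTES = 30

# Constructed sample search result, i.e. the events matched by "device_ip=*".
SAMPLE_EVENTS = [
    {"device_ip": "10.0.0.1", "device_name": "fw-edge"},
    {"device_ip": "10.0.0.2", "device_name": "fw-core"},
]


class DynamicList:
    def __init__(self, name, age_limit_minutes):
        if age_limit_minutes != 0 and age_limit_minutes < MIN_AGE_LIMIT_MINUTES:
            raise ValueError("age limit must be 0 (never expire) or at least 30 minutes")
        self.name, self.age_limit = name, age_limit_minutes
        self.values = {}  # value -> time of the last toList run that saw it

    def to_list(self, events, field_name, now):
        """'| process toList(list_name, field_name)': add field values to the list."""
        for event in events:
            if field_name in event:
                self.values[event[field_name]] = now
        self._expire(now)

    def _expire(self, now):
        if self.age_limit == 0:
            return
        cutoff = now - timedelta(minutes=self.age_limit)
        self.values = {v: t for v, t in self.values.items() if t >= cutoff}

    def contains(self, value, now):
        """Model of the search condition 'field_name in LIST_NAME'."""
        self._expire(now)
        return value in self.values


def demo():
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed timestamps
    ips = DynamicList("device_ip_list", age_limit_minutes=60)
    ips.to_list(SAMPLE_EVENTS, "device_ip", t0)           # two IP addresses
    ips.to_list(SAMPLE_EVENTS, "device_name", t0)         # names are appended
    # Only the first device shows up again 45 minutes later.
    ips.to_list(SAMPLE_EVENTS[:1], "device_ip", t0 + timedelta(minutes=45))
    later = t0 + timedelta(minutes=70)
    return sorted(ips.values), ips.contains("10.0.0.1", later), ips.contains("fw-core", later)
```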
Select the list you want to export.
Click the Export icon.
Figure: Exporting a list
Save the exported package.
Click the Import icon.
Browse for the list package file.
Figure: Importing a list
Click Upload.
Note
After you import a dynamic list, it behaves like a newly created list as the values of the Lists and Last Updated fields are not retained.
Go to Settings >> Knowledge Base from the navigation bar and click Lists and Tables.
Click the Delete icon under the Actions column for the list.
A delete confirmation dialog box appears on the screen. Click Yes to proceed.
Tables store data that you can use to enrich logs. You can search the data stored in a table using a search query.
For example, if you create a table named “USERS”, you can use the query Table “USERS” in the search bar to view the data of the table.
A Dynamic table stores the specified field and field values during the runtime for a limited or an unlimited period. You must use the toTable process command to define the values from the search result in the dynamic table. You can update the dynamic table by executing the toTable process command through search or scheduled intervals in alerts and dashboards.
The application adds the dynamic table as an enrichment source. Go to Settings >> Configuration from the navigation bar and click Enrichment Sources to view the dynamic table. You can use it in an enrichment policy like any other enrichment source. Refer to the Enrichment Policies section for more details.
Go to Settings >> Knowledge Base from the navigation bar and click Lists and Tables.
The page lists the existing lists and tables.
Select the Tables option from the drop-down.
Figure: Selecting the Table option from the drop-down
Click Add to open the Table panel.
Provide Name and Age Limit. Age Limit is the expiration time for the values in the table, i.e., the values expire after the time specified in the Age Limit.
Figure: Adding a dynamic table
Note
The age limit must be either 0 or at least 30 minutes. If you do not want the values to expire, set the age limit to 0.
Click Save.
The toTable process command populates the dynamic table with the fields and field values of the search result.
Syntax:
| process toTable (table_name, field_name1, field_name2,...., field_name9)
Note
This process command takes a table name and 1-9 field names as arguments. It prompts an error message if you provide more than ten arguments or an incorrect table name.
The toTable process command does not support the fields log_ts, col_ts, sig_id, msg, and col_type.
The dynamic table defines its column names based on the field names passed in the toTable process command.
Example:
device_ip=* | process toTable(device_ip_table, device_name, device_ip, action)
The above example defines two columns, device_name and device_ip, for the dynamic table device_ip_table and populates the table with their values from the search result.
Click the View Table Data icon under the Actions column of the dynamic table to view the values of the table. You can also view the table data by executing the query Table “DEVICE_IP_TABLE” in the search bar.
Figure: View Table Data icon of the dynamic table
Figure: Viewing the values of the dynamic table
Note
If you want to update the table, make sure to pass the same number of arguments, with the same data types, to the toTable process command as before.
If you pass different field names of the same data types, make sure the order of the data types is the same as before.
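The toTable rules above (a table name plus 1 to 9 field names, the unsupported fields, column names taken from the first run, and updates that must keep the same argument count and data type order) together with the enrichment use of a table, modelled in Python as an added example; this is not LogPoint's own code, and the sample events, the enrich lookup and the type comparison are assumptions.

```python
# Added example, not LogPoint's own code: a minimal model of a dynamic table as
# this page describes it. Assumptions: a row needs every listed field, and the
# "same data type" rule is checked with the Python type of each column's values.
UNSUPPORTED_FIELDS = {"log_ts", "col_ts", "sig_id", "msg", "col_type"}

# Constructed sample search result, i.e. the events matched by "device_ip=*".
SAMPLE_EVENTS = [
    {"device_name": "fw-edge", "device_ip": "10.0.0.1", "action": "allow"},
    {"device_name": "fw-core", "device_ip": "10.0.0.2", "action": "deny"},
]

class DynamicTable:
    def __init__(self, name):
        self.name, self.rows = name, []
        self.columns, self.col_types = None, None  # set by the first toTable run

    def to_table(self, events, *field_names):
        """'| process toTable(table_name, field_name1, ..., field_name9)'."""
        if not 1 <= len(field_names) <= 9:
            raise ValueError("toTable takes a table name and 1 to 9 field names")
        bad = UNSUPPORTED_FIELDS.intersection(field_names)
        if bad:
            raise ValueError(f"unsupported field(s): {sorted(bad)}")
        rows = [tuple(e[f] for f in field_names)
                for e in events if all(f in e for f in field_names)]
        types = [type(v) for v in rows[0]] if rows else None
        if self.columns is None:
            self.columns = list(field_names)
        elif len(field_names) != len(self.columns):
            raise ValueError("an update must pass the same number of fields as before")
        elif self.col_types and types and types != self.col_types:
            raise ValueError("an update must keep the data type order of the columns")
        if types and not self.col_types:
            self.col_types = types
        self.rows.extend(rows)

    def enrich(self, event, key_column):
        """Enrichment-style use: merge in the first row whose key_column matches."""
        idx = self.columns.index(key_column)
        for row in self.rows:
            if row[idx] == event.get(key_column):
                return {**event, **dict(zip(self.columns, row))}
        return event

def try_to_table(table, events, *field_names):
    """Return None on success, else the error message the UI would prompt."""
    try:
        table.to_table(events, *field_names)
    except ValueError as err:
        return str(err)
```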
Warning
In a data privacy enabled system, the toList and toTable process commands process the encrypted fields only if you have full access to the data privacy fields, i.e., if the granting user grants access to view all the values of all the data privacy fields.