Lists are collections of values that can be used as criteria in a search query to filter search results. For example, you can search all logs generated by the Sales team by creating a list SALES_USER containing the usernames of all sales members and using the query user in SALES_USER in Search.
Figure: SALES_USER List
Logpoint supports Static List and Dynamic List.
A Static List is a collection of pre-defined values that does not change unless you add or remove values from it.
For example, you can create a list IP_BLACKLIST and add all the blacklisted IPs to it. You can then check for logs from the blocked IP addresses using the query device_ip in IP_BLACKLIST in Search.
Figure: Sorting Columns
To display the Age Limit or Last Updated columns, click MORE >> Columns and select Age Limit (in minutes) or Last Updated.
Figure: Filtering Columns
Go to Settings >> Knowledge Base from the navigation bar and click Lists and Tables.
Select Lists.
Figure: Viewing Lists
Click ADD.
Select Static List.
Enter a Name.
Enter the List of Values. Ensure no tab characters (\t) are included in the values: they are not supported in Logpoint search and will prevent results from being displayed. You can also select the vendor-provided lists from the Also Include From Vendor table.
Figure: Adding a static list
Click Submit.
Go to Settings >> Knowledge Base from the navigation bar and click Lists and Tables.
Click the Name of the list to edit.
Update the information.
Click Submit.
A Dynamic List stores values that can be updated using the toList process command. For example, to list all the users in Logpoint, create a dynamic list USERS and execute the toList process command to add values to the list. Execute the process command again to update the list values whenever new users log in to the system.
Go to Settings >> Knowledge Base from the navigation bar and click Lists and Tables.
Select Lists.
Figure: Viewing Lists
Click ADD.
Select Dynamic List.
Enter a Name and an Age Limit. The Age Limit is the time after which the data in the list is deleted. To keep the data forever, set the Age Limit to 0.
Figure: Adding a dynamic list
Click Submit.
The list added above is initially empty. You can use the toList process command to add field values from the search result to the list.
Syntax:
| process toList (list_name, field_name)
This process command takes two arguments: the list name and the field name. It returns an error message if you provide more than two arguments or an incorrect list name.
Warning
If data privacy is enabled, you cannot use the toList command with encrypted fields unless you have full access to them.
Example:
device_ip=* | process toList(device_ip_list, device_ip)
The above query adds the values of device_ip from the search result to the list device_ip_list.
Figure: Adding values to the dynamic list
If you execute the same process command with a different field name, it adds the values of that field to the existing list alongside the values already there.
For example, if you execute the query device_ip=* | process toList(device_ip_list, device_ip) and then execute device_ip=* | process toList(device_ip_list, device_name), the device_name values are added to the list device_ip_list.
Figure: Adding values to the dynamic list
In a dynamic list with an Age Limit, each item inherits the list's expiry time. For example, if the list's expiry time is set to 3 hours, any item added to the list automatically expires 3 hours after being added. If an item is updated, its expiry time resets and the item expires 3 hours after the last update.
In contrast, a list without an Age Limit treats all items as permanent, giving them an expiry time of 0. To delete these items, you must set an Age Limit for the list and then update the item. Once the item exceeds the new expiry time, it is removed.
Select the list and click EXPORT.
Save the exported package.
Click IMPORT and select PAK file.
Figure: Importing a list
Browse to the .pak file.
Click Submit.
An imported dynamic list does not include the Lists and Last Updated values.
The imported CSV/TXT file should contain only list values. Values in a CSV file must be separated by a comma (,) and values in a TXT file by a newline (\n).
Click Import and select CSV/TXT.
Figure: Importing a list from CSV/TXT
Enter a Name for the list.
Click Browse.
Browse to the .csv or .txt file.
Click Submit.
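As an added example (not Logpoint code), the following hypothetical helper applies the import rules stated above and the no-tab rule from the static list values: comma-separated values for CSV, newline-separated values for TXT, no header row, and rejection of any value containing a tab character because Logpoint search would then return no results.

```python
def parse_list_import(content: str, fmt: str) -> list[str]:
    """Parse a CSV or TXT list import into a deduplicated list of values.

    fmt: "csv" (values separated by ",") or "txt" (values separated by "\n").
    The file is expected to contain only values, no header row.
    Hypothetical helper written for this example, not part of Logpoint.
    """
    separators = {"csv": ",", "txt": "\n"}
    if fmt not in separators:
        raise ValueError("fmt must be 'csv' or 'txt'")

    values: list[str] = []
    for raw in content.split(separators[fmt]):
        # Trim surrounding spaces and line endings only; a tab is NOT trimmed,
        # so an embedded or surrounding tab is still detected below.
        value = raw.strip(" \r\n")
        if not value:
            continue  # skip blank entries such as a trailing newline or empty line
        if "\t" in value:
            raise ValueError(
                f"tab character in value {value!r}: tabs are not supported in "
                "Logpoint search and would prevent results from being displayed"
            )
        if value not in values:
            values.append(value)  # keep first occurrence, preserve file order
    return values
```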
Go to Settings >> Knowledge Base from the navigation bar and click Lists and Tables.
Click the Delete icon under Actions.
To delete multiple lists, select the lists, click MORE and choose Delete Selected.
To delete all the lists, click MORE and choose Delete All.
Figure: Deleting Lists
Click Yes.
Tables are placeholders for storing data, which can then be used to enrich logs. You can create a table, add data to it using the process command, and then use that data to enrich logs.
The data in a table can be updated dynamically using the toTable process command, either from Search or at scheduled intervals from alerts and dashboards, so a table is also referred to as a dynamic table.
Go to Settings >> Knowledge Base from the navigation bar and click Lists and Tables.
Select Tables.
Figure: Viewing Tables
Click ADD.
Enter a Name.
Enter the Age Limit. It is the time after which the data in the table is deleted. To keep the data forever, set the Age Limit to 0.
Figure: Adding a table
Click Save.
The added tables are also displayed as Enrichment Sources. Go to Settings >> Configuration from the navigation bar and click Enrichment Sources to view the tables.
The table added above is initially empty. You can use the toTable process command to add field values from the search result to the table.
Syntax:
| process toTable (table_name, field_name1, field_name2,...., field_name9)
The process command takes a table name and field names as arguments. You can enter a maximum of 9 fields. If you enter more than 9 fields or an incorrect table name, you get an error message. The fields log_ts, col_ts, sig_id, msg, and col_type are not supported.
Warning
If data privacy is enabled, you cannot use the toTable command with encrypted fields unless you have full access to them.
Example:
device_ip=* | process toTable(device_ip_table, device_name, device_ip, action)
When you run the above query for the first time, the two columns device_name and device_ip are added to the table device_ip_table and data is added from the search result. Afterwards, running the same query only adds the search result values to the table; it does not update the columns.
When you execute the dynamic table command, the table is updated with only as many rows as the pagination value specifies. The pagination value can be changed from Page Size Configuration.
For a query with chart count(), the table is updated with 40 rows. You can change this number by adding a limit to the query. For example,
device_ip = * | chart count() by device_ip limit 200 | process toTable(device_ip_table, device_name, device_ip)
Every time you update the table, you must pass the same number of arguments you passed when you first executed the process command. You can also set up alerts and dashboards that run at scheduled intervals to update the table.
You can view the table data by clicking the View Table Data icon under the Actions column. It redirects you to Logpoint Search with the prefilled query Table DEVICE_IP_TABLE. You can also view the table directly from the Search page using the same query.
Figure: Viewing the table data
In a dynamic table with an Age Limit, each row inherits the table's expiry time. For example, if the table's expiry time is set to 3 hours, any row added to the table automatically expires 3 hours after being added. If a row is updated, its expiry time resets and the row expires 3 hours after the last update.
In contrast, a table without an Age Limit treats all rows as permanent, giving them an expiry time of 0. To delete these rows, you must set an Age Limit for the table and then update the row. Once the row exceeds the new expiry time, it is removed.
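The expiry rules above are the same for dynamic lists and dynamic tables, so the following added example (a hypothetical model written for this page, not Logpoint's implementation) covers both: an entry inherits the Age Limit in force when it is added or updated, an update resets its clock, Age Limit 0 marks it permanent, and a permanent entry only becomes deletable after the Age Limit is set and the entry is updated. The table subclass also enforces the toTable argument rules stated above (at most 9 fields, unsupported fields rejected, columns fixed on the first run, same argument count on later runs). Times are in minutes, matching the Age Limit column.

```python
from __future__ import annotations

UNSUPPORTED_FIELDS = {"log_ts", "col_ts", "sig_id", "msg", "col_type"}
MAX_TABLE_FIELDS = 9


class DynamicStore:
    """Expiry model shared by dynamic lists and tables (hypothetical, not Logpoint code).
    age_limit is in minutes; 0 means entries never expire. For a list, a key is one value
    and upsert() plays the role of '| process toList(list, field)'."""

    def __init__(self, age_limit: int = 0):
        self.age_limit = age_limit
        self.expiry: dict = {}  # key -> expiry timestamp (minutes), or None for permanent

    def upsert(self, key, now: int) -> None:
        # A new or updated entry inherits the store's CURRENT Age Limit; an update resets the clock.
        self.expiry[key] = None if self.age_limit == 0 else now + self.age_limit

    def purge(self, now: int) -> list:
        """Remove entries whose expiry has passed. Entries stamped permanent (None) are kept
        even if the Age Limit was raised later: they must be updated first, as the page states."""
        gone = [k for k, exp in self.expiry.items() if exp is not None and now >= exp]
        for k in gone:
            del self.expiry[k]
        return gone


class DynamicTable(DynamicStore):
    """Mimics '| process toTable(table, field1, ..., field9)' argument handling."""

    def __init__(self, age_limit: int = 0):
        super().__init__(age_limit)
        self.columns: tuple | None = None  # defined by the first run, never changed afterwards

    def to_table(self, fields: list[str], rows: list[tuple], now: int) -> int:
        """Add search-result rows (tuples in field order); returns the row count after the run."""
        if len(fields) > MAX_TABLE_FIELDS:
            raise ValueError("toTable accepts at most 9 fields")
        if UNSUPPORTED_FIELDS & set(fields):
            raise ValueError(f"unsupported fields: {sorted(UNSUPPORTED_FIELDS & set(fields))}")
        if self.columns is None:
            self.columns = tuple(fields)  # first run creates the columns
        elif len(fields) != len(self.columns):
            raise ValueError("pass the same number of fields as on the first run")
        for row in rows:
            self.upsert(tuple(row), now)  # same row again = update, which resets its expiry
        return len(self.expiry)
```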