Skip to main content
Version: 6.0

match

info

These innovations work starting from version 5.3.1.

Description

Filters events from the source by field values from an external index. If OUTPUT or OUTPUTNEW is specified, the event will be enriched with the specified fields from the match-index.

The command performs comparison of a specified field in the event and match-index. Wildcard characters * and ? are supported in match-index values — if an entry in the index contains such a pattern, it will be matched against values from events.

Please note!

You should avoid duplicate entries in the match-index for the comparison field. When multiple matching entries exist, the enriched fields in the result will take the form of a multivalue array.

Syntax

...| match <match-index-name> <match-field> [as <source-field>] [match-options] [ OUTPUT | OUTPUTNEW (<match-destfield> [as <event-destfield>] )... ]

Required arguments

ParameterSyntaxDescription
match-index-name<string>Index name for building match.
match-field<string>The name of the field in the match-index for comparison.

Optional arguments match-options

ParameterSyntaxDefaultDescription
packsizepacksize=<int>500Size of data block for processing.
workersworkers=<int>8Number of threads for data processing.
timefieldtimefield=<field>@timestampName of the field storing the timestamp.
earliestearliest=<string>Start timestamp for search.
latestlatest=<string>End timestamp for search.

Other Optional Arguments

ParameterSyntaxDefaultDescription
source-field<string>The name of the field in the event to compare with match-field. Used when the field name in the event and in the match-index do not match.
`OUTPUTOUTPUTNEW``OUTPUTOUTPUTNEW`
match-destfield<string>The name of the field in the match-index whose value is added to the event.
event-destfield<string>The name of the field in the result. Used when you need to save the value from the match-index under a different name. Specified after as in the construct OUTPUT <match-destfield> as <event-destfield>.

Query Examples

The following examples use two indexes.

Event index auth_events:

@timestampuser_loginhost.nameevent.actionevent.outcome
2026-06-24T10:00:00Zadmindc-01logged-insuccess
2026-06-24T10:05:00Zsvc_backupsrv-02logged-insuccess
2026-06-24T10:10:00Zsvc_monitorsrv-03logged-insuccess
2026-06-24T10:15:00Zguestworkstation-05logged-infailure
2026-06-24T10:20:00Zjohn.doeworkstation-12logged-outsuccess
2026-06-24T10:25:00Zunknown_userworkstation-99logged-infailure

Match-index ad_users (user directory):

usernamecategoryrisk_leveldescription
adminadministratorlowSystem administrator
svc_*service_accountmediumService account
guestexternalhighGuest user
john.doeemployeelowHR department employee

Example 1

In this example, match is used as a filter without enrichment. From the event stream, only those events remain where the value of the user_login field matches the username field in the ad_users match-index. The keyword as user_login indicates that the comparable field in the event is called user_login, not username.

source auth_events
| match ad_users username as user_login

User unknown_user is absent in ad_users, so their event is excluded from the result:

@timestampuser_loginhost.nameevent.actionevent.outcome
2026-06-24T10:00:00Zadmindc-01logged-insuccess
2026-06-24T10:05:00Zsvc_backupsrv-02logged-insuccess
2026-06-24T10:10:00Zsvc_monitorsrv-03logged-insuccess
2026-06-24T10:15:00Zguestworkstation-05logged-infailure
2026-06-24T10:20:00Zjohn.doeworkstation-12logged-outsuccess

Example 2

In this example, events are enriched with category, risk_level, and description fields from the match-index. OUTPUT overwrites the values of these fields in the event, even if they are already filled.

source auth_events
| match ad_users username as user_login OUTPUT category, risk_level, description
@timestampuser_loginhost.nameevent.actionevent.outcomecategoryrisk_leveldescription
2026-06-24T10:00:00Zadmindc-01logged-insuccessadministratorlowSystem administrator
2026-06-24T10:05:00Zsvc_backupsrv-02logged-insuccessservice_accountmediumService account
2026-06-24T10:10:00Zsvc_monitorsrv-03logged-insuccessservice_accountmediumService account
2026-06-24T10:15:00Zguestworkstation-05logged-infailureexternalhighGuest user
2026-06-24T10:20:00Zjohn.doeworkstation-12logged-outsuccessemployeelowHR department employee

Example 3

In this example, OUTPUTNEW is used — fields are added only if they are absent in the event. Unlike OUTPUT, already filled values are not overwritten. Suppose that in auth_events the user admin already has the field category filled with the value sysadmin:

@timestampuser_loginhost.namecategory
2026-06-24T10:00:00Zadmindc-01sysadmin
2026-06-24T10:05:00Zsvc_backupsrv-02
source auth_events
| match ad_users username as user_login OUTPUTNEW category, risk_level

For admin, the field category retains the original value sysadmin. For svc_backup, whose field is empty, the value will be added from the match-index:

@timestampuser_loginhost.namecategoryrisk_level
2026-06-24T10:00:00Zadmindc-01sysadminlow
2026-06-24T10:05:00Zsvc_backupsrv-02service_accountmedium

Example 4

In this example, the work of wildcard patterns in the match-index is demonstrated. The entry svc_* in the username field of the ad_users index is matched against all values starting with svc_. Events of users svc_backup and svc_monitor receive the category field from this entry.

source auth_events
| search user_login="svc_*"
| match ad_users username as user_login OUTPUT category
@timestampuser_loginhost.nameevent.actionevent.outcomecategory
2026-06-24T10:05:00Zsvc_backupsrv-02logged-insuccessservice_account
2026-06-24T10:10:00Zsvc_monitorsrv-03logged-insuccessservice_account

Example 5

In this example, performance parameters packsize and workers are used, as well as renaming the resulting field through as. The category field from the match-index is saved in the event under the name user_category.

source auth_events
| match ad_users username as user_login packsize=1000 workers=4 OUTPUT category as user_category, risk_level

Example 6

In this example, parameters earliest and latest limit the time range of records in the match-index that participate in matching. This is useful when the match-index contains versioned data — for example, a user directory that is updated over time, and you need to match events only with records that were actual for a specific period.

source auth_events
| match ad_users username as user_login earliest="2026-06-24T00:00:00Z" latest="2026-06-26T00:00:00Z" OUTPUT category
@timestampuser_loginhost.nameevent.actionevent.outcomecategory
2026-06-24T10:00:00Zadmindc-01logged-insuccessadministrator
2026-06-24T10:05:00Zsvc_backupsrv-02logged-insuccessservice_account
2026-06-24T10:10:00Zsvc_monitorsrv-03logged-insuccessservice_account
2026-06-24T10:15:00Zguestworkstation-05logged-infailureexternal
2026-06-24T10:20:00Zjohn.doeworkstation-12logged-outsuccessemployee
2026-06-24T10:35:00Zoleg.ivanovworkstation-100logged-insuccessemployee
2026-06-24T10:45:00Zivan.ivanovworkstation-101logged-infailureemployee