Query by Context Table

You can search inside any field and compare the values to values in up to two context tables. For example, you might want to search the logs for events involving vendors that match to any vendor listed in one or two specific context tables. You can search for those values in any single column from each context table. If you don't specify a column, the search defaults to looking for values in the key column of the context table.

Note

See Context Tables in Search for more information, including rules and limitations.

Examples of valid query syntax:

fieldName IN "nameofcontexttable"."nameofcolumn
fieldName IN "nameofcontexttable"
fieldName IN "nameofcontexttable1"."nameofcolumn" AND fieldName IN "nameofcontexttable2"."nameofcolumnintable2"
fieldName IN "nameofcontexttable1" AND fieldName IN "nameofcontexttable2"
fieldName : "value" AND fieldName IN "nameofcontexttable"."nameofcolumn"
fieldName : "value" AND fieldName IN "nameofcontexttable1" AND fieldName IN "nameofcontexttable2"."nameofcolumnintable2"
(fieldName1 : "value1" OR fieldName2 : "value2") AND fieldName IN "nameofcontexttable"."nameofcolumn"
(fieldName1 : "value1" OR fieldName2 : "value2) AND (fieldName3: "value3" OR fieldName4 : "value4) AND fieldName IN "nameofcontexttable"."nameofcolumn"
(fieldName1 : "value1" OR fieldName2 : "value2") AND (fieldName3 : "value3" OR fieldName4 : "value4") AND NOT fieldName IN :nameofcontexttable"."nameofcolumn"
(fieldName1 : "value1" OR fieldName2 : "value2") AND NOT (fieldName3 : "value3" OR fieldName4 : "value4") AND fieldName IN "nameofcontexttable"."nameofcolumn"

Examples of invalid query syntax:

(fieldName1 : "example1" AND fieldName2 : "example2") OR fieldName IN "nameofcontexttable"."nameofcolumn"
Note
The OR operator is not allowed with a context table.

Exabeam SearchExabeam Search Guide

Table of ContentsTable of Contents