How can I perform a match/where on part of a string? I'm tying myself in knots with regex and I'm sure there's something simple that actually works!
For example: I have a field called data.desc that contains strings like 'match to abc found: abc' or 'match to abc found: acd'. What I want to do is return all the events where abc is found after the : (i.e. return the first example and not the second). This regex, :.*$, obtains the data from the : onwards, but I can't work out how to compare the result of that to abc.
The data is from a brand-protection system that looks for domains being registered, updated, etc. that are similar to ours but, because some of our domains are simply three characters long, it picks up all variations. For example abd.com, kbc.com, fab.com would all match abc.com and create an event log, so what I'm trying to do is create a search where the discovered domain only contains a match to the three characters abc anywhere in the section after the :.
I’ll then use this search to generate alerts to prioritise investigations rather than go through lists of domains that are less likely to be relevant.
Well, I couldn’t get your example to work, but while staring at it I had a thought and I think I thought this was more complicated than it actually is:
This simple solution seems to work: where("custom_data.desc" = /.*found:.abc./)
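The query language used in the thread is not identified, so here is the same filtering logic worked through in Python as an added example (not the poster's or the product's own code). It uses constructed sample events in the shape described in the question and shows why an unanchored "abc" pattern matches every event, and how anchoring on the "found:" label restricts the test to the discovered domain.

```python
import re

# Constructed sample events in the shape described in the thread
# (field name "data.desc" as in the question; the domains are made up).
SAMPLE_EVENTS = [
    {"data.desc": "match to abc found: abc.com"},
    {"data.desc": "match to abc found: acd.com"},
    {"data.desc": "match to abc found: abd.com"},
    {"data.desc": "match to abc found: kbc.com"},
    {"data.desc": "match to abc found: fab.com"},
    {"data.desc": "match to abc found: login-abc-secure.net"},
    {"data.desc": "match to abc found: xyzabc.org"},
]

# Pitfall: every description already contains "abc" *before* the colon
# ("match to abc ..."), so an unanchored pattern matches all events.
NAIVE = re.compile(r"abc")

# Anchor on the "found:" label so only the discovered domain is tested.
# "abc" anywhere in the discovered domain (what the question asks for):
CONTAINS_ABC = re.compile(r"found:.*abc", re.IGNORECASE)
# Stricter variant: the discovered domain *is* abc.<tld>:
EXACT_ABC = re.compile(r"found:\s*abc\.", re.IGNORECASE)


def discovered_domain(desc):
    """Return the token after 'found:' (the discovered domain), or None."""
    m = re.search(r"found:\s*(\S+)", desc)
    return m.group(1) if m else None


def filter_events(events, pattern, field="data.desc"):
    """Keep the events whose description field matches the pattern."""
    return [e for e in events if pattern.search(e.get(field, ""))]


if __name__ == "__main__":
    for label, pat in (("naive", NAIVE), ("contains", CONTAINS_ABC), ("exact", EXACT_ABC)):
        hits = filter_events(SAMPLE_EVENTS, pat)
        print(f"{label:9} -> {[discovered_domain(e['data.desc']) for e in hits]}")
```

The "contains" pattern is the one that implements the requirement in the question; the "exact" pattern is useful when only the registered look-alike of abc.com itself should raise an alert.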