...

Subquery from the same table as the main query

from demo.ecommerce.data
where statusCode in (
  from demo.ecommerce.data
  where statusCode = "404"
  where now() - 5m < eventdate < now()
  group every - by statusCode)
select method, statusCode, eventdate
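The same pattern as the 404 query above, extended so that the subquery returns only the client IPs that produced many 404 responses in the last hour, and the main query then shows every request from those IPs. This is an added example written in the style of the page's LINQ queries; it is not from the original documentation. It assumes that `count()` can be aliased with `as` and then filtered with a `where` inside the subquery, and that the grouping key (clientIpAddress) is the first output field of the subquery, which is what the page's type-matching rule requires for the `in` comparison. The threshold of 100 is a constructed value.

```linq
from demo.ecommerce.data
where clientIpAddress in (
  from demo.ecommerce.data
  where statusCode = "404"
  where now() - 1h < eventdate < now()
  group every - by clientIpAddress
  select count() as failures
  where failures > 100)
select eventdate, clientIpAddress, method, statusCode
```

Tune the threshold to the normal volume of the source table. Because the outer query runs over the same table without a status filter, the result lists all requests (not only the 404s) from the noisy addresses, which is the view a responder wants when triaging scanning or brute-force behaviour.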
Subquery from a table different than the one in the main query

from demo.ecommerce.data
select mmcountry(clientIpAddress) as Country
where not Country in (
  from siem.logtrust.web.activity
  where now() - 12h < eventdate < now()
  group every - by country)
where isnotnull(Country)
select bytesTransferred, timeTaken
Subquery using two columns to filter

from siem.logtrust.web.activity
where (username, domain) in (
  from siem.logtrust.web.navigation
  where origin = "redada"
  where now() - 2h < eventdate < now()
  group every - by userEmail, domain)
group every 5m by username, domain
select count()
Subquery that includes more fields than the main query

This example works because the first field in the subquery list (userid) matches the type of the field indicated in the main query.

from siem.logtrust.web.activity
where userid in (
  from siem.logtrust.web.navigation
  where not userid = ""
  where now() - 1h < eventdate < now()
  group every - by userid, domain)
select *
Subquery with a column name different from the one in the main query

from siem.logtrust.web.activity
where username in (
  from siem.logtrust.web.navigation
  where now() - 1d < eventdate < now()
  select userEmail)
select eventdate, username

...

Subquery using a select clause to expose a field

from siem.logtrust.web.activity
select ((
  from siem.logtrust.web.navigation
  group every - by userEmail
  select count()) as inner)
select inner[username] as nav
group by username, nav

Expose data from the subquery to the main query

You can correlate specific field values of your subquery with the ones in your main query and show them as a list in a new field.

...