...
| Info |
|---|
Select/group clauses required To use either of these operators, the query must group events or contain a select clause. |
Inside the query |
|---|
Offset | query offset N
Use this syntax at the end of your query to discard a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be discarded. | Expand |
|---|
| query(from siem.logtrust.web.activity select eventdate, method, responseTime offset 5) → This source query will display all the events in the selected time range except for the 5 oldest events.
 Image Modified |
|
|---|
Limit | query limit N
Use this syntax at the end of your query to show only a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be shown. | Expand |
|---|
| query(from siem.logtrust.web.activity select eventdate, method, responseTime limit 5) → This source query will only display the 5 oldest events that arrived in the selected time range.
 Image Modified |
|
|---|
Enclosing the query |
|---|
Take | take((query), N)
Use this syntax enclosing your query to show only a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be shown. The result is |
|---|
the same as with similar to that of the limit operator but provides more flexibility and possibilities in terms of query combinations, as it encloses the query without modifying it. | Info |
|---|
Take vs Limit Be aware that the take operator is completely different than the limit operator and has many different implications, being the performance the most relevant. We recommend using the limit operator to reduce the impact in the performance. The take operator is often used in combination with the sort operator as their implications are encompassed in the same context. |
| Expand |
|---|
| take(query(from siem.logtrust.web.activity select eventdate, method, responseTime), 5) → This source query will only display the 5 oldest events that arrived in the selected time range.
 Image Modified |
|
Sort | sort((query), 'columnName', 'ASC'|'DESC')
Use this syntax enclosing your query to sort events in ascending/descending order according to the values of a specific field. If your query groups events, the sorting is performed for each grouping period. | Expand |
|---|
| sort(query(from siem.logtrust.web.activity select method, responseTime), 'responseTime', 'DESC') → This source query will display events in descending order according to the values in the responseTime field.
 Image Modified |
|
|---|
Operator combinations
You can combine the operators mentioned above to get a specific window of events within a time range. However, you must be careful when combining operators as the order matters.
Inside the query |
|---|
Offset & Limit | query offset N limit N
Using offset first will discard certain events to later keep some others from the remaining set. | Expand |
|---|
| query(from siem.logtrust.web.activity select eventdate, method, responseTime offset 2 limit 4) → This query will discard the 2 oldest events to later show the 4 oldest from the remaining set.
 Image Modified |
|
|---|
Limit & Offset | query limit N offset N
Using limit first will keep certain events to later discard some of those that were kept. | Expand |
|---|
| query(from siem.logtrust.web.activity select eventdate, method, responseTime limit 4 offset 2) → This query will keep the 4 oldest events to later discard the 2 oldest of those four.
 Image Modified |
|
|---|
Enclosing the query |
|---|
Take & Sort | sort(take((query), N) 'columnName', 'ASC'|'DESC')
Using take first (the clause closer to the query) will keep certain events to later sort them according to the values of a given field. | Expand |
|---|
| sort(take(query(from siem.logtrust.web.activity select method, responseTime), 5), ‘responseTime', 'DESC') → This query will keep the 5 oldest events (first 5 of the list as the default order is from oldest to newest when there’s no eventdate in the query), which will be then sorted in descending order according to the values of the responseTime field.
 Image Modified |
|
|---|
Sort & Take | take(sort((query) 'columnName', 'ASC'|'DESC'), N)
Using sort first (the clause closer to the query) will sort all events according to the values of a given field to later keep the top events from the ordered set (using take after sort no longer considers the eventdate as criteria to keep events but the ordered set instead). | Expand |
|---|
| take(sort(query(from siem.logtrust.web.activity select method, responseTime), 'responseTime', 'DESC'), 5) → This query will sort all events in descending order according to the values in the responseTime field to later keep the 5 events with the highest values (the top of the list).
 Image Modified |
|
|---|
Inside the query + enclosing the query |
|---|
All operators | take(sort((query limit N offset N) 'columnName', 'ASC'|'DESC'), N)
You can combine all operators to get the window of events as precise as possible. Note that the order of the operators can be switched as explained above with the corresponding result alterations. | Expand |
|---|
| take(sort(query(from siem.logtrust.web.activity select method, responseTime limit 8 offset 2), 'responseTime', 'DESC'), 4) → This query will first keep the 8 oldest events (first 8 of the list) and then discard the 2 oldest of those 8 (first 2 of the resulting list), which will be sorted in descending order using responseTime values, to finally show the top 4 (those with the highest responseTime values).
 Image Modified |
|
|---|
