...

Inside the query

Offset

query offset N

Use this syntax at the end of your query to discard a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be discarded.

Example

query(from siem.logtrust.web.activity select eventdate, method, responseTime offset 5) → This source query will display all the events in the selected time range except for the 5 oldest events.

Limit

query limit N

Use this syntax at the end of your query to show only a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be shown.

Example

query(from siem.logtrust.web.activity select eventdate, method, responseTime limit 5) → This source query will only display the 5 oldest events that arrived in the selected time range.

Enclosing the query

Take

take((query), N)

Use this syntax enclosing your query to show only a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be shown.

The result is similar to that of the limit operator but provides more flexibility and possibilities in terms of query combinations, as it encloses the query without modifying it.

Take vs Limit

Be aware that the take operator is completely different from the limit operator and has many different implications, the most relevant being performance. We recommend using the limit operator to reduce the performance impact.

The take operator is often used in combination with the sort operator, since both enclose the query and their effects apply in the same context.

Example

take(query(from siem.logtrust.web.activity select eventdate, method, responseTime), 5) → This source query will only display the 5 oldest events that arrived in the selected time range.

Sort

sort((query), 'columnName', 'ASC'|'DESC')

Use this syntax enclosing your query to sort events in ascending/descending order according to the values of a specific field. If your query groups events, the sorting is performed for each grouping period.

Example

sort(query(from siem.logtrust.web.activity select method, responseTime), 'responseTime', 'DESC') → This source query will display events in descending order according to the values in the responseTime field.
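The following Python model is an added example, not Devo's own code or query engine: it reproduces the documented behaviour of offset, limit, take and sort over a constructed list of events so the edge cases in the text (not enough events for offset or limit, sorting within each grouping period, and the usual sort-then-take combination) can be run and checked offline. The event list, the Event class and the function names are assumptions made for the example; only the operator semantics follow the descriptions above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby


# Constructed sample events (assumption: not real siem.logtrust.web.activity data),
# one per minute, oldest first, standing in for the selected time range.
@dataclass(frozen=True)
class Event:
    eventdate: datetime
    method: str
    responseTime: int


_START = datetime(2024, 1, 1, 12, 0)
EVENTS = [
    Event(_START + timedelta(minutes=i), m, rt)
    for i, (m, rt) in enumerate([
        ("GET", 120), ("POST", 340), ("GET", 95), ("GET", 210),
        ("PUT", 480), ("GET", 60), ("POST", 300), ("GET", 150),
    ])
]


def offset(events, n):
    """query ... offset N: discard the N oldest events.
    Fewer than N events available -> everything is discarded (empty result)."""
    return list(events[n:])


def limit(events, n):
    """query ... limit N: keep only the N oldest events.
    Fewer than N events available -> all of them are shown."""
    return list(events[:n])


def take(events, n):
    """take((query), N): same visible result as limit, but applied to the
    enclosed query's result instead of being part of the query itself."""
    return list(events[:n])


def sort(events, column, direction="ASC", period=None):
    """sort((query), 'columnName', 'ASC'|'DESC').
    With period (a timedelta, modelling a grouped query) the ordering is
    applied separately inside each grouping period, not across the whole result."""
    reverse = direction.upper() == "DESC"
    key = lambda e: getattr(e, column)
    if period is None:
        return sorted(events, key=key, reverse=reverse)
    # Bucket by period boundary; events arrive oldest first, so buckets are contiguous.
    bucket = lambda e: (e.eventdate - datetime.min) // period
    out = []
    for _, group in groupby(events, key=bucket):
        out.extend(sorted(group, key=key, reverse=reverse))
    return out


def slowest(events, n):
    """The sort + take combination from the text: the n events with the
    highest responseTime, independent of arrival order."""
    return take(sort(events, "responseTime", "DESC"), n)


if __name__ == "__main__":
    print([e.responseTime for e in offset(EVENTS, 5)])   # the 3 newest events remain
    print([e.responseTime for e in limit(EVENTS, 5)])    # the 5 oldest events
    print(len(offset(EVENTS, 20)), len(limit(EVENTS, 20)))  # 0 and 8
    print([e.responseTime for e in slowest(EVENTS, 3)])
```

Running the module prints the retained responseTime values for each operator; the grouped variant, `sort(EVENTS, "responseTime", "DESC", period=timedelta(minutes=4))`, orders the first four and the last four events independently, which is the behaviour to expect when a sort is applied to a query that groups by time.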

...