
Operators

You can limit the query events represented in a widget and sort them using the following operations:

Select/group clauses required

To use either of these operators, the query must group events or contain a select clause.

Inside the query

Offset

query offset N

Use this syntax at the end of your query to discard a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be discarded.

Example

query(from siem.logtrust.web.activity select eventdate, method, responseTime offset 5) → This source query will display all the events in the selected time range except for the 5 oldest events.

Limit

query limit N

Use this syntax at the end of your query to show only a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be shown.

Example

query(from siem.logtrust.web.activity select eventdate, method, responseTime limit 5) → This source query will only display the 5 oldest events that arrived in the selected time range.

Enclosing the query

Take

take((query), N)

Use this syntax enclosing your query to show only a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be shown.

The result is similar to that of the limit operator but provides more flexibility and possibilities in terms of query combinations, as it encloses the query without modifying it.

Take vs Limit

Be aware that the take operator is completely different from the limit operator and has many different implications, performance being the most relevant. We recommend using the limit operator to reduce the performance impact.

The take operator is often used in combination with the sort operator, as their implications are encompassed in the same context.

Example

take(query(from siem.logtrust.web.activity select eventdate, method, responseTime), 5) → This source query will only display the 5 oldest events that arrived in the selected time range.

Sort

sort((query), 'columnName', 'ASC'|'DESC')

Use this syntax enclosing your query to sort events in ascending/descending order according to the values of a specific field. If your query groups events, the sorting is performed for each grouping period.

Example

sort(query(from siem.logtrust.web.activity select method, responseTime), 'responseTime', 'DESC') → This source query will display events in descending order according to the values in the responseTime field.

Operator combinations

You can combine the operators mentioned above to get a specific window of events within a time range. However, you must be careful when combining operators as the order matters.

Inside the query

Offset & Limit

query offset N limit N

Using offset first will discard certain events to later keep some others from the remaining set.

Example

query(from siem.logtrust.web.activity select eventdate, method, responseTime offset 2 limit 4) → This query will discard the 2 oldest events to later show the 4 oldest from the remaining set.

Limit & Offset

query limit N offset N

Using limit first will keep certain events to later discard some of those that were kept.

Example

query(from siem.logtrust.web.activity select eventdate, method, responseTime limit 4 offset 2) → This query will keep the 4 oldest events to later discard the 2 oldest of those four.

Enclosing the query

Take & Sort

sort(take((query), N), 'columnName', 'ASC'|'DESC')

Using take first (the clause closer to the query) will keep certain events and then sort them according to the values of a given field.

Example

sort(take(query(from siem.logtrust.web.activity select method, responseTime), 5), 'responseTime', 'DESC') → This query will keep the 5 oldest events (the first 5 of the list, as the default order is from oldest to newest when there is no eventdate in the query), which will then be sorted in descending order according to the values of the responseTime field.

Sort & Take

take(sort((query), 'columnName', 'ASC'|'DESC'), N)

Using sort first (the clause closer to the query) will sort all events according to the values of a given field and then keep the top events from the ordered set (using take after sort no longer considers the eventdate as the criterion to keep events, but the ordered set instead).

Example

take(sort(query(from siem.logtrust.web.activity select method, responseTime), 'responseTime', 'DESC'), 5) → This query will sort all events in descending order according to the values in the responseTime field and then keep the 5 events with the highest values (the top of the list).

Inside the query + enclosing the query

All operators

take(sort((query limit N offset N), 'columnName', 'ASC'|'DESC'), N)

You can combine all operators to get as precise a window of events as possible. Note that the order of the operators can be switched, as explained above, with the corresponding changes to the result.

Example

take(sort(query(from siem.logtrust.web.activity select method, responseTime limit 8 offset 2), 'responseTime', 'DESC'), 4) → This query will first keep the 8 oldest events (the first 8 of the list), then discard the 2 oldest of those 8 (the first 2 of the resulting list), sort the remainder in descending order using responseTime values, and finally show the top 4 (those with the highest responseTime values).
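The following is an added example, not part of this page or of Devo's own query engine: a small Python model of the four operators applied to a constructed list of events (already in default oldest-first order), so the effect of operator order in each combination above can be checked directly. Function names and the sample events are assumptions made for this illustration.

```python
# Model of the widget operators offset, limit, take and sort as described on
# this page. Constructed simulation for illustration, not Devo's implementation.
from typing import Dict, List

# Constructed sample events in default order (oldest first).
EVENTS: List[Dict[str, object]] = [
    {"eventdate": f"2024-01-01T00:00:{i:02d}", "method": m, "responseTime": rt}
    for i, (m, rt) in enumerate([
        ("GET", 120), ("POST", 340), ("GET", 80), ("GET", 510), ("PUT", 95),
        ("GET", 230), ("POST", 720), ("GET", 60), ("GET", 410), ("DELETE", 150),
    ])
]

def offset(events, n):
    """'query offset N': discard the N oldest (first) events; all go if fewer exist."""
    return events[n:]

def limit(events, n):
    """'query limit N': keep only the N oldest (first) events; all stay if fewer exist."""
    return events[:n]

def take(events, n):
    """take((query), N): same window as limit, but applied to whatever it encloses."""
    return events[:n]

def sort(events, column, direction):
    """sort((query), 'column', 'ASC'|'DESC'): order events by one field's values."""
    return sorted(events, key=lambda e: e[column], reverse=(direction == "DESC"))

def response_times(events):
    """Helper to read the resulting window as a list of responseTime values."""
    return [e["responseTime"] for e in events]

# The combinations from the page, innermost clause applied first.
def offset_then_limit(events, n_off, n_lim):      # query offset N limit N
    return limit(offset(events, n_off), n_lim)

def limit_then_offset(events, n_lim, n_off):      # query limit N offset N
    return offset(limit(events, n_lim), n_off)

def take_then_sort(events, n, column, direction): # sort(take((query), N), ...)
    return sort(take(events, n), column, direction)

def sort_then_take(events, n, column, direction): # take(sort((query), ...), N)
    return take(sort(events, column, direction), n)

def all_operators(events, n_lim, n_off, column, direction, n_take):
    # take(sort((query limit N offset N), column, direction), N)
    return take(sort(offset(limit(events, n_lim), n_off), column, direction), n_take)
```

With the sample data, sort-then-take returns the five highest responseTime values overall, while take-then-sort only reorders the five oldest events, which is the difference the page warns about.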
