Limit the events of a widget query

[ 1 Operators ] [ 2 Operator combinations ]

Operators

You can limit the query events represented in a widget and sort them using the following operations:

Select/group clauses required

To use either of these operators, the query must group events or contain a select clause.

Inside the query

Inside the query
Offset	`query offset N` Use this syntax at the end of your query to discard a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be discarded. `query(from siem.logtrust.web.activity select eventdate, method, responseTime offset 5)` → This source query will display all the events in the selected time range except for the 5 oldest events.
Limit	`query limit N` Use this syntax at the end of your query to show only a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be shown. `query(from siem.logtrust.web.activity select eventdate, method, responseTime limit 5)` → This source query will only display the 5 oldest events that arrived in the selected time range.
Enclosing the query
Take	`take((query), N)` Use this syntax enclosing your query to show only a number of the oldest events (or the first events of the list when a no-time grouping is used). If there aren't enough events available, all events will be shown. The result is similar to that of the limit operator but provides more flexibility and possibilities in terms of query combinations, as it encloses the query without modifying it. Take vs Limit Be aware that the take operator is completely different than the limit operator and has many different implications, being the performance the most relevant. We recommend using the limit operator to reduce the impact in the performance. The take operator is often used in combination with the sort operator as their implications are encompassed in the same context. `take(query(from siem.logtrust.web.activity select eventdate, method, responseTime), 5)` → This source query will only display the 5 oldest events that arrived in the selected time range.
Sort	`sort((query), 'columnName', 'ASC'\|'DESC')` Use this syntax enclosing your query to sort events in ascending/descending order according to the values of a specific field. If your query groups events, the sorting is performed for each grouping period. `sort(query(from siem.logtrust.web.activity select method, responseTime), 'responseTime', 'DESC')` → This source query will display events in descending order according to the values in the responseTime field.

Operator combinations

You can combine the operators mentioned above to get a specific window of events within a time range. However, you must be careful when combining operators as the order matters.

Inside the query

Inside the query
Offset & Limit	`query offset N limit N` Using offset first will discard certain events to later keep some others from the remaining set. `query(from siem.logtrust.web.activity select eventdate, method, responseTime offset 2 limit 4)` → This query will discard the 2 oldest events to later show the 4 oldest from the remaining set.
Limit & Offset	`query limit N offset N` Using limit first will keep certain events to later discard some of those that were kept.
Enclosing the query
Take & Sort	`sort(take((query), N) 'columnName', 'ASC'\|'DESC')` Using take first (the clause closer to the query) will keep certain events to later sort them according to the values of a given field.
Sort & Take	`take(sort((query) 'columnName', 'ASC'\|'DESC'), N)` Using sort first (the clause closer to the query) will sort all events according to the values of a given field to later keep the top events from the ordered set (using take after sort no longer considers the eventdate as criteria to keep events but the ordered set instead).
Inside the query + enclosing the query
All operators	`take(sort((query limit N offset N) 'columnName', 'ASC'\|'DESC'), N)` You can combine all operators to get the window of events as precise as possible. Note that the order of the operators can be switched as explained above with the corresponding result alterations.