| select sys_eventTime,sys_body from LogLogic_Appliance where sys_eventTime between '2016-02-02' and '2016-02-03'
|
use LogLogic_Appliance |columns sys_eventTime, sys_body | sys_eventTime between '2016-02-02' and '2016-02-03'
|
Displays results from the LogLogic_Appliance data model where the records have the timestamp between '2014-02-02' and '2014-02-03'.
|
| select * from LogLogic_Appliance where sys_body like '%Authentication%' and sys_eventTime between '2016-02-02' and '2016-02-03'
|
use LogLogic_Appliance | sys_body contains "Authentication" | sys_eventTime between '2016-02-02' and '2016-02-03'
|
Displays results from the LogLogic_Appliance data model with "Authentication" in the event body.
|
| select * from LogLogic_Appliance where sys_body like '%logon%' and sys_eventTime between '2016-02-02' and '2016-02-03' limit 10
|
use LogLogic_Appliance | sys_body like '%logon%' | limit 10 | sys_eventTime between '2016-02-02' and '2016-02-03'
|
Demonstrates an example of a 'like' statement to display a limit of 10 results.
|
| select * from LogLogic_Appliance where sys_eventKey REGEXP '[az0-9|]*' and sys_eventTime in -10y limit 10
|
use LogLogic_Appliance | sys_eventKey REGEXP '[a-z0-9|]*' | sys_eventTime in -10y | limit 10
|
Demonstrates an example of the REGEXP expression matching.
|
| select * from LogLogic_Appliance where sys_eventTime between '2016-02-02' and '2016-02-03' order by sys_eventTime DESC
|
use LogLogic_Appliance | sys_eventTime between '2016-02-02' and '2016-02-03' | sort by sys_eventTime DESC
|
Displays events sorted by time for records having timestamp for the specified dates in descending order.
|
| select * from LogLogic_Appliance where sys_eventTime between
'2016-02-02' and '2016-02-03' order by sys_eventTime DESC limit 100
|
use LogLogic_Appliance | sys_eventTime between '2016-02-02' and '2016-02-03' | sort by sys_eventTime DESC | limit 100
|
Displays top 100 results for records sorted by time in descending order.
|
| select sys_eventTime, sys_body from LogLogic_Appliance where sys_eventTime between '2016-02-02 14:34:34' and '2016-02-03 12:00:00' ORDER BY sys_eventTime DESC LIMIT 100
|
use LogLogic_Appliance | sys_eventTime between '2016-02-02 14:34:34' and '2016-02-03 12:00:00' | sort by sys_eventTime DESC | LIMIT 100
|
Display sorted first page of results for events ordered by time in descending order.
|
| select ll_sourceUser, count(*) from LogLogic_Appliance where sys_eventTime between '2016-02-02' and '2016-02-03' group by ll_sourceUser
|
use LogLogic_Appliance | group by ll_sourceUser columns ll_sourceUser, count(*) | sys_eventTime between '2016-02-02' and '2016-02-03'
|
Displays grouped results based on the source users.
|
| select ll_sourceUser, max(sys_eventTime), min(sys_eventTime), count(*) from LogLogic_Appliance where sys_eventTime between '2016-02-02' and '2016-02-03' group by ll_sourceUser
|
use LogLogic_Appliance | group by ll_sourceUser columns max(sys_eventTime), min(sys_eventTime), count(*) | sys_eventTime between '2016-02-02' and '2016-02-03'
|
Displays the count of rows for distinct source users and its corresponding maximum timestamp and minimum timestamp.
|
| select ll_sourceUser, (max(ToLong(sys_eventTime ))- min(ToLong(sys_eventTime) ))/1000 as seconds from LogLogic_Appliance where sys_eventTime IN -10y group by ll_sourceUser
|
use LogLogic_Appliance | sys_eventTime in -10y | group by ll_sourceUser COLUMNS ll_sourceUser, (max(ToLong(sys_eventTime) )- min(ToLong(sys_eventTime)) )/1000 as seconds
|
Demonstrates the use of a complex expression in the COLUMNS statement. For each user, calculate the difference in time between the earliest and latest events. The time values are first converted to LONG (milliseconds), then subtracted, and finally divided by 1000 to convert the milliseconds to seconds.
|
|
select geoiplookup(sys_collectIP,"location"), sys_collectIP from Microsoft_Windows where sys_collectIP like '128%'
|
use Microsoft_Windows_Windows | sys_collectIP like '128%' |COLUMNS sys_collectIP, geoiplookup(sys_collectIP,"location")
|
Returns location information such as latitude, longitude, time zone corresponding to the IPv4 address specified in the
sys_collectIP parameter.
|
| select geoiplookup(sys_collectIP,"country"), sys_collectIP from Microsoft_Windows where sys_collectIP like '128%'
|
use Microsoft_Windows | sys_collectIP like '128%' |COLUMNS sys_collectIP, geoiplookup(sys_collectIP,"country")
|
Returns the country corresponding to the IPv4 address specified in the
sys_collectIP parameter.
|
| select geoiplookup(sys_collectIP,"country"), sys_collectIP from Microsoft_Windows where sys_collectIP like '2001%'
|
use Microsoft_Windows | sys_collectIP like '2001%' | COLUMNS sys_collectIP, geoiplookup(sys_collectIP,"country")
|
Returns the country corresponding to the IPv6 address specified in the
sys_collectIP parameter.
|
| select * from system where matchcidr("192.168.56.101/32", sys_collectIP)
|
If sys_collectIP="192.168.56.101",198.168.56.101", then:
use system | matchcidr("192.168.56.101/32", sys_collectIP)
|
Returns the data that includes
sys_collectIP as 192.168.56.101, because the IP address is within the CIDR range of "192.168.56.101/32".
|
| select * from system where matchcidr("198.168.0.0-198.168.255.255",sys_collectIP)
|
If sys_collectIP="192.168.56.101",198.168.50.101", then:
use system | matchcidr("198.168.0.0-198.168.255.255",sys_collectIP)
|
Returns the data that includes
sys_collectIP as 198.168.50.101, because the IP address is within the range of "198.168.0.0-198.168.255.255".
|
- select * from system where matchcidr("IPList",sys_collectIP)
- select * from system where matchcidr("IPList",sys_collectIP, "IP1")
|
For an enrichment list named
IPList:
{"192.168.56.101/32":"IP1","191.163.56.101/32":"IP2","198.168.0.0-198.168.255.255":"IP3","2001:4860:4860::8888/32":"IP4"}
and if
sys_collectIP="192.168.56.101",198.168.56.101", then:
- use system | matchcidr("IPList",sys_collectIP)
- use system | matchcidr("IPList",sys_collectIP,"IP1")
|
Returns the data that includes
sys_collectIP as 192.168.56.101, because this IP address is within the range 192.168.56.101/32 and matches the key IP1.
|
