Search Examples
Some search examples for reference.
| SQL Expression | EQL Expression | Definition |
|---|---|---|
| select sys_eventTime,sys_body from LogLogic_Appliance where sys_eventTime between '2016-02-02' and '2016-02-03' | use LogLogic_Appliance columns sys_eventTime, sys_body | sys_eventTime between '2016-02-02' and '2016-02-03' | Displays results from the LogLogic_Appliance data model where the records have the timestamp between '2014-02-02' and '2014-02-03'. |
| select * from LogLogic_Appliance where sys_body like '%Authentication%' and sys_eventTime between '2016-02-02' and '2016-02-03' | use LogLogic_Appliance "Authentication" and sys_eventTime between '2016-02-02' and '2016-02-03' | Displays results from the LogLogic_Appliance data model with "Authentication" in the event body. |
| select * from LogLogic_Appliance where sys_body like '%logon%' and sys_eventTime between '2016-02-02' and '2016-02-03' limit 10 | use LogLogic_Appliance | sys_body like '%logon%' | limit 10 | sys_eventTime between '2016-02-02' and '2016-02-03' | Demonstrates an example of a 'like' statement to display a limit of 10 results. |
| select * from LogLogic_Appliance where sys_eventKey REGEXP '[az0-9|]*' and sys_eventTime in -10y limit 10 | use LogLogic_Appliance | sys_eventKey REGEXP '[a-z0-9|]*' | sys_eventTime in -10y | limit 10 | Demonstrates an example of the REGEXP expression matching. |
| select * from LogLogic_Appliance where sys_eventTime between '2016-02-02' and '2016-02-03' order by sys_eventTime DESC | use LogLogic_Appliance | sys_eventTime between '2016-02-02' and '2016-02-03' | sort by sys_eventTime DESC | Displays events sorted by time for records having timestamp for the specified dates in descending order. |
| select * from LogLogic_Appliance where sys_eventTime between
'2016-02-02' and '2016-02-03' order by sys_eventTime DESC limit 100 |
use LogLogic_Appliance | sys_eventTime between '2016-02-02' and '2016-02-03' | sort by sys_eventTime DESC | limit 100 | Displays top 100 results for records sorted by time in descending order. |
| select sys_eventTime, sys_body from LogLogic_Appliance where sys_eventTime between '2016-02-02 14:34:34' and '2016-02-03 12:00:00' ORDER BY sys_eventTime DESC LIMIT 100 | use LogLogic_Appliance | sys_eventTime between '2016-02-02 14:34:34' and '2016-02-03 12:00:00' | sort by sys_eventTime DESC | LIMIT 100 | Display sorted first page of results for events ordered by time in descending order. |
| select ll_sourceUser, count(*) from LogLogic_Appliance wheresys_eventTime between '2016-02-02' and '2016-02-03' group by ll_sourceUser | use LogLogic_Appliance | group by ll_sourceUser columns ll_sourceUser, count(*) | sys_eventTime between '2016-02-02' and '2016-02-03' | Displays grouped results based on the source users. |
| select ll_sourceUser, max(sys_eventTime), min(sys_eventTime), count(*) from LogLogic_Appliance where sys_eventTime between '2016-02-02' and '2016-02-03' group by ll_sourceUser | use LogLogic_Appliance | group by ll_sourceUser columns max(sys_eventTime), min(sys_eventTime), count(*) | sys_eventTime between '2016-02-02' and '2016-02-03' | Displays the count of rows for distinct source users and its corresponding maximum timestamp and minimum timestamp. |
| select ll_sourceUser, (max(ToLong(sys_eventTime ))- min(ToLong(sys_eventTime) ))/1000 as seconds from LogLogic_Appliance where sys_eventTime IN -10y group by ll_sourceUser | use LogLogic_Appliance | sys_eventTime in -10y | group by ll_sourceUser COLUMNS ll_sourceUser, (max(ToLong(sys_eventTime) )- min(ToLong(sys_eventTime)) )/1000 as seconds | Demonstrates the use of a complex expression in the COLUMNS statement. For each user, calculate the difference in time between the earliest and latest events. The time values are first converted to LONG (milliseconds), then subtracted, and finally divided by 1000 to convert the milliseconds to seconds. |
Copyright © Cloud Software Group, Inc. All rights reserved.