Sub-Queries

If a query returns too many rows, you can further refine the results by creating a sub-query. Similar to a filter, a sub-query adds modification to the original query, for example, sorting or grouping.

POST <baseurl>/api/v2/query/{id}/subquery/

This is especially useful for user interfaces that allow exploratory querying, where the user is not sure of what exactly to search.

Note: Use sub-queries only when needed, as they are supported only for cached queries and have a performance penalty compared to regular queries.

Creating a sub-query requires only the modification parameter. This parameter is an EQL fragment including the operations that must be applied. EQL and SQL both are supported.

After a sub-query is created, the APIs to retrieve results or status, delete, are equivalent to the APIs for the regular queries. The parameters and results are identical.

Examples of modifications:

Query	Description
`SORT BY ll_sourceUser`	Sort by the column ll_sourceUser
`GROUP BY ll_eventAction \| COLUMNS ll_eventAction, COUNT(*)`	Get the count of events per ll_eventAction
`ll_device = 'MyDevice’`	Get only the events for device MyDevice

Contents

Index

Search Results

Sub-Queries