Event Query Language Reference
The search query supports EQL and the Operational Intelligence Search Query SQL dialect.
An EQL query is composed of expressions separated by the pipe ( | ) character. Each pipe-delimited expression further processes the search results produced by the expression before it. For more structured queries, a subset of SQL is supported that is mainly focused on the SELECT statement. Both languages are supported in TIBCO OI Hawk RedTail, but you cannot mix both languages in the same query. Everything that is available in EQL can be achieved via SQL and vice versa, with the following exception:
• Multiple EQL filter expression statements, separated by a pipe, are automatically combined using the AND operator into a single filter expression. SQL does not support this feature.
The EQL and SQL language rules are based on a Backus-Naur Form (BNF)-like notation as follows:
<symbol> ::= <expression> ;
where:
• Non-terminal symbols in syntax rules are enclosed in angle brackets (< >). For example, in the rule <expression> ::= <expression> "+" <integer>; the <expression> is a non-terminal symbol, and the rule specifies that an expression is the addition of any number of integers.
• Terminal symbols are shown in double quotes (" "). For example, the "+" in the previous example.
• As an additional shortcut notation to BNF, optional symbols (that can occur zero or one times) are followed by a question mark (?). For example, in the rule <colNameForSort> ::= <colname> (ASC | DESC)?; a column name used for sorting is a column name optionally followed by the keyword ASC or DESC.
• Multiple symbols are grouped together using parentheses ( ) when some common operation is applied to the group, for example, the selection of one member of the group, or to indicate that the entire group can be repeated zero or more times. An example is shown in the previous bullet item.
• Words that are all capitalized represent keywords (special terminal symbols). For example, the keywords ASC and DESC in the column name for sort described in the previous example.
All parts of the query are optional, but overall the syntax is:
<EQL_statement> ::= <statement> ("|" <statement> )* ;
<statement> ::= <useStatement> | <filterStatement> | <groupByStatement> | <columnsStatement> | <sortStatement> | <limitStatement>;
String literals and identifiers (including keyspace, column family names, and data model names) are case sensitive but all EQL keywords are not case sensitive. For example, 'USE Windows' and 'use Windows' are treated in the same way.
A special syntax for time range can be used. For details, see Time Range Expressions.
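The statement-splitting rules above (pipe-delimited statements, case-insensitive keywords with case-sensitive identifiers and string literals, and the EQL-only merging of consecutive filter expressions with AND) as a small Python parser. This is an added example, not code from TIBCO or the product: it assumes a simplified grammar in which every statement either begins with one of the six keywords listed under Common Search Commands or is a bare filter expression, and it does not validate the contents of an expression.

```python
"""Minimal EQL statement splitter (added example, not TIBCO's code).

Assumed grammar: a query is statements separated by top-level '|';
a statement starts with USE, COLUMNS, GROUP BY, SORT BY, LIMIT or FILTER
(case-insensitive), otherwise it is a bare filter expression.
"""
from __future__ import annotations

import re

# Statement keywords listed in the reference, matched case-insensitively.
KEYWORDS = ("USE", "COLUMNS", "GROUP BY", "SORT BY", "LIMIT", "FILTER")


def split_pipes(query: str) -> list[str]:
    """Split on '|' characters that are not inside quotes, brackets or parens,
    so a literal such as 'x|y' or a quoted column name is never cut in half."""
    parts: list[str] = []
    buf: list[str] = []
    depth = 0
    quote: str | None = None
    for ch in query:
        if quote is not None:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch in "([":
            depth += 1
            buf.append(ch)
        elif ch in ")]":
            depth = max(0, depth - 1)
            buf.append(ch)
        elif ch == "|" and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def classify(statement: str) -> tuple[str, str]:
    """Return (KEYWORD, argument). The keyword is matched case-insensitively;
    the argument (identifiers, literals) is returned unchanged, as EQL treats
    it as case-sensitive. A statement with no leading keyword is a filter."""
    for kw in KEYWORDS:
        m = re.match(re.escape(kw) + r"\b\s*", statement, re.IGNORECASE)
        if m:
            return kw, statement[m.end():].strip()
    return "FILTER", statement.strip()


def parse_eql(query: str) -> list[tuple[str, str]]:
    """Split a query into classified statements. Consecutive filter
    expressions are merged into one expression joined with AND (the EQL-only
    rule); each part is parenthesised so its own operator precedence survives."""
    out: list[tuple[str, str]] = []
    pending: list[str] = []

    def flush() -> None:
        if len(pending) == 1:
            out.append(("FILTER", pending[0]))
        elif pending:
            out.append(("FILTER", " AND ".join(f"({e})" for e in pending)))
        pending.clear()

    for stmt in split_pipes(query):
        kw, arg = classify(stmt)
        if kw == "FILTER":
            pending.append(arg)
        else:
            flush()
            out.append((kw, arg))
    flush()
    return out


if __name__ == "__main__":
    # The two queries from the Examples section of this reference.
    for q in (
        "USE TS_go_memstats_alloc_bytes_total | sys_eventTime in -1h",
        "USE RT_Self_getMicroAgentInfo | ([Display Name] = 'HawkKubernetesMA') | sys_eventTime IN -1h",
    ):
        for kw, arg in parse_eql(q):
            print(f"{kw:8} {arg}")
        print()
```

Running the module prints the statement list for both example queries; the second one shows the two filter expressions collapsed into a single AND-joined expression, which is exactly the behaviour that has no SQL equivalent on this page.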
Examples
Expression | Definition |
---|---|
USE TS_go_memstats_alloc_bytes_total \| sys_eventTime in -1h | Using the data model TS_go_memstats_alloc_bytes_total, display all the column values during the past hour. |
USE RT_Self_getMicroAgentInfo \| ([Display Name] = 'HawkKubernetesMA') \| sys_eventTime IN -1h | Using the data model RT_Self_getMicroAgentInfo, display results of all events where the Display Name is 'HawkKubernetesMA' during the past hour. |
Common Search Commands
Command | Definition |
---|---|
USE | Defines the data models, which include the parsing configuration. For details, see USE Statement. |
COLUMNS | Defines which columns should appear in search results. For details, see COLUMNS Statement. |
GROUP BY | Groups search results based on specified columns. For details, see GROUP BY Statement. |
SORT BY | Sorts search results based on the expression. For details, see Time Range Expressions. |
LIMIT | Limits the size of search results to be displayed. For details, see LIMIT Statement. |
FILTER | Filters results. For details, see FILTER Statement. |