Kaspersky Industrial CyberSecurity for Networks API Developer's Guide

Using sorting for events

This section explains how sorting works, describes sorting syntax for events, and provides sorting examples.

About sorting

Sorting is a special string that can be specified in RPC calls. Sorting can be combined with filters or used separately from them. A sorting is a group of conditions that specify the order of returned events.

For example, if you want to get events with the GetItemsById method of EventProviderService, and you also want those events to be sorted by event identifier (in descending order), then you can use the following sorting to do so:

sort: {
    event_id: desc
}

For examples of using sorting, see subsection "Making event requests with sorting" below.

Combining sorting with filters

Sorting can be combined with filters.

sort: {
    event_id: desc
}

filter: {
    event_id = 100, 101, 102, 103
}

For an example of using filters with sorting, see subsection "Making event requests with sorting" below.

Sorting condition syntax

Sorting conditions use the following syntax:

field : order

Above, field is the name of the field affected by the condition, and order is one of the following two values:

  • asc

    Field values are sorted in ascending order.

  • desc

    Field values are sorted in descending order.

For compound fields use the following syntax:

field.subfield : order

Above, field is the name of the field, subfield is the name of the subfield affected by the condition, and order is the order of sorting.

To combine several sorting conditions, separate them with commas (,):

field_1 : order, field_2 : order, field_3 : order

The following are examples of sorting conditions:

event_id : asc

src_address.port: desc

occurred : desc

monitoring_point : asc, occurred : desc

Field names (event requests)

The following table summarizes field names that can be used in event requests:

Field names (event requests)

Field name          Subfields   Description
title               No          Event title
description         No          Event description
mark                No          User mark
occurred            No          Date and time when an event occurred
severity            No          Event severity
technology          No          Technology that generated the event
technology_rule     No          Name of the rule that generated the event
src_address         Yes         Source address
dst_address         Yes         Destination address
protocol            No          Protocol name
event_id            No          Event identifier
event_type_id       No          Event type identifier
monitoring_point    No          Monitoring point

Subfield names

The following table summarizes the subfield names that can be used in sorting conditions for fields that have subfields (src_address and dst_address):

Subfield names

Subfield name   Description
ip              IPv4 address
port            Port
mac             MAC address
vlan_id         Virtual LAN (VLAN) ID
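The following is an added example, not code from the guide or from Kaspersky: it builds a sorting string in the "field[.subfield] : order" syntax described above, checks every field and subfield name against the two tables before the string is sent, and applies the same ordering locally to a few constructed events so that the effect of asc/desc and of compound conditions can be seen without a live server. The helper names (parse_conditions, build_sort, apply_sort) and the sample events are assumptions made for this example; the only things taken from the guide are the syntax and the field and subfield names.

```python
# Added example (not from the Kaspersky guide): validate and build sorting
# strings, then apply them locally to constructed events.
import re

# Field names from the "Field names (event requests)" table; True = has subfields.
EVENT_FIELDS = {
    "title": False, "description": False, "mark": False, "occurred": False,
    "severity": False, "technology": False, "technology_rule": False,
    "src_address": True, "dst_address": True, "protocol": False,
    "event_id": False, "event_type_id": False, "monitoring_point": False,
}
# Subfield names from the "Subfield names" table.
SUBFIELDS = {"ip", "port", "mac", "vlan_id"}

# One condition: field, optional .subfield, colon, asc|desc (whitespace tolerant).
_COND_RE = re.compile(r"^\s*([a-z_]+)(?:\.([a-z_]+))?\s*:\s*(asc|desc)\s*$")


def parse_conditions(sort_body):
    """Parse 'field[.subfield] : order, ...' into (field, subfield, order) tuples.

    Raises ValueError for malformed conditions or names not in the guide's tables,
    so a typo is caught before the request leaves the client.
    """
    conditions = []
    for raw in sort_body.split(","):
        m = _COND_RE.match(raw)
        if not m:
            raise ValueError("bad sorting condition: %r" % raw)
        field, subfield, order = m.groups()
        if field not in EVENT_FIELDS:
            raise ValueError("unknown field: %s" % field)
        if subfield is not None and not EVENT_FIELDS[field]:
            raise ValueError("field %s has no subfields" % field)
        if subfield is not None and subfield not in SUBFIELDS:
            raise ValueError("unknown subfield: %s" % subfield)
        conditions.append((field, subfield, order))
    return conditions


def build_sort(conditions, filter_expr=None):
    """Return the string to pass as ItemsByIdRequest(filter=...).

    conditions: list of (field, subfield_or_None, order). filter_expr, if given,
    is the body of a filter block (e.g. 'severity = critical') and is emitted
    in front of the sort block, as in the guide's combined example.
    """
    parts = []
    for field, subfield, order in conditions:
        name = field if subfield is None else "%s.%s" % (field, subfield)
        parts.append("%s : %s" % (name, order))
    sort_str = "sort: {%s}" % ", ".join(parts)
    parse_conditions(sort_str[len("sort: {"):-1])  # validate what we produced
    if filter_expr:
        return "filter: {%s} %s" % (filter_expr, sort_str)
    return sort_str


def _value(event, field, subfield):
    v = event[field]
    return v if subfield is None else v[subfield]


def apply_sort(events, sort_body):
    """Order a list of dict events the way the sort_body conditions request."""
    ordered = list(events)
    # Sort by the least significant condition first; Python's sort is stable,
    # so the first listed condition ends up as the primary key.
    for field, subfield, order in reversed(parse_conditions(sort_body)):
        ordered.sort(key=lambda e: _value(e, field, subfield),
                     reverse=(order == "desc"))
    return ordered


# Constructed sample events (not real KICS for Networks data).
SAMPLE_EVENTS = [
    {"event_id": 100, "monitoring_point": "mp-2", "occurred": "2024-01-01T10:00:00",
     "src_address": {"ip": "10.0.0.5", "port": 502}},
    {"event_id": 101, "monitoring_point": "mp-1", "occurred": "2024-01-01T10:05:00",
     "src_address": {"ip": "10.0.0.7", "port": 20000}},
    {"event_id": 102, "monitoring_point": "mp-1", "occurred": "2024-01-01T10:07:00",
     "src_address": {"ip": "10.0.0.9", "port": 102}},
    {"event_id": 103, "monitoring_point": "mp-2", "occurred": "2024-01-01T09:59:00",
     "src_address": {"ip": "10.0.0.5", "port": 44818}},
]


def event_ids(events):
    return [e["event_id"] for e in events]


if __name__ == "__main__":
    print(build_sort([("monitoring_point", None, "asc"), ("occurred", None, "desc")]))
    print(event_ids(apply_sort(SAMPLE_EVENTS, "monitoring_point : asc, occurred : desc")))
    print(event_ids(apply_sort(SAMPLE_EVENTS, "src_address.port: desc")))
```

Validating the string client-side is useful because the sorting travels inside the same free-form filter string as the filter expression, so a misspelled field name is otherwise only discovered when the server rejects or silently misorders the response. The same apply_sort function can be run over the events a GetItemsById call actually returned to confirm they arrived in the requested order.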

Making event requests with sorting

The following EventProviderService methods use sorting:

  • GetItemsById

    You can specify a sorting in the ItemsByIdRequest message.

  • RequestItems

    You can specify a sorting in the Filter message.

The following is an example of using sorting to get events with the GetItemsById method:

# Generated gRPC modules for the KICS for Networks API.
import common_pb2
import event_provider_service_pb2_grpc

# channel is the gRPC channel to the KICS for Networks Server created earlier.
eventStub = event_provider_service_pb2_grpc.EventProviderStub(channel)

# The sorting string is passed in the filter field of ItemsByIdRequest.
request = common_pb2.ItemsByIdRequest(
    maxCount=3,
    filter="sort:{monitoring_point : asc, occurred : desc}"
)

# GetItemsById returns a stream of events in the requested order.
response = eventStub.GetItemsById(request)

for event in response:
    print("\nEvent id:", event.eventId)

The following is an example of combining sorting and filters to get events with the GetItemsById method:

# Generated gRPC modules for the KICS for Networks API.
import common_pb2
import event_provider_service_pb2_grpc

# channel is the gRPC channel to the KICS for Networks Server created earlier.
eventStub = event_provider_service_pb2_grpc.EventProviderStub(channel)

# The filter block and the sort block go into the same filter string.
request = common_pb2.ItemsByIdRequest(
    maxCount=3,
    filter="filter: {severity = critical} sort: {event_id: desc}"
)

# Only events matching the filter are returned, in descending event_id order.
response = eventStub.GetItemsById(request)

for event in response:
    print("\nEvent id:", event.eventId)