Limiting the complexity of queries in alert investigation mode

When investigating an alert, the complexity of SQL queries for event filtering is limited if the Related to alert option is selected in the drop-down list of event sources. If this is the case, only the functions and operators listed below are available for event filtering.

If the All events option is selected from the drop-down list of event sources, these limitations do not apply.

• SELECT
  • The * character is used as a wildcard to represent any number of characters.
• WHERE
  • AND, OR, NOT, =, !=, >, >=, <, <=
  • IN
  • BETWEEN
  • LIKE
  • inSubnet

  Examples:

  • WHERE Type IN ('Base', 'Correlated')
  • WHERE BytesIn BETWEEN 1000 AND 2000
  • WHERE Message LIKE '%ssh:%'
  • WHERE inSubnet(DeviceAddress, '10.0.0.1/24')
• ORDER BY

  Sorting can be done by column.

• OFFSET

  Skip the indicated number of lines before printing the query results output.

• LIMIT

  The default value is 250.

  If you are filtering events by user-defined period and the number of strings in the search results exceeds the defined value, you can click the Show next button to display additional strings in the table. This button is not displayed when filtering events by the standard period.

When filtering by alert-related events in alert investigation mode, you cannot perform operations on the data of event fields or assign names to the columns of displayed data.

Page top