When investigating an alert, the complexity of SQL queries for event filtering is limited if the Related to alert option is selected in the drop-down list. If this is the case, only the functions and operators listed below are available for event filtering.
If the All events option is selected from the drop-down list, these limitations are not applied.
SELECT
    The * character is used as a wildcard to represent any number of characters.
WHERE
    AND, OR, NOT, =, !=, >, >=, <, <=
    IN
    BETWEEN
    LIKE
    inSubnet
    Examples:
        WHERE Type IN ('Base', 'Correlated')
        WHERE BytesIn BETWEEN 1000 AND 2000
        WHERE Message LIKE '%ssh:%'
        WHERE inSubnet(DeviceAddress, '10.0.0.1/24')
ORDER BY
    Sorting can be done by column.
OFFSET
    Skip the indicated number of lines before printing the query results output.
LIMIT
    The default value is 250.
If you are filtering events by a user-defined period and the number of rows in the search results exceeds the defined value, you can click the Show next records button to display additional rows in the table. This button is not displayed when filtering events by the standard period.
When filtering by alert-related events in alert investigation mode, you cannot group the returned data, perform operations on the data of event fields, or assign names to the columns of the displayed data.
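As an added illustration of the restrictions listed above (example code, not KUMA's own), the Python below checks a query for the constructs this page says are unavailable for alert-related events and implements the inSubnet and LIKE matching used in the examples. The tokenizing approach, the keyword set, and the handling of host bits in the inSubnet prefix are assumptions, not documented KUMA behaviour.

```python
import ipaddress
import re

# Only inSubnet may be called in a 'Related to alert' query (from the list above).
ALLOWED_FUNCTIONS = {"insubnet"}
# SQL keywords that can be followed by '(' but are operators, not functions (assumed set).
_KEYWORDS = {"in", "and", "or", "not", "where", "between", "select"}
# Constructs the page says are unavailable in alert investigation mode.
_BLOCKED = [
    (re.compile(r"\bGROUP\s+BY\b", re.I), "GROUP BY: grouping is not available"),
    (re.compile(r"\bAS\s+\w+", re.I), "AS alias: naming columns is not available"),
]


def check_alert_query(query: str) -> list:
    """Return the problems found in a 'Related to alert' query; [] means it passes."""
    # Blank out string literals so quoted text is never mistaken for syntax.
    body = re.sub(r"'[^']*'", "''", query)
    problems = [msg for pattern, msg in _BLOCKED if pattern.search(body)]
    # Any call other than inSubnet is an operation on event field data.
    for name in re.findall(r"\b([A-Za-z_]\w*)\s*\(", body):
        if name.lower() not in _KEYWORDS and name.lower() not in ALLOWED_FUNCTIONS:
            problems.append(f"{name}(): only inSubnet() is available")
    return problems


def in_subnet(address: str, cidr: str) -> bool:
    """inSubnet as used in the example above. Assumption: '10.0.0.1/24' denotes
    the /24 that contains 10.0.0.1, so host bits in the prefix are tolerated."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def like_match(value: str, pattern: str) -> bool:
    """SQL LIKE with '%' standing for any run of characters, as in '%ssh:%'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.S) is not None


if __name__ == "__main__":
    # Constructed queries and values, not taken from any real KUMA instance.
    for q in ("SELECT * FROM events WHERE Type IN ('Base', 'Correlated') LIMIT 250",
              "SELECT count(ID) AS n FROM events GROUP BY DeviceAddress"):
        print(q, "->", check_alert_query(q) or "ok")
    print(in_subnet("10.0.0.57", "10.0.0.1/24"), like_match("sshd ssh: accepted", "%ssh:%"))
```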