HAVING clause

Use the HAVING clause in a query to filter the grouped results. The filters in a HAVING clause are applied after the GROUP BY clause groups the data.

The HAVING clause follows the GROUP BY clause.

You can apply the following filters when you use a HAVING clause in a query:

  • Equal sign (=)
  • Not equal to symbol (<>)
  • Less than symbol (<)
  • Greater than symbol (>)
  • Less than or equal to symbol (<=)
  • Greater than or equal to symbol (>=)
  • BETWEEN between two values, for example (64 AND 512)
  • LIKE case-sensitive match
  • ILIKE case insensitive match
  • SUM/AVG total or average values
  • MAX/MIN maximum or minimum values

Examples of HAVING clauses

The following query example shows results for users who triggered VPN events from more than four IP addresses (HAVING "Count of Source IPs" > 4) in the last 24 hours.

SELECT username, UNIQUECOUNT(sourceip) AS 'Count of Source IPs' 
FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE '%vpn%' 
AND username IS NOT NULL
GROUP BY username 
HAVING "Count of Source IPs" > 4 
LAST 24 HOURS

Note: When you type an AQL query, use single quotation marks for a string comparison, and use double quotation marks for a property value comparison.

The following query example shows results for events where the credibility (HAVING credibility > 5) is greater than five.

SELECT username, sourceip, credibility 
FROM events
GROUP BY sourceip
HAVING credibility > 5 
LAST 1 HOURS

The following query groups results by source IP but displays only results where the magnitude (HAVING magnitude > 5) is greater than five.

SELECT sourceIP, magnitude
FROM events 
GROUP BY sourceIP
HAVING magnitude > 5
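
The following query is an added example, not part of the original page. It uses a WHERE filter on individual events together with a HAVING filter on an aggregated alias, using the BETWEEN operator from the list above, to show source IP addresses that generated higher-magnitude events toward an unusually large number of destinations. The alias names and the thresholds (20 and 500) are constructed values; tune them to your environment.

```sql
-- Added example (not from the original page); thresholds are constructed values.
SELECT sourceip,
       UNIQUECOUNT(destinationip) AS 'Distinct Destinations',
       COUNT(*) AS 'Event Count',
       MAX(magnitude) AS 'Peak Magnitude'
FROM events
WHERE magnitude > 5                                 -- row filter: applied before grouping
GROUP BY sourceip
HAVING "Distinct Destinations" BETWEEN 20 AND 500   -- group filter: applied after grouping
ORDER BY "Distinct Destinations" DESC
LAST 24 HOURS
```

The WHERE clause reduces the set of events that are grouped, and the HAVING clause then keeps or discards whole groups based on the aggregated value.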