SELECT statement
Use the SELECT statement to define the criteria that you use to retrieve event or flow data.
Use the SELECT statement to define the columns (fields) that you want to output from your query and display in the query output. You can use the SELECT statement to output data from an AQL function by using a column alias. Typically, you refer to events or flows in your SELECT statement, but you can also use the SELECT statement with the GLOBALVIEW database, or any other database that you have access to.
A SELECT statement can include the following elements:
- Fields from the events or flows databases
- Custom properties from the events or flows databases
- Functions that you use with fields to represent specific data that you want to return. For example, the function ASSETHOSTNAME(sourceip) searches for the host name of an asset by source IP address at a specific time.
Use an asterisk (*) to denote all columns.
Field names and the SELECT and FROM keywords are not case-sensitive. For example, the following query mixes upper and lower case and still parses:
select Sourceip, DATEFORMAT(starTTime,'YYYY-MM-dd HH:mm') as startTime from events WHERE
username is noT Null GROUP BY sourceip ordER BY starttime lAsT 3 houRS
The following examples are queries that use SELECT statements:

SELECT * FROM flows
    Returns all columns from the flows database.

SELECT sourceip, destinationip FROM events
    Returns only the sourceip and destinationip columns from the events database.

SELECT sourceip, * FROM flows
    Returns the sourceip column first, followed by all columns from the flows database.

SELECT sourceip AS 'MY Source IPs' FROM events
    Returns the sourceip column as the alias or renamed column 'MY Source IPs'.

SELECT ASSETHOSTNAME(sourceip) AS 'Host Name', sourceip FROM events
    Returns the output of the ASSETHOSTNAME function as the column named Host Name, and the sourceip column from the events database.
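The following AQL query, added here as an example and not taken from the original documentation, combines the elements described above in one SELECT: plain fields, a custom property, function output returned through column aliases, a filter, an ordering and a time range. "Auth Result" stands for a custom event property that is assumed to exist in the deployment; LOGSOURCENAME, QIDNAME, ORDER BY, LIMIT and LAST are standard AQL features not shown on this page.

```sql
SELECT
    sourceip,
    ASSETHOSTNAME(sourceip) AS 'Host Name',
    LOGSOURCENAME(logsourceid) AS 'Log Source',
    QIDNAME(qid) AS 'Event Name',
    "Auth Result" AS 'Auth Result',
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS 'Start Time',
    username
FROM events
WHERE username IS NOT NULL
ORDER BY starttime DESC
LIMIT 100
LAST 24 HOURS
```

Custom property names that contain spaces are enclosed in double quotation marks, whereas column aliases use single quotation marks, as in the examples above.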