Events and flows query examples

Use or edit query examples to create events and flows queries that you can use for your AQL searches.

Use the following query examples to get information about events and flows in your network or edit these examples to build your own custom queries.

Important: When you query events, you must type events in lowercase.

Event rates and flow rates for specific hosts

SELECT AVG(Value), "Metric ID", Hostname
FROM events
WHERE LOGSOURCENAME(logsourceid)
ILIKE '%%health%%'
AND ("Metric ID" = 'FlowRate' OR "Metric ID" = 'EventRate')
GROUP BY "Metric ID", Hostname
LAST 15 minutes

This query outputs the AVG_Value, Metric ID, and Hostname columns from the events or flows database for the last 15 minutes.

The AVG_Value column returns a value for the average flow or event rate over the last 15 minutes for the host that is named in the Hostname column.

EPS rates by log source

SELECT logsourcename(logsourceid)
AS 'My Log Sources',
SUM(eventcount) / (2.0*60*60)
AS EPS_Rates
FROM events
GROUP BY logsourceid
ORDER BY EPS_Rates DESC
LAST 2 HOURS

This query outputs the My Log Sources and EPS_Rates columns from events.

The My Log Sources column returns the log source names, and the EPS_Rates column returns the events per second for each log source over the last two hours: the summed event count divided by the number of seconds in the two-hour window (2.0*60*60, that is, 7200 seconds).

Event counts and event types per day

SELECT
DATEFORMAT(devicetime, 'dd-MM-yyyy')
AS 'Date of log source',
QIDDESCRIPTION(qid)
AS 'Description of event', COUNT(*)
FROM events
WHERE devicetime > (now() - (7*24*3600*1000))
GROUP BY "Date of log source", qid
LAST 4 DAYS

This query outputs the Date of log source, Description of event, and COUNT(*) columns from events.

The date of the event, the description of the event, and the count of events are returned for the last four days. The WHERE clause compares devicetime, which is in milliseconds, against now() minus seven days expressed in milliseconds (7*24*3600*1000); the LAST 4 DAYS clause then limits the search window to the last four days.


Monitoring local to remote flow traffic by network

SELECT sourceip,
LONG(SUM(sourcebytes+destinationbytes))
AS TotalBytes
FROM flows
WHERE flowdirection = 'L2R'
AND NETWORKNAME(sourceip)
ILIKE 'servers'
GROUP BY sourceip
ORDER BY TotalBytes

This query outputs the sourceip and TotalBytes columns.

The TotalBytes column returns the sum of the source and destination bytes that cross from local to remote, for each source IP in the servers network.


Monitoring remote to local flow traffic by network

SELECT sourceip,
LONG(SUM(sourcebytes+destinationbytes))
AS TotalBytes
FROM flows
WHERE flowdirection = 'R2L'
AND NETWORKNAME(destinationip)
ILIKE 'servers'
GROUP BY sourceip
ORDER BY TotalBytes

This query outputs the sourceip and TotalBytes columns.

The TotalBytes column returns the sum of the source and destination bytes from remote to local, grouped by the remote source IP. Because the source of a remote-to-local flow is the remote host, the network filter is applied to destinationip, the local side of the flow, so that the query matches flows whose destination is in the servers network.

Copying query examples from the AQL guide

If you copy and paste a query example that contains single or double quotation marks from the AQL Guide, you must retype the quotation marks to be sure that the query parses.
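The following pre-flight helper is an added example, not part of the AQL Guide, that applies the two notes on this page before a pasted query is submitted: it replaces typographic quotation marks with straight ones (the assumption is that copy-paste from the guide substitutes curly Unicode quotes, which is what stops the query from parsing) and lowercases the events and flows table names after FROM. The PASTED_QUERY value and the preflight, normalize_quotes and check function names are constructed for this example.

```python
"""Pre-flight cleanup for AQL queries pasted from the AQL Guide (example code)."""
import re

# Typographic quotation marks that PDF/HTML copy-paste commonly substitutes for
# the straight quotes AQL expects. Assumption: these are the characters behind
# the "retype the quotation marks" advice in the guide.
_QUOTE_MAP = {
    "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'",   # single quotes
    "\u201c": '"', "\u201d": '"', "\u201e": '"', "\u201f": '"',   # double quotes
    "\u00ab": '"', "\u00bb": '"',                                  # guillemets
}

# Table names that AQL requires in lowercase (the page states this for events;
# flows is treated the same way here).
_TABLES = {"events", "flows"}

# Matches the keyword FROM followed by a table name.
_FROM_RE = re.compile(r"(\bFROM\s+)(\w+)", re.IGNORECASE)


def normalize_quotes(aql: str) -> str:
    """Replace typographic quotation marks with straight ASCII quotes."""
    return "".join(_QUOTE_MAP.get(ch, ch) for ch in aql)


def preflight(aql: str) -> tuple[str, list[str]]:
    """Return (cleaned_query, notes).

    notes lists each change made and any quote imbalance that still needs a
    human look; an empty list means the query was submitted unchanged.
    """
    notes: list[str] = []

    cleaned = normalize_quotes(aql)
    if cleaned != aql:
        notes.append("replaced typographic quotation marks with straight quotes")

    def lower_table(match: re.Match) -> str:
        keyword, name = match.group(1), match.group(2)
        if name.lower() in _TABLES and name != name.lower():
            notes.append(f"lowercased table name {name!r} to {name.lower()!r}")
            return keyword + name.lower()
        return match.group(0)

    cleaned = _FROM_RE.sub(lower_table, cleaned)

    # A query with an odd number of quote characters cannot parse; flag it
    # rather than guessing where the missing quote belongs.
    for quote in ("'", '"'):
        if cleaned.count(quote) % 2:
            notes.append(f"unbalanced {quote} quotation marks")

    return cleaned, notes


# Constructed sample: the EPS query from this page as it might arrive after a
# copy-paste, with curly quotes around the alias and a capitalised table name.
PASTED_QUERY = (
    "SELECT logsourcename(logsourceid) AS \u2018My Log Sources\u2019, "
    "SUM(eventcount) / (2.0*60*60) AS EPS_Rates "
    "FROM Events GROUP BY logsourceid ORDER BY EPS_Rates DESC LAST 2 HOURS"
)


if __name__ == "__main__":
    query, notes = preflight(PASTED_QUERY)
    print(query)
    for note in notes:
        print("note:", note)
```

Run the cleaned query through the helper before pasting it into the search box; anything reported as unbalanced still has to be fixed by hand, because the helper deliberately does not guess where a missing quotation mark belongs.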