Transactional query refinements
Refine transactional AQL queries by using the EXPLICIT expression with the BEGIN and END expressions. Also, use the TIMEOUT and TIMEWINDOW expressions to specify time intervals.
Use the EXPLICIT expression with the BEGIN and END expressions to apply more precise filtering to your transactional queries.
For example, you might use the BEGIN expression with the EXPLICIT END expression to capture several (BEGIN) unsuccessful login attempts, which are followed by an (EXPLICIT END) successful login.
Use the TIMEOUT and TIMEWINDOW expressions to apply time filters for the sessions in your transactional queries.
Expressions
Use the expressions that are described in the following to refine your transactional AQL query:
| Query expressions | Description |
|---|---|
| BEGIN | A session is started when you get an event where the BEGIN expression is met or the previous event ends the session. |
| EXPLICIT BEGIN | Starts a new session only if the EXPLICIT BEGIN expression is true. |
| END | A session is ended when you get an event where the END expression is true or the next event starts a new session. |
| EXPLICIT END | Closes the current session only if the EXPLICIT END expression is true. |
| TIMEOUT | Closes the session when the specified TIMEOUT period elapses from the time that the previous event occurred to the time that the current event happened. |
| TIMEWINDOW | Tracks the session time. Closes the session when the specified TIMEWINDOW period elapses from the time that the first event occurred to the time that the current event happened. |
- Syntax
-
SESSION BY <TimeExpression> <ExpressionList> [EXPLICIT] BEGIN <booleanExpression> [EXPLICIT] END <booleanExpression> TIMEOUT <IntegerLiteral millieseconds> TIMEWINDOW <IntegerLiteral SECONDS|MINUTES|HOURS|DAYS>
The following examples show the examples of results that you get by using different combinations of the available query expressions:
BEGIN and END expressions
A BEGIN expression starts a session when an event matches the BEGIN expression or the previous event ends the session.
An END expression ends a session when the END expression is true for an event or the next event starts a new session.
By using the EXPLICIT expression with the BEGIN and END expressions, you apply a more precise filter that refines the result set.
See the following examples of queries and results.
The following query example uses BEGIN and END expressions.
Select sessionId,
DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss')
start_time, username, sourceip,
category from events into TR1
where username = 'user_x'
SESSION BY starttime username, sourceip
BEGIN category=16001
END category=16003
start '2016-12-10 16:00' stop '2016-12-10 23:30'The following table shows the results for the query that uses BEGIN and END.
| sessionID | start_Time | user name | sourceip | category |
|---|---|---|---|---|
| 1 | 2016-12-10 16:00:06 | user_x | 10.2.2.10 | 16001 |
| 1 | 2016-12-10 16:00:06 | user_x | 10.2.2.10 | 16003 |
| 2 | 2016-12-10 16:00:06 | user_x | 10.2.2.10 | 16003 |
| 3 | 2016-12-10 16:00:10 | user_x | 10.2.2.10 | 16001 |
| 3 | 2016-12-10 16:00:10 | user_x | 10.2.2.10 | 16003 |
| 4 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16003 |
| 3 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16001 |
| 3 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16003 |
EXPLICIT BEGIN and END expressions
Events are skipped when a session is not started and an event is not an EXPLICIT
BEGIN event.
Select sessionId,
DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss')
start_time, username, sourceip,
category from events into TR2
where username='user_x'
SESSION BY starttime username, sourceip
EXPLICIT BEGIN category=16001
END category=16003 start '2016-12-10 16:00'
stop '2016-12-10 23:30'The following table shows the results for the query that uses EXPLICIT BEGIN and END.
| sessionID | start_Time | user name | sourceip | category |
|---|---|---|---|---|
| 1 | 2016-12-10 16:00:06 | user_x | 10.2.2.10 | 16001 |
| 1 | 2016-12-10 16:00:06 | user_x | 10.2.2.10 | 16003 |
| 2 | 2016-12-10 16:00:07 | user_x | 10.2.2.10 | 16001 |
| 2 | 2016-12-10 16:00:07 | user_x | 10.2.2.10 | 16003 |
| 3 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16001 |
| 3 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16003 |
| 3 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16003 |
| 4 | 2016-12-10 16:00:14 | user_x | 10.2.2.10 | 16001 |
| 5 | 2016-12-10 16:00:15 | user_x | 10.2.2.10 | 16001 |
| 5 | 2016-12-10 16:00:15 | user_x | 10.2.2.10 | 16003 |
Only events that satisfy the EXPLICIT BEGIN expression are returned.
Sessionid 2 and Sessionid 4 in the EXPLICIT BEGIN and
END don't satisfy the EXPLICIT BEGIN expression.
BEGIN and EXPLICIT END
Close current session only if the EXPLICIT END expression is true. There are no more checks for BEGIN events in the session when the EXPLICIT END expression is true.
Multiple BEGIN events in a single session can be associated with one EXPLICIT
END expression. For example, you might use the EXPLICIT END expression for
counting multiple failed login attempts that are followed by a successful login during a specific
time interval (session timeout).
The following query example uses BEGIN and EXPLICIT END expressions.
Select sessionId,
DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss')
start_time, username, sourceip,
category from events into TR3
where username = 'user_x'
SESSION BY starttime username, sourceip
BEGIN category=16001
EXPLICIT END category=16003
start '2016-12-10 16:00'
stop '2016-12-10 23:30'The following table shows the results for the query that uses BEGIN and EXPLICIT END expressions.
| sessionID | start_Time | user name | sourceip | category |
|---|---|---|---|---|
| 1 | 2016-12-10 16:00:06 | user_x | 10.2.2.10 | 16001 |
| 1 | 2016-12-10 16:00:06 | user_x | 10.2.2.10 | 16003 |
| 2 | 2016-12-10 16:00:07 | user_x | 10.2.2.10 | 16003 |
| 2 | 2016-12-10 16:00:10 | user_x | 10.2.2.10 | 16001 |
| 2 | 2016-12-10 16:00:10 | user_x | 10.2.2.10 | 16003 |
| 3 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16001 |
| 3 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16003 |
| 4 | 2016-12-10 16:00:12 | user_x | 10.2.2.10 | 16003 |
| 4 | 2016-12-10 16:00:12 | user_x | 10.2.2.10 | 16001 |
| 4 | 2016-12-10 16:00:12 | user_x | 10.2.2.10 | 16003 |
| 5 | 2016-12-10 16:00:13 | user_x | 10.2.2.10 | 16001 |
| 4 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16003 |
EXPLICIT BEGIN and EXPLICIT END
Events are ignored when a session is not started and an event is not an EXPLICIT BEGIN event.
Close current session only if the EXPLICIT END expression is true. There are no more checks for BEGIN events in the session when the EXPLICIT END expression is true.
The following query example uses both EXPLICIT BEGIN and EXPLICIT END expressions.
Select sessionId,
DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss')
start_time, username, sourceip,
category from events into TR4
where username = 'user_x'
SESSION BY starttime username, sourceip
EXPLICIT BEGIN category=16001
EXPLICIT END category=16003
start '2016-12-10 16:00'
stop '2016-12-10 23:30'The following table shows the results for the query that uses both EXPLICIT BEGIN and EXPLICIT END expressions.
| sessionID | start_Time | user name | sourceip | category |
|---|---|---|---|---|
| 1 | 2016-12-10 16:00:06 | user_x | 10.2.2.10 | 16001 |
| 1 | 2016-12-10 16:00:06 | user_x | 10.2.2.10 | 16003 |
| 2 | 2016-12-10 16:00:10 | user_x | 10.2.2.10 | 16001 |
| 2 | 2016-12-10 16:00:10 | user_x | 10.2.2.10 | 16003 |
| 3 | 2016-12-10 16:00:11 | user_x | 10.2.2.10 | 16001 |
| 3 | 2016-12-10 16:00:12 | user_x | 10.2.2.10 | 16001 |
| 3 | 2016-12-10 16:00:12 | user_x | 10.2.2.10 | 16003 |
| 4 | 2016-12-10 16:00:13 | user_x | 10.2.2.10 | 16001 |
| 4 | 2016-12-10 16:00:14 | user_x | 10.2.2.10 | 16001 |
| 4 | 2016-12-10 16:00:14 | user_x | 10.2.2.10 | 16003 |
| 5 | 2016-12-10 16:00:15 | user_x | 10.2.2.10 | 16001 |
| 5 | 2016-12-10 16:00:15 | user_x | 10.2.2.10 | 16003 |
TIMEOUT
Closes the session when the specified TIMEOUT period elapses from the time that the previous event occurred to the time that the current event happened. The current event becomes part of a new session. The TIMEOUT value is specified in milliseconds.
The following query example uses the TIMEOUT expression.
Select sessionId,
DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss.SSS')
start_time, username, sourceip,
category from events into TR5
where username='user_x'
SESSION BY starttime username, sourceip
BEGIN category=16001
EXPLICIT END category=16003
TIMEOUT 3600
start '2016-12-10 16:00'
stop '2016-12-10 23:30'The following table shows the results for the query that uses the TIMEOUT expression.
| sessionID | start_Time | user name | sourceip | category |
|---|---|---|---|---|
| 1 | 2016-12-10 16:00:06.716 | user_x | 10.2.2.10 | 16003 |
| 2 | 2016-12-10 16:00:10.328 | user_x | 10.2.2.10 | 16001 |
Sessionid 1 is ended and sessionid 2 is started because the TIMEOUT of 3600 is exceeded.
TIMEWINDOW
Tracks the session time. Closes the session when the specified TIMEWINDOW period elapses from the time that the first event occurred to the time that the current event happened. The current event becomes part of a new session. The TIMEWINDOW value can be specified in seconds, minutes, hours, or days.
The following query example uses the TIMEWINDOW expression.
Select sessionId,
DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss.SSS')
start_time, username, sourceip,
category from events into TR6
where username='user_x'
SESSION BY starttime username, sourceip
BEGIN category=16001
EXPLICIT END category=16003
TIMEWINDOW 3000
start '2016-12-10 16:00'
stop '2016-12-10 23:30'The following table shows the results for the query that uses the TIMEWINDOW expression.
| sessionID | start_Time | user name | sourceip | category |
|---|---|---|---|---|
| 1 | 2016-12-10 16:00:06.415 | user_x | 10.2.2.10 | 16001 |
| 1 | 2016-12-10 16:00:06.433 | user_x | 10.2.2.10 | 16003 |
| 2 | 2016-12-10 16:00:06.716 | user_x | 10.2.2.10 | 16003 |
| 3 | 2016-12-10 16:00:10.328 | user_x | 10.2.2.10 | 16001 |
| 3 | 2016-12-10 16:00:06.328 | user_x | 10.2.2.10 | 16003 |
Sessionid 1 is within the TIMEWINDOW expression time but sessionid 2 is ended because the TIMEWINDOW of 3600 is exceeded.