SELECT statement
Use the SELECT statement to define the criteria that you use to retrieve event or flow data.
Use the SELECT statement to define the columns (fields) that you want to output from your query. You can use the SELECT statement to output data from an AQL function by using a column alias. Typically, you refer to events or flows in your SELECT statement, but you can also use the SELECT statement with the GLOBALVIEW database, or any other database that you have access to.
Use the SELECT statement to select the columns that you want to display in the query output.
The SELECT statement can include the following elements:
- Fields from the events or flows databases
- Custom properties from the events or flows databases
- Functions that you use with fields to represent specific data that you want to return. For example, the function ASSETHOSTNAME(sourceip) searches for the host name of an asset by source IP address at a specific time.
Use an asterisk (*) to denote all columns.
Field names and the SELECT and FROM statements are not case-sensitive. For example, the following query uses mixed case and it parses:
select Sourceip, DATEFORMAT(starTTime,'YYYY-MM-dd HH:mm') as startTime from events WHERE username is noT Null GROUP BY sourceip ordER BY starttime lAsT 3 houRS
The following examples are queries that use SELECT statements:
SELECT * FROM flows
Returns all columns from the flows database.
SELECT sourceip, destinationip FROM events
Returns only the sourceip and destinationip columns from the events database.
SELECT sourceip, * FROM flows
Returns the sourceip column first, followed by all columns from the flows database.
SELECT sourceip AS 'MY Source IPs' FROM events
Returns the sourceip column as the alias or renamed column 'MY Source IPs'.
SELECT ASSETHOSTNAME(sourceip) AS 'Host Name', sourceip FROM events
Returns the output of the function ASSETHOSTNAME as the column named Host Name, and the sourceip column from the events database.
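The following query is an added example, not one from the original page: it combines the elements above (a function output under a column alias, a filter, grouping and a time window) into a per-source-asset summary, which is how an analyst turns a raw SELECT into a triage view. It assumes that the aggregate COUNT(*) and the DESC keyword are available in AQL, as in SQL, and that ORDER BY accepts the aggregate expression; the WHERE condition is a constructed filter that reuses fields shown on this page.

```sql
-- Added example (not from the IBM documentation).
-- Summarise events per source IP, enriched with the asset host name,
-- so a reviewer can see which internal hosts generated the most
-- authenticated events in the last day.
SELECT
    sourceip,
    ASSETHOSTNAME(sourceip) AS 'Host Name',          -- function output via alias
    COUNT(*) AS 'Event Count',                        -- assumed: COUNT(*) aggregate
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') AS 'Start Time'
FROM events
WHERE username IS NOT NULL                            -- constructed filter: only events with a user
GROUP BY sourceip
ORDER BY COUNT(*) DESC                                -- assumed: ordering by the aggregate
LAST 24 HOURS
```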