This topic describes the supported rule syntax for the IPDB Extractor service through descriptions and examples of supported and unsupported syntax. There is a finite set of syntax that you can use to construct rules for reports using the IPDB Extractor service in this release. This topic contains:
- Descriptions of supported and unsupported syntax with examples.
- Supported aggregate functions.
- Supported operators.
- Sample supported queries.
Supported and Unsupported Syntax
When you construct rules that contain SQL queries against the IPDB database in this release, you must adhere to the descriptions and syntax examples described in the following tables.
Supported Literal (Data) Values Syntax
Unsupported IN Syntax
Unsupported LIKE Syntax
Supported LIST Syntax
Unsupported LIST Syntax
Supported Variable Syntax
When you assign the value of the variable in a run configuration, you must enclose the value within single quotes: 'value'.
Unsupported Variable Syntax
Supported select Clause Syntax
You must include order by and group by columns in select clauses.
Unsupported select Clause Syntax
Supported where Clause Syntax
You must include order by and group by columns in where clauses.
Unsupported where Clause Syntax
Supported order by Clause Syntax
Order by functionality is not case-sensitive.
Supported group by Clause Syntax
Supported Aggregate Functions
The IPDB Extractor service supports the following aggregate functions and syntax in this release.
You can use distinct with aggregation functions as shown in the following syntax:
Sample Supported Queries
select msg.id, ip.src, ip.dst, user.dst where size is not null
select msg.id, size, ip.srcport where msg.id='109007' and size not between '10' and '20'
select max(distinct(size)) where msg.id in ('109007','109001')
select * where size != '99' and ip.src = '18.104.22.168'
select ip.srcport,ip.dstport where ip.dst != '22.214.171.124' order by ip.dstport asc
select ip.srcport,ip.dstport where ip.dst != '126.96.36.199' order by ip.dstport asc,ip.srcport desc
select ip.srcport,ip.dstport where ip.dst != '188.8.131.52' group by ip.srcport,ip.dstport order by min(distinct(ip.dstport)) asc, sum(distinct(ip.srcport)) desc
select time where time = ‘2012-sep-04 13:09:03’
select * where ip.src = '184.108.40.206' and ip.dst != '10.31.125.90' or ip.dst!= '220.127.116.11'