This topic describes the supported rule syntax for the IMDB service through descriptions and examples of supported and unsupported syntax. Only a limited subset of query syntax can be used to construct report rules against the IMDB service in this release. This topic contains:
- Descriptions of supported and unsupported syntax with examples.
- Supported aggregate functions.
- Supported operators.
- Sample supported queries.
Supported and Unsupported Syntax
When you construct rules that contain SQL queries against the IMDB database in this release, you must follow the syntax described and illustrated in the following tables.
Supported Literal (Data) Values Syntax
Supported select Clause Syntax
You must include order by and group by columns in select clauses.
Unsupported select Clause Syntax
Supported where Clause Syntax
You must include order by and group by columns in where clauses.
Unsupported where Clause Syntax
Supported order by Clause Syntax
The order by clause is not case-sensitive.
Supported group by Clause Syntax
Supported Aggregate Functions
The IMDB Extractor service supports the following aggregate functions and syntax in this release.
You can use distinct with aggregation functions as shown in the following syntax:
Sample Supported Queries
select alert.name, alert.numEvents, alert.severity where alert.severity exists
select alert.host_summary, alert.name where alert.host_summary contains '10.30.94.34'
select alert.name, alert.numEvents, count(alert.numEvents)
select alert.severity, avg(alert.severity)
select alert.timestamp, incidentCreated where alert.timestamp >= 1475658011
Sample Unsupported Queries
You cannot use timestamp meta values in a where clause in any format other than EPOCH. For example, the following is unsupported: where incidentCreated = "Tue Oct 25 07:15:38 UTC 2016".
You cannot use a nested select (sub-query) to retrieve the msg.id field based on some other condition. For example, the following is unsupported:
select incidentId where incidentid IN (select incidentId from table where alert.source = 'ESA')
You cannot enclose columns in parentheses. For example, select (alert.name), (alert.source), incidentId, receivedTime where alert.severity is not null.
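As an added example (not part of the product documentation), the following Python pre-check rejects a rule query that uses any of the three unsupported constructs listed above (non-EPOCH timestamp comparison, nested select, parenthesized columns) before the rule is saved. The set of timestamp field names is an assumption drawn from this page's sample queries.

```python
import re

# Assumed timestamp meta fields, taken from the sample queries on this page.
TIMESTAMP_FIELDS = {"alert.timestamp", "incidentCreated", "receivedTime"}


def check_rule(query: str) -> list:
    """Return the reasons a rule query is unsupported (empty list means it passes)."""
    problems = []
    q = query.strip()
    if not q.lower().startswith("select "):
        return ["query must begin with select"]

    # A nested select (sub-query) anywhere in the rule is unsupported.
    if re.search(r"\(\s*select\b", q, re.I):
        problems.append("nested select (sub-query) is unsupported")

    # Split the select list from the optional where clause.
    m = re.match(r"select\s+(.*?)(?:\s+where\s+(.*))?$", q, re.I | re.S)
    select_list, where_clause = m.group(1), m.group(2)

    # Columns wrapped in parentheses are unsupported; aggregate calls such as
    # count(alert.numEvents) begin with the function name, so they pass.
    for col in (c.strip() for c in select_list.split(",")):
        if col.startswith("("):
            problems.append(f"column enclosed in parentheses: {col}")

    if where_clause:
        # Timestamp fields may only be compared against EPOCH integers.
        for field, value in re.findall(r"([\w.]+)\s*(?:>=|<=|=|>|<)\s*(\S+)", where_clause):
            if field in TIMESTAMP_FIELDS and not re.fullmatch(r"\d+", value):
                problems.append(f"timestamp field {field} compared with non-epoch value {value}")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the page's supported samples pass, the unsupported ones do not.
    for sample in (
        "select alert.timestamp, incidentCreated where alert.timestamp >= 1475658011",
        'select incidentCreated where incidentCreated = "Tue Oct 25 07:15:38 UTC 2016"',
    ):
        print(sample, "->", check_rule(sample) or "supported")
```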