Events and Flows Query Examples
Use or edit query examples to create events and flows queries that you can use for your AQL searches.
Use the following query examples to get information about events and flows in your network or edit these examples to build your own custom queries.
Event Rates and Flow Rates for Specific Hosts
SELECT AVG(Value), "Metric ID", Hostname FROM events WHERE LOGSOURCENAME(logsourceid) ILIKE '%%health%%' AND ("Metric ID"='FlowRate' OR "Metric ID"='EventRate') GROUP BY "Metric ID", Hostname LAST 15 minutes
This query outputs the AVG_Value, Metric ID, and Hostname columns from the events or flows database for the last 15 minutes.
The AVG_Value column returns a value for the average flow or event rate over the last 15 minutes for the host that is named in the Hostname column.
EPS Rates by Log Source
SELECT logsourcename(logsourceid) AS 'MY Log Sources', SUM(eventcount) / (2.0*60*60) AS EPS_Rates FROM events GROUP BY logsourceid ORDER BY EPS_Rates DESC LAST 2 HOURS
This query outputs the My Log Sources and EPS_Rates columns from events. The divisor is parenthesised so that the two-hour window is converted to seconds before the division; without the parentheses the event count would be divided by 2.0 and then multiplied by 3600.
The My Log Sources column returns log source names and the EPS_Rates column returns the EPS rates for each log source in the last two hours.
Event Counts and Event Types Per Day
SELECT DATEFORMAT( devicetime, 'dd-MM-yyyy') AS 'Date of log source', QIDDESCRIPTION(qid) AS 'Description of event', COUNT(*) FROM events WHERE devicetime >( now() -(7*24*3600*1000) ) GROUP BY "Date of log source", qid LAST 4 DAYS
This query outputs the Date of log source, Description of event, and event count (COUNT(*)) columns from events.
The date of the event, description of event, and count of events are returned for the last four days.
Monitoring Local to Remote Flow Traffic by Network
SELECT sourceip, LONG(SUM(sourcebytes+destinationbytes)) AS TotalBytes FROM flows WHERE flowdirection= 'L2R' AND NETWORKNAME(sourceip) ILIKE 'servers' GROUP BY sourceip ORDER BY TotalBytes
This query outputs the sourceip and TotalBytes columns.
The TotalBytes column returns the sum of the source and destination bytes that cross from local to remote.
Monitoring Remote to Local Flow Traffic by Network
SELECT sourceip, LONG(SUM(sourcebytes+destinationbytes)) AS TotalBytes FROM flows WHERE flowdirection= 'R2L' AND NETWORKNAME(sourceip) ILIKE 'servers' GROUP BY sourceip ORDER BY TotalBytes
This query outputs the sourceip and TotalBytes columns.
The TotalBytes column returns the sum of the source and destination bytes from remote to local.
Copying Query Examples from the AQL Guide
If you copy and paste a query example that contains single or double quotation marks from the AQL Guide, you must retype the quotation marks to be sure that the query parses.
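As an added example, not part of the AQL Guide, the following Python helper straightens the typographic quotation marks that a copied query picks up, checks that the quotes pair up, and submits the query through the QRadar Ariel REST API. The sample query is the EPS-by-log-source example from this page as it looks when pasted; the endpoint paths, the SEC token header and the requests.Session argument are assumptions about the API, not something this page states.

```python
import re
import time

# Typographic quotes that PDF/HTML extraction substitutes for the straight
# quotes the AQL parser expects.
_QUOTE_MAP = str.maketrans({
    "\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"',
})

# Constructed sample: the EPS query from this page as it looks when pasted
# from the guide (curly quotes), with the rate divisor parenthesised.
EPS_QUERY_AS_COPIED = (
    "SELECT logsourcename(logsourceid) AS \u2019MY Log Sources\u2019, "
    "SUM(eventcount) / (2.0*60*60) AS EPS_Rates FROM events "
    "GROUP BY logsourceid ORDER BY EPS_Rates DESC LAST 2 HOURS"
)

def normalize_aql_quotes(query: str) -> str:
    """Straighten typographic quotes and collapse whitespace so that a
    query copied from the guide parses as intended."""
    return re.sub(r"\s+", " ", query.translate(_QUOTE_MAP)).strip()

def quotes_balanced(query: str) -> bool:
    """Cheap pre-flight check: straight single and double quotes must pair
    up (an escaped '' inside a literal still leaves an even count)."""
    return query.count("'") % 2 == 0 and query.count('"') % 2 == 0

def run_ariel_search(session, base_url, query, poll_seconds=2.0, timeout=300):
    """Submit an AQL query via the (assumed) Ariel REST API and return the
    result rows; `session` is a requests.Session carrying the SEC token."""
    aql = normalize_aql_quotes(query)
    if not quotes_balanced(aql):
        raise ValueError("unbalanced quotation marks in AQL query")
    r = session.post(f"{base_url}/api/ariel/searches", params={"query_expression": aql})
    r.raise_for_status()
    search_id = r.json()["search_id"]
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:          # poll until the search finishes
        s = session.get(f"{base_url}/api/ariel/searches/{search_id}")
        s.raise_for_status()
        status = s.json()["status"]
        if status == "COMPLETED":
            res = session.get(f"{base_url}/api/ariel/searches/{search_id}/results")
            res.raise_for_status()
            body = res.json()                   # {"events": [...]} or {"flows": [...]}
            return body.get("events", body.get("flows", []))
        if status in ("ERROR", "CANCELED"):
            raise RuntimeError(f"search {search_id} ended with status {status}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"search {search_id} did not complete in {timeout}s")
```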