Table of Contents
Advertisement
10
U
AQL Q
SING THE
Using Where
Clauses
Using the Group By
Clause
CLI
UERY
select <query item> from <flows|events> where
<sourceCIDR|destinationCIDR> = '<CIDR Range>'
For example:
select * from flows where sourceCIDR = '10.100.100/24'
This command returns all flows coming from the 10.100.100 subnet. To capture
flows coming from and into the subnet use the regular OR expression as follows:
select * from events where sourceCIDR = '10.100.100/24' OR
destinationCIDR = '10.100.100/24'
You can restrict your AQL queries using
operators in the clause include
comparison operators include:
For example,
select sourceIP, category, credibility from events where
severity > 9 and category = 5013
select sourceIP, category, credibility from events where
(severity > 9 and category = 5013) or (severity < 5 and
credibility > 8)
The
clause also supports the
where
settings passed to the AQL CLI. The
keyword to specify the start and end time bounds of the query. All time
between
constraints must be entered as either UNIX timestamps or formatted date/time
strings.
You can only use the
can only query a continuous span of time in a single AQL command.
The logical operator for the
clause should be the
variable as the last constraint of the query and the
variable and the rest of the
arieltime
You can use the
group by
aggregation is combined with arithmetic functions on remaining columns to provide
meaningful results of the aggregation. For example, to enter a query to investigate
the IP addresses that sent more than 1 million bytes within all flows in a specific
time frame, you must enter:
select sourceIP, SUM(sourceBytes) from flows where sourceBytes >
1000000 group by sourceIP
AQL Event and Flow Query CLI Guide
where
,
, and parentheses. Also, the supported
and
OR
=, <, >, >=, <=, and !=
arieltime
arieltime
variable once in a single query. Therefore, you
arieltime
variable and the remainder of the
arieltime
operator. We recommend that you use the
and
where
clause to aggregate your data. Typically, data
clauses. The supported logical
variable, which overrides the time
variable must be used with the
operator between the
and
clause.
where
arieltime
Advertisement
Table of Contents
Related Manuals for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - AQL EVENT AND FLOW QUERY CLI GUIDE
Related Products for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - AQL EVENT AND FLOW QUERY CLI GUIDE
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - EVENT CATEGORY CORRELATION REV 1
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - SNMP AGENT GUIDE REV 1
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1
- Juniper STRM LOG MANAGEMENT 2008.2 - S 6-2008
- Juniper MEDIA FLOW CONTROLLER 2.0.4 -
- Juniper MEDIA FLOW MANAGER 2.0.2 - ADMINISTRATOR S GUIDE AND CLI
- Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01
- Juniper NETWORK AND SECURITY MANAGER 2010.3 - M-SERIES AND MX-SERIES DEVICES GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - NSMXPRESS SERIES II REV 1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - REV1
- Juniper MEDIA FLOW CONTROLLER 2.0.5
- Juniper NETWORK AND SECURITY MANAGER 2010.3
- Juniper 200 Series
Need help?
Do you have a question about the SECURITY THREAT RESPONSE MANAGER 2008.2 - AQL EVENT AND FLOW QUERY CLI GUIDE and is the answer not in the manual?
Questions and answers