Basic Trix Queries

Query | Explanation |
---|---|
`* in log.audit \| trix trix.uniqueIds.fields = (user)` | Use the user column as the unique key (mandatory). |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid)` | Use the pid column as an optional secondary unique key. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id)` | The name of each complex event is taken from the session id value. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id)` | The groups list is taken from the session id values. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id) type=(thread)` | The types list is taken from the thread values. |
Data-filtered Trix Queries

Query | Explanation |
---|---|
`* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.maxEventLimit=3` | Maximum number of events collected into each complex event. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) startRule = (Event Description contains session has started) endRule = (Event Description contains was terminated)` | Start and end conditions. To keep only the ceps that satisfy both the start and the end condition, append: `\| where hasstartevent = true and hasendevent = true` |
`* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.timeframe.limit = (5 seconds)` | The complex event is closed once the limit time has expired. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.event.timeframe.limitFromStart = (10 minutes)` | Only events less than limitFromStart after the first event are added to the transaction. |
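As an added illustration (not code from the Trix documentation or its engine), the following Python model shows how the uniqueIds/uniqueSubIds keys from the basic table and the startRule, endRule, maxEventLimit and limitFromStart options above partition audit rows into complex events, and how the hasstartevent/hasendevent filter drops incomplete sessions. The row dictionary layout, the timestamp field and the exact moment a cep is closed are assumptions, since the page does not spell them out.

```python
# Added illustrative model, not the query engine's own code; the column names,
# timestamp field and exact closing rules below are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Cep:
    key: tuple                    # values of the uniqueIds + uniqueSubIds columns
    events: list = field(default_factory=list)
    hasstartevent: bool = False   # a startRule match was seen
    hasendevent: bool = False     # an endRule match was seen

def trix(rows, unique_ids, sub_ids=(), start_rule=None, end_rule=None,
         max_event_limit=None, limit_from_start=None):
    """Group rows (dicts with 'ts', 'desc' and the key columns) into ceps."""
    open_ceps, closed = {}, []
    for ev in sorted(rows, key=lambda r: r["ts"]):
        key = tuple(ev[c] for c in (*unique_ids, *sub_ids))
        cep = open_ceps.get(key)
        is_start = start_rule is not None and start_rule in ev["desc"]
        # Assumed: a new start match, or a row past limitFromStart of the first
        # event, closes this key's open cep and begins a fresh one.
        if cep and (is_start or (limit_from_start and
                                 ev["ts"] - cep.events[0]["ts"] >= limit_from_start)):
            closed.append(open_ceps.pop(key))
        cep = open_ceps.setdefault(key, Cep(key))
        cep.events.append(ev)
        cep.hasstartevent |= is_start
        cep.hasendevent |= end_rule is not None and end_rule in ev["desc"]
        # Assumed: an end match or reaching maxEventLimit closes the cep.
        if cep.hasendevent or (max_event_limit and len(cep.events) >= max_event_limit):
            closed.append(open_ceps.pop(key))
    return closed + list(open_ceps.values())   # still-open ceps are reported too

def complete_sessions(ceps):
    """Same filter as '| where hasstartevent = true and hasendevent = true'."""
    return [c for c in ceps if c.hasstartevent and c.hasendevent]

T0 = datetime(2024, 1, 1, 12, 0, 0)
def _row(sec, user, pid, desc):   # constructed audit row, not real log data
    return {"ts": T0 + timedelta(seconds=sec), "user": user, "pid": pid, "desc": desc}
SAMPLE = [_row(0, "alice", 100, "session has started"),
          _row(2, "alice", 100, "command executed"),
          _row(1, "bob", 200, "command executed"),
          _row(5, "alice", 100, "session was terminated"),
          _row(660, "bob", 200, "command executed")]
def page_query(rows=SAMPLE):   # the page's start/end-rule query, 10 minute window
    return trix(rows, ("user",), ("pid",), start_rule="session has started",
                end_rule="was terminated", max_event_limit=50,
                limit_from_start=timedelta(minutes=10))
```

On the constructed rows, page_query() yields three ceps (alice's full session plus two single-event fragments for bob, split by the 10 minute window), and complete_sessions() keeps only alice's.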
Complex Trix Queries

Advanced usage of the Trix function, combining several limitations:

```
not "CRYPTO_KEY_USER" IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category)
```

A complex table as output, built from the Trix values:

```
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) | list cep.id as nodeId, cep.starttime as starttime in date format, cep.endtime as endtime in date format, cep.eventscount as events count, cep.fullstate as state, cep.startEvent as startevent, cep.endEvent as endevent, cep.key as key | order by nodeid desc
```

A query with custom columns added to the cep by the user:

```
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) enrichments.pid.all = (pid) enrichments.context.all = (context) | count | group by cep.pid, cep.context
```