
Basic Trix Queries

Query: * in log.audit | trix trix.uniqueIds.fields = (user)
Explanation: user column as a unique key - mandatory

Query: * in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid)
Explanation: pid column as an optional unique key

Query: * in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id)
Explanation: The name for each complex event will be determined by the session id value

Query: * in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id)
Explanation: The groups list will be determined by the session id values

Query: * in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id) type=(thread)
Explanation: The types list will be determined by the thread values

Data-filtered Trix Queries

Query: * in log.audit | trix trix.uniqueIds.fields = (user) cepNode.maxEventLimit=3
Explanation: Max number of events for each complex event

Query: * in log.audit | trix trix.uniqueIds.fields = (user) startRule = (Event Description contains session has started) endRule = (Event Description contains was terminated)
Explanation: Start and End conditions. To keep only the ceps which satisfy both the start and the end condition, add the following:

    | where hasstartevent = true and hasendevent = true

Query: * in log.audit | trix trix.uniqueIds.fields = (user) cepNode.timeframe.limit = (5 seconds)
Explanation: The complex event will be closed after the limit time has expired

Query: * in log.audit | trix trix.uniqueIds.fields = (user) cepNode.event.timeframe.limitFromStart = (10 minutes)
Explanation: Only events which are less than limitTimeFromStart from the first event will be added to the transaction.

Complex Trix Queries

Advanced usage of the Trix function, using multiple limitations:

    not "CRYPTO_KEY_USER" IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category)

Complex table as an output, which relies on Trix values:

    * IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) | list cep.id as nodeId, cep.starttime as starttime in date format, cep.endtime as endtime in date format, cep.eventscount as events count, cep.fullstate as state, cep.startEvent as startevent, cep.endEvent as endevent, cep.key as key | order by nodeid desc

A query with custom columns added to the cep by the user, for example:

    enrichments.pid.first = (pid)
    enrichments.pid.all = (context)

enrichments.<name>.<type> - adds additional columns to the meta of the cep.

name - the name of the output column to use.

type - the type of the extraction; currently either 'first' (extracts the first value it encounters) or 'all' (extracts all values) - optional

    * IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) enrichments.pid.all = (pid) enrichments.context.all = (context) | count | group by cep.pid, cep.context
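The Trix syntax above is product-specific, so the following Python model is added here as an illustration of what the Data-filtered Trix Queries and the enrichments section describe; it is not the product's code and nothing in it is taken from the page beyond the parameter names. Events are keyed on uniqueIds plus uniqueSubIds, startRule and endRule set hasstartevent and hasendevent, maxEventLimit, timeframe.limit and limitFromStart bound each cep, enrichments add 'first' or 'all' columns, and count_by models the closing `count | group by`. The exact open/close rules (a start-rule match or an expired timeframe opens a new cep, events past limitFromStart are dropped), the `time` field in seconds, and the sample audit records are assumptions made for this model only.

```python
"""Model of what a Trix-style query does to flat audit events. Added example,
not the product's code: names follow the page, open/close rules are assumed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


def contains(field_name, needle):
    """Models `<field> contains <text>` as used in startRule and endRule."""
    return lambda ev: needle in str(ev.get(field_name, ""))


@dataclass
class Cep:
    key: tuple                     # uniqueIds + uniqueSubIds values
    name: Optional[str] = None     # cep.name, taken from the first event (assumption)
    events: list = field(default_factory=list)
    hasstartevent: bool = False
    hasendevent: bool = False
    closed: bool = False
    enrichments: dict = field(default_factory=dict)

    def starttime(self): return self.events[0]["time"]
    def eventscount(self): return len(self.events)


def trix(events, unique_ids, unique_sub_ids=(), start_rule=None, end_rule=None,
         max_event_limit=None, timeframe_limit=None, limit_from_start=None,
         cep_name=None, enrichments=None):
    """Group time-ordered events into ceps keyed on uniqueIds + uniqueSubIds.
    Assumed: an end-rule match or maxEventLimit closes a cep; a start-rule match or
    an event later than timeframe.limit after the first one closes it and opens a
    new cep; events later than limitFromStart after the first are not added."""
    if not unique_ids:
        raise ValueError("trix.uniqueIds.fields is mandatory")
    key_fields = tuple(unique_ids) + tuple(unique_sub_ids)
    open_ceps, ceps = {}, []
    def close(cep):
        cep.closed = True
        open_ceps.pop(cep.key, None)
    for ev in events:
        key = tuple(ev.get(f) for f in key_fields)
        cep = open_ceps.get(key)
        if cep is not None and ((start_rule and start_rule(ev)) or
                                (timeframe_limit is not None and
                                 ev["time"] - cep.starttime() > timeframe_limit)):
            close(cep)
            cep = None
        if cep is None:
            cep = Cep(key=key, name=ev.get(cep_name) if cep_name else None)
            open_ceps[key] = cep
            ceps.append(cep)
        if (limit_from_start is not None and cep.events
                and ev["time"] - cep.starttime() >= limit_from_start):
            continue                # outside limitFromStart: not added to the transaction
        cep.events.append(ev)
        cep.hasstartevent |= bool(start_rule and start_rule(ev))
        if end_rule and end_rule(ev):
            cep.hasendevent = True
            close(cep)
        elif max_event_limit is not None and cep.eventscount() >= max_event_limit:
            close(cep)
    for cep in ceps:                # enrichments.<name>.<type>, type 'first' or 'all'
        for name, (fld, kind) in (enrichments or {}).items():
            values = [e[fld] for e in cep.events if fld in e]
            if kind == "first":
                cep.enrichments[name] = values[0] if values else None
            else:                   # 'all': distinct values, first-seen order, hashable tuple
                cep.enrichments[name] = tuple(dict.fromkeys(values))
    return ceps


def count_by(ceps, columns):
    """Models `| count | group by cep.<a>, cep.<b>` over enrichment columns."""
    return Counter(tuple(c.enrichments.get(col) for col in columns) for c in ceps)


def record(t, user, pid, sid, ctx, desc):      # one constructed audit record, t in seconds
    return {"time": t, "user": user, "pid": pid, "session id": sid,
            "context": ctx, "Event Description": desc}


SAMPLE = [                                     # constructed sample data, not real logs
    record(0, "alice", 101, "s1", "shell", "session has started"),
    record(1, "alice", 102, "s2", "cron", "session has started"),
    record(2, "alice", 101, "s1", "shell", "file report.txt read"),
    record(3, "bob", 201, "s3", "shell", "file report.txt read"),
    record(4, "alice", 102, "s2", "cron", "job executed"),
    record(5, "alice", 101, "s1", "shell", "session was terminated"),
    record(6, "bob", 201, "s3", "shell", "session was terminated"),
]


def sessions(events=SAMPLE, **limits):
    """The page's start/end query over the sample, plus any optional limits."""
    return trix(events, unique_ids=["user"], unique_sub_ids=["pid"],
                start_rule=contains("Event Description", "session has started"),
                end_rule=contains("Event Description", "was terminated"),
                cep_name="session id",
                enrichments={"pid": ("pid", "first"), "context": ("context", "all")},
                **limits)


def complete_sessions(events=SAMPLE, **limits):
    """`| where hasstartevent = true and hasendevent = true`."""
    return [c for c in sessions(events, **limits) if c.hasstartevent and c.hasendevent]
```

Calling `complete_sessions()` on the constructed sample returns only alice's pid 101 session, the one cep that has both a start and an end event; `sessions(max_event_limit=2)` or `sessions(timeframe_limit=4)` splits that same session into two ceps, and `sessions(limit_from_start=4)` keeps one cep but drops its late termination event, so it no longer passes the start/end filter. `count_by(sessions(), ["pid", "context"])` yields one row per (pid, context) pair, which is what the last query on the page asks for.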