Basic Trix Queries
Query | Explanation |
---|---|
`* in log.audit \| trix trix.uniqueIds.fields = (user)` | The user column is the unique key (mandatory). |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid)` | The pid column is an optional unique sub-key. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id)` | The name of each complex event is taken from its session id value. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id)` | The groups list is taken from the session id values. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id) type=(thread)` | The types list is taken from the thread values. |
Data-filtered Trix Queries
Query | Explanation |
---|---|
`* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.maxEventLimit=3` | Maximum number of events in each complex event. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) startRule = (Event Description contains session has started) endRule = (Event Description contains was terminated)` | Start and end conditions. To keep only the ceps that satisfy both conditions, append `\| where hasstartevent = true and hasendevent = true` to the query. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.timeframe.limit = (5 seconds)` | The complex event is closed once the time limit has expired. |
`* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.event.timeframe.limitFromStart = (10 minutes)` | Only events occurring less than limitFromStart after the first event are added to the transaction (complex event). |
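To make the semantics of the two tables above concrete, here is an added Python model of how audit events are stitched into complex events (ceps) by unique key and sub-key (user, pid), start/end rules, `cepNode.maxEventLimit` and `cepNode.timeframe.limit`, finishing with the `hasstartevent`/`hasendevent` filter. It is illustration code written for this page, not the product's own engine; the sample events and the exact closing rules (a start event, an expired timeframe or a full cep closes the running cep) are assumptions.

```python
from datetime import datetime, timedelta

def build_ceps(events, unique_fields, start_rule=None, end_rule=None,
               max_events=None, timeframe=None):
    """Stitch flat audit events into ceps, modelling uniqueIds/uniqueSubIds,
    startRule/endRule, cepNode.maxEventLimit and cepNode.timeframe.limit."""
    open_ceps, closed = {}, []          # key -> accumulating cep; finished ceps
    for ev in sorted(events, key=lambda e: e["time"]):
        key = tuple(ev[f] for f in unique_fields)   # e.g. (user, pid)
        desc = ev["Event Description"]
        starts = bool(start_rule) and start_rule in desc
        cep = open_ceps.get(key)
        # A start event, an expired timeframe or a full cep closes the running cep
        # (assumed closing rules, see lead-in).
        if cep and (starts
                    or (timeframe and ev["time"] - cep["starttime"] > timeframe)
                    or (max_events and cep["eventscount"] >= max_events)):
            closed.append(open_ceps.pop(key))
            cep = None
        if cep is None:
            cep = open_ceps[key] = {"key": key, "starttime": ev["time"],
                                    "eventscount": 0, "hasstartevent": starts,
                                    "hasendevent": False}
        cep["eventscount"] += 1
        cep["endtime"] = ev["time"]
        if end_rule and end_rule in desc:       # end condition closes the cep
            cep["hasendevent"] = True
            closed.append(open_ceps.pop(key))
    return closed + list(open_ceps.values())   # ceps still open when data ends

def complete_sessions(ceps):
    """The 'where hasstartevent = true and hasendevent = true' filter."""
    return [c for c in ceps if c["hasstartevent"] and c["hasendevent"]]

# Constructed sample audit events (not from the page); columns mirror the
# user, pid and Event Description fields used by the queries above.
_ROWS = [
    ("2024-01-01 10:00:00", "alice", 101, "session has started"),
    ("2024-01-01 10:00:02", "alice", 101, "executed command ls"),
    ("2024-01-01 10:00:03", "bob",   202, "session has started"),
    ("2024-01-01 10:00:04", "alice", 101, "session was terminated"),
    ("2024-01-01 10:00:30", "bob",   202, "executed command id"),   # > 5 s later
    ("2024-01-01 10:00:31", "bob",   202, "session was terminated"),
]
EVENTS = [{"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "user": u,
           "pid": p, "Event Description": d} for t, u, p, d in _ROWS]

def run_sample():
    return build_ceps(EVENTS, ("user", "pid"), start_rule="session has started",
                      end_rule="was terminated", max_events=3, timeframe=timedelta(seconds=5))
```

With a 5-second timeframe, bob's second event falls outside the window, so his session splits into two ceps and only alice's cep survives the start/end filter.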
Complex Trix Queries
Advanced usage of the Trix function, combining several limits:
not "CRYPTO_KEY_USER" IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category)
A table output built from Trix values:
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) | list cep.id as nodeId, cep.starttime as starttime in date format, cep.endtime as endtime in date format, cep.eventscount as events count, cep.fullstate as state, cep.startEvent as startevent, cep.endEvent as endevent, cep.key as key | order by nodeid desc
A query with custom columns added to the cep by the user:
Extra Fields | Explanation |
---|---|
`enrichments.pid.first = (pid) enrichments.pid.all = (context)` | |
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) enrichments.pid.all = (pid) enrichments.context.all = (context) | count | group by cep.pid, cep.context