...

USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND MINUTE(TIME) < 15 AND DATE='today'

This query returns login events for AJSmith that occurred in the first 15 minutes of any hour (minute 0 to 14) of the current day.

Precedence in Queries

Snare query components are evaluated in the order in which they appear in the query, so AND and OR carry no relative precedence. To change that grouping, enclose the clauses that belong together in brackets.

Reference

Field

A field in SnareQL is a word that represents a field within a particular log type.

Operator

An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the NOT keyword.

Logical Element

A logical element in SnareQL is a word that joins two or more clauses together to form a complex SnareQL query:

  • AND

  • OR

  • NOT

Value

A string designed to represent the contents of a field in an event within the Snare Central datastore.

Function

A function in SnareQL appears as a word followed by parentheses, which may contain a field.

A function performs a calculation on the contents of the field (its value) and returns the result.

  • 15MIN(TIME) - the 15-minute quadrant of the hour

  • 15MINFLOOR(TIME) - the time rounded down to the 15-minute floor (e.g. 17:23:45 becomes 17:15:00)

  • HOUR(TIME) - the hour of the day on a 24-hour clock (0-23)

  • HOURMINUTE(TIME) - the hour and minute (e.g. 17:23)

  • MINUTE(TIME) - the minute of the hour

  • SECONDS(TIME) - the seconds of the minute

  • DAYOFWEEK(DATE) - 1: Sunday, 2: Monday, .. 7: Saturday
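The sample query at the top of this page, the left-to-right evaluation rule from the precedence section, and the functions in the list above, exercised together by a small evaluator. This is an added example written for this page, not Snare Central's own parser or code. It assumes TIME values are HH:MM:SS strings and DATE values are YYYY-MM-DD strings, that string comparisons are case-insensitive, and that LIKE uses SQL-style % and _ wildcards; the EVENTS records and the TODAY reference date are constructed sample data, and 15MIN is omitted because the page does not say what "quadrant" returns.

```python
"""Toy evaluator for the SnareQL subset this page describes (added example, not Snare's own
code). AND/OR evaluate strictly left to right, as the page states; only brackets regroup."""
import re
from datetime import date, datetime
TODAY = "2024-05-13"  # constructed reference date (a Monday); DATE='today' resolves to this
EVENTS = [  # constructed sample events; HH:MM:SS TIME and YYYY-MM-DD DATE are assumed formats
    {"USERNAME": "AJSmith", "EVENTID": "win-login",  "TIME": "09:05:12", "DATE": "2024-05-13"},
    {"USERNAME": "AJSmith", "EVENTID": "win-login",  "TIME": "09:23:45", "DATE": "2024-05-13"},
    {"USERNAME": "AJSmith", "EVENTID": "win-logout", "TIME": "17:03:00", "DATE": "2024-05-13"},
    {"USERNAME": "AJSmith", "EVENTID": "win-login",  "TIME": "09:02:00", "DATE": "2024-05-12"},
    {"USERNAME": "BJones",  "EVENTID": "win-login",  "TIME": "09:01:30", "DATE": "2024-05-13"},
]

def _t(v):  # parse a TIME value
    return datetime.strptime(v, "%H:%M:%S")

FUNCTIONS = {  # the functions listed on the page (15MIN left out: its range is not documented)
    "15MINFLOOR": lambda v: f"{_t(v).hour:02d}:{_t(v).minute // 15 * 15:02d}:00",
    "HOUR": lambda v: _t(v).hour,
    "HOURMINUTE": lambda v: _t(v).strftime("%H:%M"),
    "MINUTE": lambda v: _t(v).minute,
    "SECONDS": lambda v: _t(v).second,
    "DAYOFWEEK": lambda v: date.fromisoformat(v).isoweekday() % 7 + 1,  # 1=Sunday .. 7=Saturday
}
TOKEN_RE = re.compile(r"'([^']*)'|(<=|>=|!=|[=<>()])|([A-Za-z0-9_]+)|(\S)")

def tokenize(query):
    tokens = []
    for string, sym, word, junk in TOKEN_RE.findall(query):  # whitespace is skipped
        if junk:
            raise ValueError(f"unexpected character {junk!r}")
        if sym:
            tokens.append(("SYM", sym))
        elif word:
            tokens.append(("NUM", int(word)) if word.isdigit() else ("WORD", word.upper()))
        else:
            tokens.append(("STR", string))
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, expect=None):
        tok = self.peek()
        if tok[0] is None or (expect and tok != expect):
            raise ValueError(f"expected {expect}, got {tok}")
        self.i += 1
        return tok
    def expr(self):
        node = self.unary()  # A OR B AND C becomes (A OR B) AND C: no AND-over-OR precedence
        while self.peek() in (("WORD", "AND"), ("WORD", "OR")):
            node = (self.take()[1], node, self.unary())
        return node
    def unary(self):
        if self.peek() == ("WORD", "NOT"):
            self.take()
            return ("NOT", self.unary())
        if self.peek() == ("SYM", "("):  # brackets override the left-to-right order
            self.take()
            node = self.expr()
            self.take(("SYM", ")"))
            return node
        return self.comparison()
    def comparison(self):
        name = self.take()[1]
        if self.peek() == ("SYM", "("):  # FUNCTION(FIELD)
            self.take()
            operand = ("FUNC", name, self.take()[1])
            self.take(("SYM", ")"))
        else:
            operand = ("FIELD", name)
        op, (kind, value) = self.take()[1], self.take()
        if op not in ("=", "!=", "<", "<=", ">", ">=", "LIKE") or kind not in ("STR", "NUM"):
            raise ValueError(f"bad comparison {name} {op} {value!r}")
        return ("CMP", operand, op, value)

def evaluate(node, event, today=TODAY):
    if node[0] == "NOT":
        return not evaluate(node[1], event, today)
    if node[0] in ("AND", "OR"):
        lhs, rhs = (evaluate(n, event, today) for n in node[1:])
        return (lhs and rhs) if node[0] == "AND" else (lhs or rhs)
    _, operand, op, value = node
    left = FUNCTIONS[operand[1]](event[operand[2]]) if operand[0] == "FUNC" else event[operand[1]]
    if value == "today":  # page: DATE='today' means the current day
        value = today
    if not (isinstance(left, int) and isinstance(value, int)):  # else text, case-insensitive (assumed)
        left, value = str(left).upper(), str(value).upper()
    if op == "LIKE":  # SQL-style wildcards: % matches any run, _ one character (assumed)
        return re.fullmatch("".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in value), left) is not None
    return {"=": left == value, "!=": left != value, "<": left < value,
            "<=": left <= value, ">": left > value, ">=": left >= value}[op]

def run_query(query, events=EVENTS, today=TODAY):
    parser = Parser(tokenize(query))
    tree = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError(f"unexpected token {parser.peek()}")
    return [e for e in events if evaluate(tree, e, today)]
```

Running the page's query against EVENTS returns only the 09:05:12 login. The precedence point shows up when the same clauses are grouped differently: USERNAME='BJONES' OR USERNAME='AJSMITH' AND EVENTID LIKE '%logout' is evaluated as (BJONES OR AJSMITH) AND logout and matches only the AJSmith logout, whereas USERNAME='BJONES' OR (USERNAME='AJSMITH' AND EVENTID LIKE '%logout') matches both the BJones login and the AJSmith logout. A tool with SQL precedence would read the unbracketed form the second way, so bracket explicitly when porting a detection query into Snare.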

...
