General Query Attributes

The following fields in the Query section are required attributes for creating queries.

General Query Attributes table

Query Fields / Description

Name

Name for the query. Spaces and special characters are OK. This is an alias for the query that appears in pick lists in other editors.

Query on

From the drop-down menu, select one of the following data sources:

  • Event - Select Event if you want to create a report or view trends on event activity

  • Active List - Select Active List to query or view trends on list entries. Additionally select a Query Type. If you are creating a list query with asset-related conditions, see also Example: Creating Asset-Related Conditions for Queries on Lists.

    For more about active lists, see List Authoring.

    Cautions:

    • For good query performance, query on case-sensitive lists only.

    • If the active list contains list fields that reference resources (for example, a field that uses any Group variable function), and the query is used by a trend, that trend will not display the list of resource references. Rather, the trend will display only one list element. This limitation does not affect reports and query viewers.

  • Actor - Select Actor to query or view trends on actor information. (For more information on actors, see Actors.)

  • Asset - Select Asset if you want to report or view trends on statistics about the assets on your network, such as a list or count of assets categorized in a particular asset category, or the zone a particular asset is in at a particular time. (For more about assets, see Modeling the Network.)

  • Case - Select Case if you want to report or view trends on the status of cases, such as number of cases opened and resolved. (For more about cases, see Case Management and Queries.)

  • Notification - Select Notification if you want to report or view trends on the status of events sent out in the notification workflow, such as number of events in the Investigate stage. (For more about notifications, see Managing Notifications.)

  • Session List - Select Session List to query or view trends on session activity.

    If you are creating a list query with asset-related conditions, see also Example: Creating Asset-Related Conditions for Queries on Lists.

    For more about session lists, see Managing Session Lists.

    Caution: For good query performance, query on case-sensitive lists only.

  • Trend - Select Trend if you want to report or maintain trend information on the data gathered in another trend. For instructions about how to build a trend, see Building Trends.

Query On Resource

Available for queries on active and session lists. Select a list from the drop-down panel.

Query Type

Available for queries on active lists. Select one:

  • Snapshot - Select Snapshot if you want the query to return values from the active list with no historical baseline.

  • Interval - Select Interval if you want to view values within a specified period.

Start Time

This field only appears if you are querying on an interval active list, event, or trend. Enter values depending on the data source you selected:

  • Active List, Interval type - Specify the starting point for the data gathering from the specified active list.

  • Event - Specify the starting point for the data gathering from the events database. Event data is generally kept unarchived for 30 days by default, so specify a start time within that time frame.

  • Trend - Specify the starting point for the data gathering from the trends database. Be sure to specify a period within the lifecycle of the trend; otherwise, the query returns an empty result set.

Tip: If the query is used as a base query in a trend, the trend start time overwrites the start time set here. See Trend Parameters.

End Time

This field only appears if you are querying on an interval active list, event, or trend. Enter an end time depending on the type of source data you selected:

  • Active List, Interval type - Specify the ending point for the data gathering from the specified active list.

  • Event - Specify the ending point for the data gathering that is some time after the starting point. Keep in mind that large time spans can mean large amounts of data, which can affect system performance.

  • Trend - Specify the end point for the data gathering that is some time after the starting point.

Tip: If the query is used as a base query in a trend, the trend end time overwrites the end time set here. See Trend Parameters.

Use as Timestamp

This field only appears if you are querying on an interval active list, event, or trend. This field indicates which value to use as the timestamp for the report itself. This value helps with sorting and scheduling.

The following options are available for queries on events and trends:

  • End Time - Select End Time if you want to use the event or trend end-time you specified in the End Time field. The timestamp reflects the event end time. If you are querying on a trend, select this option.

  • Manager Receipt Time - Select Manager Receipt Time to use the time the event was received at the Manager. If you are querying on a trend, this is probably not an appropriate option to choose because in that case, Manager Receipt Time would indicate when the trend is run, rather than when events are received by the Manager.

The following options are available for interval queries on active lists:

  • Date-based field on the active list - This is the default, if such a field exists in the active list.

  • Creation Time - When the list was first populated (created)

  • Last Modified Time - When the list was last updated

Row Limit

Set the row limit for the data table. The default is 10000 rows.

Tips:

  • The row limit you set here determines the row limit for reports using this query. Consider how the row limit will affect report readability. For example, if you have a simple chart with just the X- and Y-axes, you might want a maximum of 20 rows for a single-page chart. For stacked charts, your data points still correspond to the row limit, but two or more will be on the same column. See also Selecting Data for the Z-Axis on a Chart (Optional) for additional information.

  • If the query is used as a base query in a trend, the trend row limit overwrites the row limit set here. See Trend Parameters.

Distinct Rows

This setting means only unique (distinct) rows appear in the results. For example, if you checked this box and there are duplicate returned rows, only one of them is shown.

Database Hint

This option does not apply to CORR-Engine.

Example:

The following example shows a query definition named VPN Logins Outcome - Hourly. Each time you run this query, it returns VPN login attempts over a one-day period based on Start Time ($Now - 1d) and End Time ($Now).
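The following script is an added illustration, not ArcSight code or part of this documentation. It resolves relative Start Time and End Time expressions such as $Now - 1d (the expression grammar, including the unit letters m/h/d/w, is an assumption of this example), applies the rule that a trend's Start Time, End Time and Row Limit overwrite the base query's own values, flags an event query whose Start Time falls outside the 30-day unarchived window, and shows Distinct Rows and Row Limit applied to a constructed result set. The query dictionary fields, the sample "now", and the sample rows are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Event data is kept unarchived for 30 days by default (per the Start Time field description).
RETENTION_DAYS = 30

# Assumed grammar for relative time expressions: $Now optionally followed by +/- <n><unit>.
UNITS = {"m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
_REL = re.compile(r"^\$Now(?:\s*([+-])\s*(\d+)([mhdw]))?$")


def resolve_time(expr, now):
    """Turn '$Now', '$Now - 1d', '$Now + 2h' or an ISO-8601 timestamp into an aware datetime."""
    m = _REL.match(expr.strip())
    if m:
        sign, n, unit = m.groups()
        if sign is None:
            return now
        delta = timedelta(**{UNITS[unit]: int(n)})
        return now + delta if sign == "+" else now - delta
    parsed = datetime.fromisoformat(expr.strip())
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_window(query, now, trend=None):
    """Apply trend overrides, resolve the window and return it with any warnings.

    query: dict with keys query_on, start_time, end_time, row_limit, optionally use_as_timestamp.
    trend: optional dict of Trend Parameters; its start_time/end_time/row_limit win over the query's.
    """
    eff = dict(query)
    if trend:
        for key in ("start_time", "end_time", "row_limit"):
            if key in trend:
                eff[key] = trend[key]
    start = resolve_time(eff["start_time"], now)
    end = resolve_time(eff["end_time"], now)
    warnings = []
    if end <= start:
        warnings.append("End Time must be later than Start Time")
    if eff["query_on"] == "Event" and start < now - timedelta(days=RETENTION_DAYS):
        warnings.append(f"Start Time is older than the {RETENTION_DAYS}-day unarchived event window")
    if eff["query_on"] == "Trend" and eff.get("use_as_timestamp") == "Manager Receipt Time":
        warnings.append("Manager Receipt Time on a trend query reflects when the trend ran, not when events arrived")
    return {
        "start": start.isoformat(),
        "end": end.isoformat(),
        "row_limit": eff["row_limit"],
        "warnings": warnings,
    }


def apply_row_rules(rows, row_limit, distinct):
    """Distinct Rows keeps one copy of each duplicate row; Row Limit then caps the table.

    Assumption of this example: duplicates are removed before the limit is applied.
    """
    if distinct:
        seen, unique = set(), []
        for row in rows:
            if row not in seen:
                seen.add(row)
                unique.append(row)
        rows = unique
    return rows[:row_limit]


# Constructed sample: the VPN Logins Outcome - Hourly definition from the text, with a fixed "now".
EXAMPLE_NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)
EXAMPLE_QUERY = {
    "name": "VPN Logins Outcome - Hourly",
    "query_on": "Event",
    "start_time": "$Now - 1d",
    "end_time": "$Now",
    "row_limit": 10000,
    "use_as_timestamp": "End Time",
}
EXAMPLE_ROWS = [("vpn-gw-1", "success"), ("vpn-gw-1", "failure"), ("vpn-gw-1", "success"), ("vpn-gw-2", "failure")]


def run_example():
    """Resolve the sample query as written and again as the base query of a 7-day trend."""
    return {
        "standalone": check_window(EXAMPLE_QUERY, EXAMPLE_NOW),
        "as_trend_base": check_window(EXAMPLE_QUERY, EXAMPLE_NOW, trend={"start_time": "$Now - 7d", "row_limit": 500}),
        "rows": apply_row_rules(EXAMPLE_ROWS, row_limit=2, distinct=True),
    }


if __name__ == "__main__":
    for label, result in run_example().items():
        print(label, result)
```

Running it prints the one-day window for the standalone definition, the seven-day window and smaller row limit once the trend parameters overwrite the query's own values, and the deduplicated, capped row set.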

Tip: Entering data in the Common and Assign sections is optional, depending on how your environment is configured. For information about the Common and Assign attributes sections, as well as the read-only attribute fields in Parent Groups and Creation Information, see Common Resource Attribute Fields.