To execute a basic query, you can start with just a simple stream selection. In DNIF, Stream is a specific collection of data that is used as a log. The data is written to and read from the log stream in a specific format so that all the instances of a particular stream are diverted into a single segment.
The basic syntax is as follows:
stream = stream_name
- Stream is the standard DQL keyword to retrieve data.
- Stream_name: It represents the name of the stream from where data will be retrieved.
Let's now look at a practical example:
On execution of the above DQL query, it should retrieve all fields for each event where the stream is a firewall.
Events can be matched by specifying criteria to match the fields in the event to other values. The where clause filters data returned by the query based on the conditions you specify immediately after the where keyword. Hence, you can use this clause to search for events based on the values of one or more fields in various permutations as desired.
For example, the following DQL query matches events with an event type of stream and a dstport of 22:
stream=firewall where dstport=22
In the above example, stream is a firewall and it also specifies a value for the matching condition. It will retrieve all fields for each event where the stream is a firewall and the destination port is 22.
Below are some more examples,
stream=firewall where dstport=53 and dstip!='220.127.116.11' stream=firewall where dstport=53 and (dstip='18.104.22.168' or dstip='22.214.171.124')
Non-numeric values must also be enclosed with single quotes. For example, stream=firewall where dstport=53 and user='abc'