In SPL2, you use quotation marks for specific reasons. The following table describes when different types of quotation marks are used:

Single quotation marks ( ' ): Use single quotation marks around field names that include special characters, spaces, dashes, and wildcards. Example: FROM main SELECT avg(cpu_usage) AS 'Avg Usage'

Double quotation marks ( " ): Use double quotation marks to enclose all string values. Because string values must be enclosed in double quotation marks, you can reverse the order of field-value pairs.

Back tick characters ( ` ): Use back tick characters to enclose a search literal. A search literal is a way to search for one or more terms that appear in your data. For more information, see Search literals in expressions. Example: You have a series of logon events that include failed password events. With a search literal, an AND condition is implied between each of the terms. FROM main WHERE `user "ladron" from 192.0.2.0/24` and SELECT _time, source FROM main WHERE `invalid user sshd`

Field names that contain anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks ( ' ). Field names that begin with anything other than a-z, A-Z, or the underscore ( _ ) character must be enclosed in single quotation marks ( ' ). This includes the wildcard ( * ) character, the dash ( - ), and the space character.

The following table shows a few examples of when to use quotation marks with field names:

A dash is used in the new field created by the eval command, and so the field name low-user is enclosed in single quotation marks. This example uses the lower function on the username field to return the values in lowercase.

A wildcard is used in the SELECT clause to search for all fields that start with "bytes". When a wildcard is used to search for a field name, you must enclose the field name in single quotation marks.

Spaces are used to rename the field that is generated when sum(bytes) is calculated. When a field name contains spaces, you must enclose the field name in single quotation marks.

A special character is used in the new field created by the eval command. When you use a special character or a number as the first character in a field name, the field name must be enclosed in single quotation marks.

A period is used to rename the field that is generated when max(size) is calculated. When a field name contains a special character, you must enclose the field name in single quotation marks. This example uses the round function on the value field to round the values to two decimal places.

A number is the first character in the field name 5minutes. Field names that start with anything other than an alphabetical character or the underscore ( _ ) character must be enclosed in single quotation marks.

In your search syntax, enclose all string values in double quotation marks ( " ). Enclosing string values in quotation marks adds flexibility to the ways you can specify the search syntax. For example, to search for events where the field action has the value purchase, you can specify either action="purchase" or "purchase"=action. The only exception to the quotation requirement is with the search command. For backward compatibility with SPL, the SPL2 search command always expects the field name on the left side of the equal ( = ) sign and the value on the right side of the equal sign.

The following table shows a few examples of when to use double quotation marks with string values:

The WHERE clause contains a string value for the action field. The string value must be enclosed in double quotation marks.

Because string values must be in double quotation marks, the syntax becomes flexible. You don't need to adhere to the syntax field=value.
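As an added example that is not part of the Splunk documentation, the following Python helper applies the quoting rules above when an SPL2 search is assembled from variable field names and values (for instance in a script that generates detection searches), so that a name such as low-user or 5minutes is written the way the parser expects; the dataset, the field names and the sample pipeline are assumed.

```python
import re

# Rules from the page: a field name can be written bare only if it starts
# with a-z, A-Z or _ and contains only a-z, A-Z, 0-9 or _. A dash, space,
# period, wildcard or leading digit means single quotation marks are required.
BARE_FIELD_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def needs_single_quotes(field: str) -> bool:
    return BARE_FIELD_NAME.fullmatch(field) is None


def quote_field(field: str) -> str:
    """Return the field name exactly as it must appear in SPL2."""
    if not field or "'" in field:
        raise ValueError(f"unsupported field name: {field!r}")
    return f"'{field}'" if needs_single_quotes(field) else field


def quote_string(value: str) -> str:
    """All string values are enclosed in double quotation marks."""
    if '"' in value:
        # Escaping embedded quotes is not covered by the page, so refuse it.
        raise ValueError("string value contains a double quotation mark")
    return f'"{value}"'


def search_literal(terms: list[str]) -> str:
    """Enclose terms in back ticks; SPL2 implies AND between the terms."""
    if not terms or any("`" in t for t in terms):
        raise ValueError("terms must be non-empty and contain no back tick")
    return "`" + " ".join(terms) + "`"


def field_value(field: str, value: str, *, value_first: bool = False,
                command: str = "where") -> str:
    """Build a field=value comparison, honouring the search-command exception."""
    if value_first and command == "search":
        raise ValueError("the search command requires the field on the left")
    f, v = quote_field(field), quote_string(value)
    return f"{v}={f}" if value_first else f"{f}={v}"


def failed_logon_search() -> str:
    """Assumed sample: count failed sshd logons per lowercased user name."""
    return " | ".join([
        f"FROM main WHERE {search_literal(['failed', 'password'])}",
        f"where {field_value('process', 'sshd', value_first=True)}",
        f"eval {quote_field('low-user')}=lower(user)",
        f"stats count() AS {quote_field('Failed logons')} BY {quote_field('low-user')}",
    ])
```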