Generating an SQL query using a builder

You can use the query builder to generate an SQL query for filtering events.

To generate an SQL query using the builder:

1. Follow the steps to open the events table.
2. Click the button to open the query builder.

   Generate a search query by providing data in the following parameter blocks:

   • SELECT

     Event fields that should be returned. The * value is selected by default, which means that all available event fields must be returned. To adjust the displayed fields, select the desired fields in the drop-down list. Note that Select * increases the duration of the request execution, but eliminates the need to specify the fields in the request.

     When selecting an event field, you can use the field on the right of the drop-down list to specify an alias for the column of displayed data, and you can use the right-most drop-down list to select the operation to perform on the data: count, max, min, avg, sum.

   • FROM

     Data source. Select the events value.

   • WHERE

     Conditions for filtering events.

     To add conditions and groups, click the Add condition and Add group buttons. The AND operator value is selected by default in a group of conditions. Click the operator value to change it. Available values: AND, OR, NOT.

     To change the structure of conditions and condition groups, use the icon to drag and drop expressions.

     To add filter conditions:

     1. In the drop-down list on the left, select the event field that you want to use for filtering.
     2. Select the necessary operator from the middle drop-down list. The available operators depend on the type of value of the selected event field.
     3. Enter the value of the condition. Depending on the selected type of field, you may have to manually enter the value, select it from the drop-down list, or select it on the calendar.

     To delete filter conditions, click the X button. To delete group conditions, click the Delete group button.

   • GROUP BY

     Event fields or aliases to be used for grouping the returned data.

     If you are using data grouping in a query, you cannot customize the events table display, sort events in ascending or descending order, receive statistics, or perform a retrospective scan.

   • ORDER BY

     Columns used as the basis for sorting the returned data. In the drop-down list on the right, you can select the necessary order: DESC — descending, ASC — ascending.

   • LIMIT

     Number of strings displayed in the table.

     The default value is 250.

     If you are filtering events by a user-defined period and the number of strings in the search results exceeds the defined value, you can click the Show next records button to display additional strings in the table. This button is not displayed when filtering events by the standard period.

3. Click the Apply button.

   The current SQL query will be overwritten. The generated SQL query is displayed in the search field.

   To reset the builder settings, click the Default query button.

   To close the builder without overwriting the existing query, click the button.

4. Click the Apply query button to display the data in the table.

   The table will display the search results based on the generated SQL query.

When switching to another section of the web interface, the query generated in the builder is not preserved. If you return to the Events section from another section, the builder will display the default query.