Search Assistant Projections

Projections combine with your search statements to specify which columns display your search results, and how your search results appear in the list. By default, Alert Logic displays search results in descending order by time received and log message. The Search Assistant helps you create projections by providing suggestions as you type.

SELECT

Every projection statement must start with SELECT, which specifies the data field names that appear as columns in the search results list. The order of the SELECT fields in the projection determines the order, from left to right, of the columns in the results list. You can combine this projection clause with others to further customize the display of your results.

The default projection appears as:
SELECT [Time Received], [Message] ORDER BY [Time Received] DESC

AS

Use AS to create an alias for a field name. The alias ensures the search result displays a cryptic field name as a column name with a more readable, descriptive name. You must type the alias between quotation marks.

ORDER BY

Use ORDER BY in a projection to specify the SELECT data field by which to sort search results. You must follow the ORDER BY clause with either DESC or ASC to specify descending or ascending order. If you want to order the results by a column that you named using AS, you must use the alias value you created, including the quotation marks.

GROUP BY

Use GROUP BY in the projection to specify a data field by which to group search results. If you want to group the results by a column that you named using AS, you must use the alias value you created, including the quotation marks.

GROUP BY PERMUTED

Use GROUP BY PERMUTED if you want to group search results by all the values in a specified data field. This projection statement provides more flexibility than GROUP BY, because it allows you to group results by all tokens in a log message, regardless of whether they are parent or child tokens.

COUNT

Use COUNT to display the total number of results that match one or more of the SELECT fields.

The following projection returns a list that shows the user name, the number of log messages that include the user name, and also orders the list by the number of messages, and groups the results by host name:
SELECT [User Name], COUNT (Message) AS "MessageCount" ORDER BY "MessageCount" DESC GROUP BY [Host Name]

HAVING

Use HAVING to specify that the statement you create displays search results where aggregated values meet the conditions determined by the field you specify.

SUM

Use SUM to return the total from a specified numeric column in the results.

AVG

Use AVG to return the average value of the specified numeric column.

MIN

Use MIN to return the smallest value of the specified numeric column.

MAX

Use MAX to return the largest value of the specified numeric column.