Filtering fields

A CQ can select desired fields from a stream, cache, or WActionStore and discard the rest. For example, this CQ from MultiLogApp selects only two of the fields (accessTime and srcIp) from its input stream:

CREATE TYPE AccessLogEntry (
    srcIp String KEY,
    userId String,
    sessionId String,
    accessTime DateTime ...

CREATE STREAM HackerStream OF AccessLogEntry;
...

CREATE CQ SendHackingAlerts 
INSERT INTO HackingAlertStream 
SELECT 'HackingAlert', ''+accessTime, 'warning', 'raise',
  'Possible Hacking Attempt from ' + srcIp + ' in ' + IP_COUNTRY(srcIp)
FROM HackerStream;