Selecting events based on cache entries

This CQ, from MultiLogApp, passes through only those events whose source IP address (srcIp) is found in the BlackListLookup blacklist cache. Events with IP addresses that are not on the blacklist are discarded.

CREATE CQ FindHackers
INSERT INTO HackerStream
SELECT ale
FROM AccessStream ale, BlackListLookup bll
WHERE ale.srcIp = bll.ip;

In this context, SELECT ale selects all the fields from AccessStream (since its alias is ale) and none from BlackListLookup.
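As an added example (not from the Striim documentation or the MultiLogApp sample), the cache join written out together with the type and cache definition it depends on, plus a variant that also carries a field from the cache into the output. The type name BlackListEntry, its reason field, the accessTime field on AccessStream, the file location and the output stream name HackerDetailStream are assumptions.

```sql
-- Assumed type for the cache entries: one row per blacklisted IP.
-- KEY marks the field the cache is indexed on.
CREATE TYPE BlackListEntry (
  ip String KEY,
  reason String
);

-- Assumed cache definition: loaded into memory from a delimited file;
-- keytomap names the field the CQ's WHERE clause looks up against.
CREATE CACHE BlackListLookup USING FileReader (
  directory: '<PLACEHOLDER: directory holding BlackList.txt>',
  wildcard: 'BlackList.txt'
)
PARSE USING DSVParser ()
QUERY (keytomap: 'ip') OF BlackListEntry;

-- Same filter as on the page: an access event is emitted only when
-- its srcIp has an entry in the cache, and the output event carries
-- the stream's fields only (SELECT ale), nothing from the cache.
CREATE CQ FindHackers
INSERT INTO HackerStream
SELECT ale
FROM AccessStream ale, BlackListLookup bll
WHERE ale.srcIp = bll.ip;

-- Variant: select individual fields from both sides so the downstream
-- stream records why the source IP matched. Field names here are assumed.
CREATE CQ FindHackersWithReason
INSERT INTO HackerDetailStream
SELECT ale.srcIp, ale.accessTime, bll.reason
FROM AccessStream ale, BlackListLookup bll
WHERE ale.srcIp = bll.ip;
```

Both CQs behave as an inner join driven by the stream: an event whose srcIp has no cache entry produces no output, which is what makes the cache act as a filter.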