Selecting events based on cache entries
This CQ, from MultiLogApp, selects only events where the IP address is found in a blacklist cache. Events with IP addresses that are not on the blacklist are discarded.
CREATE CQ FindHackers
INSERT INTO HackerStream
SELECT ale
FROM AccessStream ale, BlackListLookup bll
WHERE ale.srcIp = bll.ip;
In this context, SELECT ale selects all the fields from AccessStream (since its alias is ale) and none from BlackListLookup.
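The join above, modelled in Python as an added example (it is not code from MultiLogApp): only events whose srcIp matches a cache row's ip are emitted, and the output carries the event's fields alone. The field names other than srcIp and ip, the sample rows, and the assumption that the two values are compared as exact text are constructed; the canonical option goes beyond the query to show which events an exact text match would miss.

```python
import ipaddress
from typing import Iterable, Iterator, NamedTuple


class AccessLogEntry(NamedTuple):
    """Hypothetical subset of the fields carried by AccessStream."""
    srcIp: str
    userId: str
    url: str


def canonical_ip(text: str) -> str:
    """Return one canonical spelling per address; leave unparsable text as-is."""
    text = text.strip()
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:a.b.c.d -> a.b.c.d
    return str(addr)


def find_hackers(access_stream: Iterable[AccessLogEntry],
                 blacklist: Iterable[dict],
                 canonical: bool = False) -> Iterator[AccessLogEntry]:
    """Model of FindHackers: inner join of the stream with a cache keyed by ip."""
    key = canonical_ip if canonical else (lambda s: s)
    cache = {key(row["ip"]) for row in blacklist}   # stands in for BlackListLookup
    for ale in access_stream:
        if key(ale.srcIp) in cache:                 # WHERE ale.srcIp = bll.ip
            yield ale                               # SELECT ale: stream fields only


# Constructed sample data (documentation address ranges).
BLACKLIST = [{"ip": "203.0.113.7", "source": "feed-a"},
             {"ip": "198.51.100.23", "source": "feed-b"}]
EVENTS = [AccessLogEntry("203.0.113.7", "u1", "/login"),
          AccessLogEntry("192.0.2.10", "u2", "/index"),
          AccessLogEntry("::ffff:198.51.100.23", "u3", "/admin"),
          AccessLogEntry("-", "u4", "/health")]

if __name__ == "__main__":
    for event in find_hackers(EVENTS, BLACKLIST):
        print("exact match:", event)
    for event in find_hackers(EVENTS, BLACKLIST, canonical=True):
        print("canonical match:", event)
```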