Selecting events based on cache entries
This CQ, from MultiLogApp, selects only events where the IP address is found in a blacklist cache. Events with IP addresses that are not on the blacklist are discarded.
CREATE CQ FindHackers
INSERT INTO HackerStream
SELECT ale
FROM AccessStream ale, BlackListLookup bll
WHERE ale.srcIp = bll.ip;
In this context, SELECT ale selects all the fields from AccessStream (since its alias is ale) and none from BlackListLookup.
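The following Python sketch is an added example, not Striim code and not part of MultiLogApp. It mimics the join above (events whose srcIp equals a cached ip are kept, and only the event's fields are emitted) and shows that an equality match finds an address only when both sides write it the same way. Everything except the field names srcIp and ip is constructed for illustration, and the normalization step is an assumption of this example rather than something the CQ does.

```python
import ipaddress

# Constructed sample data: only the field names srcIp and ip come from the page.
BLACKLIST_ROWS = [
    {"ip": "203.0.113.7", "reason": "scanner"},
    {"ip": "2001:db8::1", "reason": "bruteforce"},
]
ACCESS_EVENTS = [
    {"srcIp": "203.0.113.7", "url": "/login", "code": 401},
    {"srcIp": "198.51.100.20", "url": "/index.html", "code": 200},
    {"srcIp": "::ffff:203.0.113.7", "url": "/admin", "code": 403},
    {"srcIp": "2001:0db8:0000:0000:0000:0000:0000:0001", "url": "/login", "code": 401},
    {"srcIp": "-", "url": "/health", "code": 200},  # no address was logged
]


def canonical_ip(text):
    """Return one canonical string per address, or None if it does not parse."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) onto the plain IPv4 form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def build_cache(rows, normalize):
    """Index the blacklist by ip, like a cache keyed on that field."""
    key = canonical_ip if normalize else (lambda s: s)
    return {key(row["ip"]) for row in rows} - {None}


def find_hackers(events, cache, normalize):
    """Yield events whose srcIp is in the cache; all other events are discarded."""
    key = canonical_ip if normalize else (lambda s: s)
    for event in events:
        if key(event["srcIp"]) in cache:
            yield event  # like SELECT ale: event fields only, no cache fields


if __name__ == "__main__":
    for mode in (False, True):
        cache = build_cache(BLACKLIST_ROWS, mode)
        hits = [e["srcIp"] for e in find_hackers(ACCESS_EVENTS, cache, mode)]
        print("normalized" if mode else "exact", hits)
```

With exact string comparison only the first event matches. Once both sides are canonicalized, the IPv4-mapped and fully expanded IPv6 forms of the same blacklisted addresses match as well.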