ELSA subsearches


sfritzke

Oct 11, 2016, 7:59:02 AM
to enterprise-log-search-and-archive
Hi,

I use ELSA in Security Onion and want to select only NEW snort events that have occurred in the last day (or the last week, etc.).

In SQL syntax my query will be something like this:

select distinct signature_id, signature
from event today
where today.timestamp >= TO_TIMESTAMP('2016-10-11', 'YYYY-MM-DD')
  and today.timestamp <= TO_TIMESTAMP('2016-10-12', 'YYYY-MM-DD')
  and today.signature_id not in (
    select distinct(signature_id)
    from event yesterday
    where yesterday.timestamp >= TO_TIMESTAMP('2016-10-10', 'YYYY-MM-DD')
      and yesterday.timestamp <= TO_TIMESTAMP('2016-10-11', 'YYYY-MM-DD')
  );


How can I write this search query in ELSA to get the desired results?


Best regards,


Suzan.
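The "signatures seen today but not yesterday" logic from the post, run end to end with an added example that is not part of the original thread and not ELSA code: the same NOT IN subquery executed with Python's sqlite3 against a constructed table of snort-style events. The `event` table layout, the hypothetical `new_signatures()` helper and all sample rows are assumptions; the only deliberate change from the post's query is half-open windows (`>= start` and `< end`), so an event stamped exactly at midnight is counted in one day, not both.

```python
import sqlite3

# Constructed sample events in the shape the post describes:
# (timestamp, signature_id, signature). Not real alerts.
SAMPLE_EVENTS = [
    ("2016-10-10 09:15:00", 1000001, "EXAMPLE rule 1"),  # seen yesterday and today
    ("2016-10-10 13:40:00", 1000002, "EXAMPLE rule 2"),  # seen yesterday only
    ("2016-10-11 08:05:00", 1000001, "EXAMPLE rule 1"),
    ("2016-10-11 10:30:00", 1000003, "EXAMPLE rule 3"),  # NEW today (twice)
    ("2016-10-11 11:00:00", 1000003, "EXAMPLE rule 3"),
    ("2016-10-12 00:00:00", 1000004, "EXAMPLE rule 4"),  # tomorrow, must be excluded
]

# The post's query, with TO_TIMESTAMP() replaced by ISO-8601 text
# comparisons (sqlite has no TO_TIMESTAMP) and half-open windows.
NEW_SIGNATURES_SQL = """
SELECT DISTINCT signature_id, signature
FROM event AS today
WHERE today.timestamp >= :today_start
  AND today.timestamp <  :today_end
  AND today.signature_id NOT IN (
      SELECT DISTINCT signature_id
      FROM event AS yesterday
      WHERE yesterday.timestamp >= :yesterday_start
        AND yesterday.timestamp <  :today_start)
ORDER BY signature_id
"""


def new_signatures(events, yesterday_start, today_start, today_end):
    """Return (signature_id, signature) pairs first seen in [today_start, today_end)
    that did not occur in [yesterday_start, today_start)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event (timestamp TEXT, signature_id INTEGER, signature TEXT)"
    )
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)", events)
    rows = conn.execute(
        NEW_SIGNATURES_SQL,
        {"yesterday_start": yesterday_start,
         "today_start": today_start,
         "today_end": today_end},
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for sid, name in new_signatures(SAMPLE_EVENTS, "2016-10-10", "2016-10-11", "2016-10-12"):
        print(f"new today: {sid} {name}")
```

Widening the first window (e.g. `yesterday_start="2016-10-04"`) turns the same query into "new this day compared with the past week".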
