Number of events for all sensors with bucket size 1 minute
{"queryType": "topN", "dataSource": "rb_flow", "granularity": "all", "dimension": "sensor_name", "threshold": 1000, "metric": "flows", "aggregations":[{"type":"longSum", "name":"flows", "fieldName":"events"}], "intervals":["2015-05-04T14:47:00/2015-05-04T14:48:00"] }
Group by msg (the signature of the event), showing the event count per msg. It will show the 25 signatures with the most events:
{"dataSource":"rb_event", "granularity":"all", "intervals":["2015-05-04T14:47:00/2015-05-04T14:48:00"], "queryType":"groupBy", "aggregations":[{"type":"longSum", "name":"events", "fieldName":"events"}], "dimensions":["msg"], "orderBy":{"type":"default", "limit":25, "columns":[{"dimension":"events", "direction":"DESCENDING"}]}}
Group by source IP, showing the event count per source IP. It will show all of them:
{"dataSource":"rb_event", "granularity":"all", "intervals":["2015-05-04T14:47:00/2015-05-04T14:48:00"], "queryType":"groupBy", "aggregations":[{"type":"longSum", "name":"events", "fieldName":"events"}], "dimensions":["src"]}
Show all the destinations using dropbox:
{"dataSource":"rb_event", "granularity":"all", "intervals":["2015-05-04T14:47:00/2015-05-04T14:48:00"], "filter":{"type":"regex", "dimension":"msg", "pattern":"(?i)^.*dropbox.*$"}, "queryType":"timeseries", "orderBy":{"type":"default", "limit":100, "columns":[{"dimension":"events", "direction":"DESCENDING"}]}, "aggregations":[{"type":"longSum", "name":"events", "fieldName":"events"}]}
Show all the destinations using dropbox and with the source address 172.23.31.21:
{"dataSource":"rb_event", "granularity":"all", "intervals":["2015-05-04T14:47:00/2015-05-04T14:48:00"], "filter":{"type":"and", "fields":[{"type":"regex", "dimension":"msg", "pattern":"(?i)^.*dropbox.*$"}, {"type":"selector", "dimension":"src", "value":"172.23.31.21"}]}, "queryType":"timeseries", "orderBy":{"type":"default", "limit":100, "columns":[{"dimension":"events", "direction":"DESCENDING"}]}, "aggregations":[{"type":"longSum", "name":"events", "fieldName":"events"}]}
Show all the sources using dropbox with one of the following destinations: 108.160.163.41 or 108.160.162.104
{"dataSource":"rb_event", "granularity":"all", "intervals":["2015-05-04T14:47:00/2015-05-04T14:48:00"], "filter":{"type":"and", "fields":[{"type":"regex", "dimension":"msg", "pattern":"(?i)^.*dropbox.*$"}, {"type":"or", "fields":[{"type":"selector", "dimension":"dst", "value":"108.160.162.104"}, {"type":"selector", "dimension":"dst", "value":"108.160.163.41"}]}]}, "queryType":"groupBy", "aggregations":[{"type":"longSum", "name":"events", "fieldName":"events"}], "dimensions":["src"], "orderBy":{"type":"default", "limit":25, "columns":[{"dimension":"events", "direction":"DESCENDING"}]}}
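The filtered groupBy queries above compose Druid filters (regex, selector, and, or) and then aggregate by one dimension with a descending limit. The following is an added example, not part of the original page or of the redBorder project, that builds such queries in Python and evaluates the same filter tree locally against a handful of constructed rb_event rows, so the regex and selector logic can be checked offline before the query is sent to a broker. The sample events, the helper names and the broker URL are assumptions; the query keys ("orderBy", "longSum", the 2015-05-04 interval) are taken from the page.

```python
import json
import re
import urllib.request
from collections import defaultdict

INTERVAL = "2015-05-04T14:47:00/2015-05-04T14:48:00"  # interval used throughout the page

# Constructed sample rows in the shape of rb_event (not real data).
SAMPLE_EVENTS = [
    {"msg": "ET POLICY Dropbox Client Broadcasting", "src": "172.23.31.21", "dst": "108.160.163.41", "events": 4},
    {"msg": "ET POLICY Dropbox Client Broadcasting", "src": "172.23.31.22", "dst": "108.160.162.104", "events": 2},
    {"msg": "ET POLICY DROPBOX DNS Lookup", "src": "172.23.31.21", "dst": "10.0.0.53", "events": 1},
    {"msg": "ET SCAN Nmap Scripting Engine", "src": "172.23.31.99", "dst": "108.160.163.41", "events": 7},
]


# --- filter builders: each returns exactly the JSON object Druid expects ---
def regex(dimension, pattern):
    return {"type": "regex", "dimension": dimension, "pattern": pattern}


def selector(dimension, value):
    return {"type": "selector", "dimension": dimension, "value": value}


def and_(*fields):
    return {"type": "and", "fields": list(fields)}


def or_(*fields):
    return {"type": "or", "fields": list(fields)}


def group_by(dimension, flt=None, limit=25, interval=INTERVAL):
    """Build a groupBy query in the page's shape: longSum of 'events', ordered DESC with a limit."""
    query = {
        "dataSource": "rb_event",
        "granularity": "all",
        "intervals": [interval],
        "queryType": "groupBy",
        "aggregations": [{"type": "longSum", "name": "events", "fieldName": "events"}],
        "dimensions": [dimension],
        "orderBy": {"type": "default", "limit": limit,
                    "columns": [{"dimension": "events", "direction": "DESCENDING"}]},
    }
    if flt is not None:
        query["filter"] = flt
    return query


# --- local evaluation of the filter tree, for checking a query before sending it ---
def matches(flt, row):
    kind = flt["type"]
    if kind == "selector":
        return row.get(flt["dimension"]) == flt["value"]
    if kind == "regex":
        # Druid's regex filter uses find() semantics, so re.search (not re.fullmatch) mirrors it.
        return re.search(flt["pattern"], row.get(flt["dimension"], "")) is not None
    if kind == "and":
        return all(matches(f, row) for f in flt["fields"])
    if kind == "or":
        return any(matches(f, row) for f in flt["fields"])
    raise ValueError("unsupported filter type: %s" % kind)


def run_group_by_locally(query, rows):
    """Apply the query's filter, sum the longSum field per dimension value, order DESC, apply the limit."""
    dimension = query["dimensions"][0]
    field = query["aggregations"][0]["fieldName"]
    totals = defaultdict(int)
    for row in rows:
        if "filter" in query and not matches(query["filter"], row):
            continue
        totals[row[dimension]] += row[field]
    ordered = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[: query["orderBy"]["limit"]]


def dropbox_sources_for(destinations):
    """The page's last query, generalised to any list of destination addresses."""
    flt = and_(regex("msg", "(?i)^.*dropbox.*$"),
               or_(*[selector("dst", d) for d in destinations]))
    return group_by("src", flt)


def post_query(query, broker_url="http://localhost:8082/druid/v2/"):
    """Send the query to a Druid broker (assumed URL; not exercised offline)."""
    req = urllib.request.Request(broker_url, data=json.dumps(query).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    q = dropbox_sources_for(["108.160.162.104", "108.160.163.41"])
    print(json.dumps(q, indent=2))
    print(run_group_by_locally(q, SAMPLE_EVENTS))
    print(run_group_by_locally(group_by("msg"), SAMPLE_EVENTS))
```

Evaluating the filter locally catches the usual mistakes (a pattern that is case-sensitive when it should not be, a selector on the wrong dimension) on data you can see; the same JSON is then what `post_query` ships to the broker.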
Show how many different signatures (msg) appear in a specific interval, counted per 1-minute bucket:
{"dataSource":"rb_event", "granularity":{"type":"period", "period":"pt1m", "timeZone":"Europe/Berlin", "origin":"2013-12-13T09:00:00.000+01:00"}, "intervals":["2015-05-04T14:47:00/2015-05-04T14:48:00"], "queryType":"timeseries", "aggregations":[{"type":"cardinality", "name":"result", "fieldNames":["msg"]}]}