Query
The Query tab allows configuring queries that can be used in the Workbench and the corresponding search commands. Currently, it is only possible to save queries within S3SPL's app context. Queries created outside S3SPL's app context but shared globally are visible and editable in S3SPL. However, if you change such a query's sharing configuration to App, the query will no longer be visible to S3SPL.
To see all parameters of a query, expand it using the arrow on the left of its row. To hide the details, click the same arrow again.
Parameter | Description | Required | Example |
---|---|---|---|
Name | The name of the query | ✔️ | palo-blocked-port-replacement |
Description | The description of the query | ✔️ | Get all blocked connections with configurable src and dest port |
Query | The query that should be executed | ✔️ | src_port=$src_port$ AND dest_port=$dest_port$ |
Timestamp Used | Whether the query uses a timestamp | ✔️ | Yes |
Timestamp Field | The field that contains the timestamp | ✔️ | _time |
Timestamp Format | The format of the timestamp in the logs. | ✔️ | numeric |
Replacements | The replacements that should be applied to the query. See Replacements for more information | ✔️ | |
Fields | The fields that should be returned by the query | ❌ | src_ip, dest_ip, src_port, dest_port |
Field Delimiter | Delimiter between fields for querying CSV files | ❌ | , |
Record Delimiter | Delimiter between records for querying CSV files | ❌ | \n |
Index Field | The field that contains the index of the events returned | ❌ | |
Source Field | The field that contains the source of the events returned | ❌ | |
Sourcetype Field | The field that contains the source type of the events returned | ❌ | |
Host Field | The field that contains the host of the events returned | ❌ | |
Raw Field | The field that contains the raw event of the events returned | ❌ | |
Reading Roles | The roles that are allowed to read the query configuration and subsequently run the query | ✔️ | s3spl_admin |
Writing Roles | The roles that are allowed to write the query configuration. Writing is furthermore restricted to the s3spl_admin, sc_admin and admin roles | ✔️ | s3spl_admin |
Sharing | The sharing configuration of the query | ✔️ | App |
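The following is an added illustration, not code from S3SPL, of how the parameters in the table fit together: a query template with $name$ replacements is rendered, the replacement values are validated before they are spliced into the query, and the rendered query is run over CSV records using the Timestamp Field, Timestamp Format (numeric), Fields, Field Delimiter and Record Delimiter settings. The CSV sample, the minimal "field=value AND field=value" evaluator and the function names are assumptions made for this example; the real S3SPL query syntax and replacement handling are described in the Replacements and Workbench sections and may differ.

```python
import csv
import re

# Constructed sample bucket content: CSV records with a numeric _time field.
SAMPLE_CSV = (
    "_time,src_ip,dest_ip,src_port,dest_port,action\n"
    "1700000000,10.0.0.5,203.0.113.9,51514,22,blocked\n"
    "1700000060,10.0.0.7,203.0.113.9,51515,443,blocked\n"
    "1700000120,10.0.0.5,198.51.100.4,51514,22,allowed\n"
)

# The Query value from the table, with $name$ replacement placeholders.
QUERY_TEMPLATE = "src_port=$src_port$ AND dest_port=$dest_port$"

PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")
# Replacement values are restricted to simple tokens so that a value such as
# "22 OR action=allowed" cannot change the structure of the rendered query.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:-]+")


def render_query(template, replacements):
    """Fill every $name$ placeholder; reject missing or unsafe values."""
    def substitute(match):
        name = match.group(1)
        if name not in replacements:
            raise ValueError(f"missing replacement for ${name}$")
        value = str(replacements[name])
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"unsafe replacement value for ${name}$: {value!r}")
        return value
    return PLACEHOLDER.sub(substitute, template)


def parse_query(query):
    """Parse 'field=value AND field=value' into (field, value) pairs (assumed syntax)."""
    terms = []
    for clause in query.split(" AND "):
        field, sep, value = clause.partition("=")
        if not sep or not field.strip() or not value.strip():
            raise ValueError(f"unsupported clause: {clause!r}")
        terms.append((field.strip(), value.strip()))
    return terms


def run_query(data, query, fields, earliest, latest,
              field_delim=",", record_delim="\n", timestamp_field="_time"):
    """Return the requested fields of records matching the query and time range."""
    terms = parse_query(query)
    records = [line for line in data.split(record_delim) if line]
    reader = csv.DictReader(records, delimiter=field_delim)
    results = []
    for row in reader:
        # Timestamp Format "numeric": the field holds epoch seconds.
        ts = int(row[timestamp_field])
        if not earliest <= ts <= latest:
            continue
        if all(row.get(field) == value for field, value in terms):
            results.append({field: row[field] for field in fields})
    return results


def demo():
    """Render the template with caller-supplied ports and run it over the sample."""
    query = render_query(QUERY_TEMPLATE, {"src_port": 51514, "dest_port": 22})
    return run_query(SAMPLE_CSV, query,
                     ["src_ip", "dest_ip", "src_port", "dest_port"],
                     earliest=1700000000, latest=1700000100)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The value whitelist in render_query is the check worth keeping in mind: the Query parameter is a template, and whatever supplies the replacement values at search time (a user typing into the Workbench, a dashboard token, a scheduled search) must not be able to rewrite the query's logic.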
Creating a Query
To create a new query, open the Query tab and click on the Add Query button in the top right corner. Fill out the form and click on Add. The query can then be used in the Workbench and the corresponding search commands.
Updating a Query
To update a query, open the Query tab and click on the Update button in the row of the query that should be updated. Fill out the form and click on Update. The updated query can then be used in the Workbench and the corresponding search commands.
It is not possible to change the name of a query. If the name of a query should be changed, the query has to be deleted and a new query with the desired name has to be created.
Deleting a Query
To delete a query, open the Query tab and click on the Delete button in the row of the query that should be deleted. Confirm the deletion by clicking on Delete.
Deleting a query is irreversible: a deleted query cannot be restored and has to be created again if it is still needed.
Running a Query
The configuration page does not allow for directly running a query. Please use the Workbench as described in the Workbench section.