Tips for designing Investigate query parameters

Query parameters let users define named variables for an individual query; each variable can be referenced any number of times within that query.

This makes it easier to write queries that depend on values which change from run to run, such as a date or a process name, without editing hardcoded SQL each time.


Example:


Write a query that looks up processes for a specific day that match a name.


  • Navigate to the "Investigate" page.
  • Select the "Manage parameters" button next to the Save button in the Investigate toolbar. A dialog will appear.
  • Select "Add parameter" and specify a key and data type for each parameter.

                Note : The key is case sensitive. camelCase is recommended but not required; lowercase with underscores may also be used.

  • Add a parameter with key "uptDay" and data type "Number".
  • Add a parameter with key "name" and data type "Text".
  • Close the dialog box and save the query.

                Note : Although closing the parameters dialog displays the parameters, they belong to an individual query, so the query must be saved for the parameters to be retained for later runs of that query.

  • Write the following query. Note how the parameters are referenced using the :keyName format.

                SELECT * FROM processes WHERE name LIKE :name AND upt_day = :uptDay LIMIT 100

  • In the parameters, add a value for name (for example %chrome%) and for uptDay (for example 20190531).
  • Click Run. The query uses the values from your inputs in place of the :name and :uptDay references.
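The substitution the steps above describe, shown as an added example using Python's sqlite3 module, which accepts the same :key placeholder form. This is not Uptycs code; the in-memory processes table, its rows and the wrong-case-key check are constructed here to illustrate the behaviour, not taken from the article.

```python
import sqlite3

# Constructed sample rows for a minimal "processes" table (name, upt_day);
# the real Investigate table has many more columns.
SAMPLE_PROCESSES = [
    ("chrome", 20190531),
    ("chrome_crashpad_handler", 20190531),
    ("chrome", 20190530),
    ("sshd", 20190531),
    ("o'clock-helper", 20190531),   # a quote in the data, handled by binding
]

# The article's query: :name and :uptDay are named parameters.
QUERY = (
    "SELECT * FROM processes "
    "WHERE name LIKE :name AND upt_day = :uptDay LIMIT 100"
)


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (name TEXT, upt_day INTEGER)")
    conn.executemany("INSERT INTO processes VALUES (?, ?)", SAMPLE_PROCESSES)
    return conn


def lookup_processes(name_pattern, upt_day):
    """Run the parameterized query with the given values.

    The SQL text never changes; only the bound values do. The engine treats
    each value as data, so a pattern containing a quote needs no escaping.
    """
    conn = build_db()
    try:
        params = {"name": name_pattern, "uptDay": upt_day}
        return conn.execute(QUERY, params).fetchall()
    finally:
        conn.close()


def wrong_case_key_is_rejected():
    """Keys are case sensitive: supplying 'uptday' leaves :uptDay unbound."""
    conn = build_db()
    try:
        conn.execute(QUERY, {"name": "%chrome%", "uptday": 20190531})
    except sqlite3.ProgrammingError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    for row in lookup_processes("%chrome%", 20190531):
        print(row)
    print("wrong-case key rejected:", wrong_case_key_is_rejected())
```

Running the module prints the two chrome rows for 20190531 and confirms that a key differing only in case is not matched to :uptDay, which is the same case-sensitivity rule the note above describes for Investigate parameters.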


Known Issue(s) :


    In the current release, once a query is saved with parameters, its parameters cannot be added to or modified. This will be addressed in a future release. As a workaround, create a new query with the intended set of parameters.

