AQL Functions Reference

Lookup Functions

Function Description Example

Function	Description	Example
`APPLICATIONNAME(id)`	App name from ID	`APPLICATIONNAME(applicationid)`
`PROTOCOLNAME(id)`	Protocol name from ID	`PROTOCOLNAME(protocolid)`
`ASSETHOSTNAME(ip, time, direction)`	Hostname from asset DB	`ASSETHOSTNAME(sourceip, NOW(), 0)`
`LOGSOURCENAME(id)`	Log source name	`LOGSOURCENAME(logsourceid)`
`QIDNAME(qid)`	Event name from QID	`QIDNAME(qid)`
`CATEGORYNAME(cat)`	Category name	`CATEGORYNAME(category)`

APPLICATIONNAME(id)

App name from ID

APPLICATIONNAME(applicationid)

PROTOCOLNAME(id)

Protocol name from ID

PROTOCOLNAME(protocolid)

ASSETHOSTNAME(ip, time, direction)

Hostname from asset DB

ASSETHOSTNAME(sourceip, NOW(), 0)

LOGSOURCENAME(id)

Log source name

LOGSOURCENAME(logsourceid)

QIDNAME(qid)

Event name from QID

QIDNAME(qid)

CATEGORYNAME(cat)

Category name

CATEGORYNAME(category)

Function Description Example

Function	Description	Example
`NOW()`	Current timestamp	`WHERE starttime > NOW() - 1 HOURS`
`DATEFORMAT(ts, fmt)`	Format timestamp	`DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm')`

NOW()

Current timestamp

WHERE starttime > NOW() - 1 HOURS

DATEFORMAT(ts, fmt)

Format timestamp

DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm')

Function Description Example

Function	Description	Example
`INCIDR(cidr, ip)`	Check if IP in CIDR	`INCIDR('10.0.0.0/8', sourceip)`
`GEO::LOOKUP(ip, field)`	Geo lookup	`GEO::LOOKUP(sourceip, 'country')`

INCIDR(cidr, ip)

Check if IP in CIDR

INCIDR('10.0.0.0/8', sourceip)

GEO::LOOKUP(ip, field)

Geo lookup

GEO::LOOKUP(sourceip, 'country')

If you get "Database 'flows' is invalid" you’re in the wrong context!