FROM
PQL uses the FROM clause the same way SQL does. The FROM clause names the
tree node below which the query searches, and every path in the SELECT and
WHERE clauses is then interpreted relative to that node. For example:
SELECT * FROM /network/device WHERE interface/name = 'eth0'
This query returns data for every device that has an interface named
'eth0'. The query starts at the /network/device level, as indicated in the
FROM clause, evaluates interface/name relative to each device, and returns
the information indicated in the SELECT clause, which in this case is
everything below the matching device node.
If run against the sample database, this query returns the following results:
row  *
     network
       device
         system
           name             5627
           computed_vendor  LANIER
           computed_model   5627
           computed_class   printer
           computed_score   115
         os
           version          LANIER 5627 5.20
         interface
           name             eth0
           mac_address      01:01:02:03:04:05
           in_octets        1995335536
           out_octets       248342455
           oper_status      1
       device
         system
           name             ESMITH
           computed_vendor  Intel
           computed_class   server
           computed_score   10
         os
           version          Linux
         interface
           name             eth0
           mac_address      02:A1:A2:A3:A4:A4
           in_octets        1229592351
           out_octets       1472928781
           oper_status      1
         interface
           name             eth1
           mac_address      03:A1:A2:A3:A4:A5
           in_octets        0
           out_octets       0
           oper_status      0
       device
         system
           name             AJONES
           computed_vendor  Intel
           computed_class   server
           computed_score   10
         os
           version          Linux
         interface
           name             eth0
           mac_address      04:A1:A2:A3:A4:A8
           in_octets        1223098455
           out_octets       1523093749
           oper_status      1
         interface
           name             eth1
           mac_address      05:A1:A2:A3:A4:A9
           in_octets        0
           out_octets       0
           oper_status      0
       device
         system
           computed_model   Ethernet Switch
           computed_class   switch
           computed_score   25
         os
           version          Ethernet Switch
         interface
           name             eth0
           mac_address      06:13:72:F3:0A:F5
           in_octets        0
           out_octets       0
           oper_status      2
         interface
           name             eth1
           mac_address      07:13:72:F3:0A:F6
           in_octets        0
           out_octets       0
           oper_status      2
       device
         system
           name             KRYPTON
           computed_model   Windows Workstation
           computed_class   workstation
           computed_score   125
         os
           version          Darwin Kernel Version 9.2.2
         interface
           name             eth0
           mac_address      08:16:CB:FF:FE:66
           in_octets        0
           out_octets       346
           oper_status      1
         interface
           name             eth1
           mac_address      09:16:CB:FF:FE:67
           in_octets        0
           out_octets       0
           oper_status      2
         interface
           name             eth2
           mac_address      10:16:CB:FF:FE:68
           in_octets        0
           out_octets       0
           oper_status      2
         interface
           name             eth3
           mac_address      11:16:CB:FF:FE:69
           in_octets        1598233842
           out_octets       2360815490
           oper_status      1
       device
         system
           name             NISSINGETTY
           computed_vendor  Juniper Networks
           computed_model   Netscreen Router
           computed_class   router
           computed_score   60
         os
           version          NetScreen-5GT 5.1.043a
         interface
           name             eth0
           mac_address      12:10:D8:99:2B:C2
           in_octets        1385354750
           out_octets       1451321493
           oper_status      1
         interface
           name             eth1
           mac_address      13:10:D8:99:2B:C1
           in_octets        3312952833
           out_octets       3239791359
           oper_status      1
Example 2:
This query uses a more specific FROM clause and finds the number of
devices with each port open. Because a single device can have several
open values, the query is rooted at the open node rather than at the
device node, so that each open port becomes its own row before grouping
and the count is per port, not per device.
SELECT /, count(*) FROM /network/device/evidence/ip/tcp/ports/open GROUP BY / ORDER BY 1
Depending on the database, this query returns results that look something like this:
row  /    count(*)
     11   1
     21   4
     22   17
     23   11
     25   3
     53   1
     80   27
     88   1
     111  2
     ...
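As an added example (not code from this page or from PQL itself), here is a small Python model of the rooting rule behind both queries above: the FROM path selects the root nodes, every SELECT and WHERE path is resolved relative to each root, and repeated children expand into one row each. The tree shape, the list-expansion rule and the path syntax are assumptions taken from the two examples on this page, and the sample database is a constructed, cut-down version of the results shown, not real data. The last function shows what goes wrong when Example 2 is rooted one level too high.

```python
# Added example (not part of PQL or this page's product): a small Python model
# of how the FROM clause roots the rest of a PQL query at a tree node. The
# tree shape, list-expansion rule and path syntax are assumptions taken from
# the two queries on this page; the sample data is constructed, not real.
from collections import Counter

# Constructed sample database: a cut-down version of the results shown above.
# Repeated children (device, interface, open) are held as lists.
SAMPLE_DB = {
    "network": {
        "device": [
            {"system": {"name": "5627", "computed_class": "printer"},
             "interface": [{"name": "eth0", "oper_status": 1}],
             "evidence": {"ip": {"tcp": {"ports": {"open": [80, 515]}}}}},
            {"system": {"name": "ESMITH", "computed_class": "server"},
             "interface": [{"name": "eth0", "oper_status": 1},
                           {"name": "eth1", "oper_status": 0}],
             "evidence": {"ip": {"tcp": {"ports": {"open": [22, 80]}}}}},
            {"system": {"computed_class": "switch"},   # no name, as on the page
             "interface": [{"name": "eth0", "oper_status": 2}],
             "evidence": {"ip": {"tcp": {"ports": {"open": [23]}}}}},
        ]
    }
}


def resolve(node, path):
    """Return every value reached from `node` by a slash-separated path.

    Lists are expanded at every step, so 'interface/name' evaluated against a
    device yields the name of each of its interfaces. The path '/' (or '')
    names the node itself, which is what SELECT / means in Example 2.
    """
    if isinstance(node, list):
        return [v for child in node for v in resolve(child, path)]
    if path in ("", "/"):
        return [node]
    head, _, rest = path.strip("/").partition("/")
    if not isinstance(node, dict) or head not in node:
        return []
    return resolve(node[head], rest)


def query(tree, from_path, select_paths, where=None):
    """Evaluate SELECT <select_paths> FROM <from_path> [WHERE <where>].

    FROM picks the root nodes; SELECT and WHERE paths are then resolved
    relative to each root, exactly as Example 1 resolves interface/name
    relative to /network/device. `where` is a predicate over a root node.
    """
    rows = []
    for root in resolve(tree, from_path):
        if where is not None and not where(root):
            continue
        rows.append(tuple(resolve(root, p) for p in select_paths))
    return rows


def devices_with_interface(tree, ifname):
    """Model of Example 1, narrowed to the device name:
    SELECT system/name FROM /network/device WHERE interface/name = '<ifname>'
    """
    rows = query(tree, "/network/device", ["system/name"],
                 where=lambda dev: ifname in resolve(dev, "interface/name"))
    # A device with no system/name contributes an empty list and is skipped.
    return [name for (names,) in rows for name in names]


def count_devices_per_open_port(tree):
    """Model of Example 2:
    SELECT /, count(*) FROM /network/device/evidence/ip/tcp/ports/open
    GROUP BY / ORDER BY 1
    Rooting at the open node makes each open port its own row before grouping.
    """
    ports = resolve(tree, "/network/device/evidence/ip/tcp/ports/open")
    return sorted(Counter(ports).items())


def open_ports_per_device(tree):
    """The same data rooted one level too high, at /network/device: one row per
    device carrying that device's whole list of open ports. Grouping on this
    would group devices with identical port lists, not count devices per port,
    which is why Example 2 roots the FROM clause at the open node instead.
    """
    return query(tree, "/network/device", ["evidence/ip/tcp/ports/open"])


if __name__ == "__main__":
    print(devices_with_interface(SAMPLE_DB, "eth0"))   # ['5627', 'ESMITH']
    print(count_devices_per_open_port(SAMPLE_DB))      # [(22, 1), (23, 1), (80, 2), (515, 1)]
    print(open_ports_per_device(SAMPLE_DB))            # [([80, 515],), ([22, 80],), ([23],)]
```

The switch device, which has no system/name in the sample, shows the other side of relative resolution: a path that does not exist below the root yields no values rather than an error, so the device drops out of the Example 1 result silently. When a query seems to be missing devices, check that the path in the SELECT clause actually exists below the node named in FROM.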

