Using Relational Operators With Fetch Directive


As described in the DNIF v6.8.0 release notes, relational operators can now be used to compare integer data within the _fetch directive itself.

The relational operators greater than (>), less than (<), greater than or equal to (>=) and less than or equal to (<=) can now be used in numeric comparisons to filter for the required data.

For example, if we would like to see only those events and their source IPs for which the size of the event data is more than 2KB, then the query can be written as:

_fetch $EvtLen, $SrcIP from event where $EvtLen>2024 limit 100

Or, if we would like to see only those events and their source IPs for which the size of the event data is less than 2KB, then the query can be written as:

_fetch $EvtLen, $SrcIP from event where $EvtLen<2024 limit 100


Similarly, >= (greater than or equal to) and <= (less than or equal to) can be used as shown below:

_fetch $EvtLen, $SrcIP from event where $EvtLen>=2024 limit 100
_fetch $EvtLen, $SrcIP from event where $EvtLen<=2024 limit 100
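To make the boundary behaviour of the four operators concrete, the following added example (not DNIF's own code) implements a small evaluator for just the query shape used on this page, `_fetch $A, $B from <table> where $F <op> <int> limit <n>`, and runs it over constructed events, including one whose $EvtLen is exactly 2024. The grammar, the skipping of non-integer field values and the sample events are assumptions for illustration.

```python
import re

# Assumed subset of the _fetch syntax shown on this page:
#   _fetch $F1, $F2 from <table> where $F <op> <int> [limit <n>]
FETCH_RE = re.compile(
    r"^_fetch\s+(?P<fields>(?:\$\w+\s*,\s*)*\$\w+)\s+from\s+(?P<table>\w+)"
    r"\s+where\s+\$(?P<lhs>\w+)\s*(?P<op>>=|<=|>|<)\s*(?P<rhs>-?\d+)"
    r"(?:\s+limit\s+(?P<limit>\d+))?\s*$"
)

OPS = {
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}

def parse_fetch(query):
    """Parse one _fetch query into its fields, table, comparison and limit."""
    m = FETCH_RE.match(query.strip())
    if not m:
        raise ValueError("unsupported _fetch query: %r" % query)
    fields = [f.strip().lstrip("$") for f in m.group("fields").split(",")]
    limit = int(m.group("limit")) if m.group("limit") else None
    return {"fields": fields, "table": m.group("table"), "lhs": m.group("lhs"),
            "op": m.group("op"), "rhs": int(m.group("rhs")), "limit": limit}

def run_fetch(query, events):
    """Apply the where clause to events and project the requested fields."""
    q = parse_fetch(query)
    compare = OPS[q["op"]]
    out = []
    for ev in events:
        val = ev.get(q["lhs"])
        # Assumption: only integer data is compared; non-integer values are skipped
        if not isinstance(val, int) or compare(val, q["rhs"]) is False:
            continue
        out.append({f: ev.get(f) for f in q["fields"]})
        if q["limit"] is not None and len(out) >= q["limit"]:
            break
    return out

# Constructed sample events; 10.0.0.2 sits exactly on the 2024 boundary
SAMPLE_EVENTS = [
    {"EvtLen": 512, "SrcIP": "10.0.0.1"},
    {"EvtLen": 2024, "SrcIP": "10.0.0.2"},
    {"EvtLen": 4096, "SrcIP": "10.0.0.3"},
    {"EvtLen": "n/a", "SrcIP": "10.0.0.4"},
]

if __name__ == "__main__":
    for op in (">", "<", ">=", "<="):
        q = "_fetch $EvtLen, $SrcIP from event where $EvtLen%s2024 limit 100" % op
        print(op, [r["SrcIP"] for r in run_fetch(q, SAMPLE_EVENTS)])
```

Only the >= and <= queries return the event with $EvtLen of exactly 2024; > and < exclude it.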