FireSIGHT System Database Access Guide
Chapter 2 Setting Up Database Access
Querying the Database
LIMIT 0, 25;
 
Keep in mind that all times in the database are in UTC. Although the CONVERT_TZ() function is allowed, it only provides results in UTC.

Note that some events have microsecond resolution associated with them. Use the CONCAT() and LPAD() functions to concatenate the UNIX timestamp and the microsecond increment. For example, the following statement queries the intrusion_event table:

SELECT CONCAT(FROM_UNIXTIME(event_time_sec), '.', LPAD(event_time_usec, 6, '0')),
HEX(host_id),
rule_message
FROM intrusion_event
LIMIT 0, 25;

To query the database for events with a particular UNIX timestamp, use the UNIX_TIMESTAMP() function.
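The two points above worked through as an added example (not a query from the guide): the first statement renders event_time_sec and event_time_usec as a single UTC timestamp with microsecond resolution and restricts the scan to a one-hour window computed with UNIX_TIMESTAMP(); the second looks up the events that share one exact UNIX timestamp. The intrusion_event table and the columns event_time_sec, event_time_usec, host_id and rule_message are the ones named above; the date literals are constructed sample values, and the ORDER BY clause is assumed to be accepted by the database access interface.

```sql
-- Added example, not from the guide. All stored times are UTC, so the bounds are
-- written as UTC literals and turned into epoch seconds with UNIX_TIMESTAMP();
-- CONVERT_TZ() would not move the result into a local zone here.
SELECT CONCAT(FROM_UNIXTIME(event_time_sec), '.', LPAD(event_time_usec, 6, '0')) AS event_time_utc,
       HEX(host_id) AS host_id_hex,
       rule_message
FROM intrusion_event
WHERE event_time_sec BETWEEN UNIX_TIMESTAMP('2014-03-01 00:00:00')   -- constructed sample window (UTC)
                         AND UNIX_TIMESTAMP('2014-03-01 00:59:59')
ORDER BY event_time_sec DESC, event_time_usec DESC
LIMIT 0, 25;

-- Events that share one exact UNIX timestamp (second resolution), ordered by the
-- microsecond increment so that the events within that second appear in sequence.
SELECT event_time_usec,
       HEX(host_id) AS host_id_hex,
       rule_message
FROM intrusion_event
WHERE event_time_sec = UNIX_TIMESTAMP('2014-03-01 00:15:30')   -- constructed sample time (UTC)
ORDER BY event_time_usec
LIMIT 0, 25;
```

One caveat when checking results against a MySQL client: on a standard MySQL server, UNIX_TIMESTAMP('...') interprets the string literal in the session time zone, so a client session whose time zone is not UTC would shift the window. Since the database stores UTC, confirm the session time zone (or compute the epoch bounds outside the query) before trusting a time-bounded result.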
Limiting Queries for Performance Reasons
Although the system limits the joins you can perform on Cisco database tables, it does still allow some expensive queries - queries that may negatively impact the performance of your Defense Center. Therefore, you should try to limit the result set for large tables. Strategies include:
• constraining queries to a specific time range
• constraining queries by IP address
• using the LIMIT clause
Depending on your deployment, querying many tables may require a limited result set. In particular, the following tables can contain up to 100 million events on a DC3000:
• fireamp_event
• intrusion_event
• intrusion_event_packet
• connection_log (pre-Version 5.0 name: rna_flow)
• connection_summary (pre-Version 5.0 name: rna_flow_summary)
Queries on network map tables may also be expensive, depending on the number of hosts the system has detected on your monitored network.
Query Tips
The following sections provide tips on ensuring unique results when you build queries that include 
detection engines or intrusion events.
Device Names
Device names are not necessarily unique across multiple Defense Centers. To ensure uniqueness, 
include a specific device UUID in your query.
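The limiting strategies from the previous section and the device-UUID advice above, combined in one added example (not a query from the guide or from Cisco): the statement bounds a scan of the large intrusion_event table by a time range, an IP address, a device UUID and a LIMIT clause, so that none of the 100-million-row tables is read in full. The column names sensor_uuid, src_ip and dst_ip, and the string form of the IP comparison, are assumptions and must be checked against the table description in this guide; the address, dates and UUID are constructed placeholders.

```sql
-- Added example, not from the guide. Every recommended constraint is applied
-- together so that the scan over a large table stays bounded.
-- Assumed column names (verify against the intrusion_event table description):
--   sensor_uuid  device UUID, unique where a device name may not be
--   src_ip       source address of the event
--   dst_ip       destination address of the event
SELECT CONCAT(FROM_UNIXTIME(event_time_sec), '.', LPAD(event_time_usec, 6, '0')) AS event_time_utc,
       HEX(host_id) AS host_id_hex,
       rule_message
FROM intrusion_event
WHERE event_time_sec >= UNIX_TIMESTAMP('2014-03-01 00:00:00')   -- constructed one-day window (UTC)
  AND event_time_sec <  UNIX_TIMESTAMP('2014-03-02 00:00:00')
  AND (src_ip = '10.0.0.5' OR dst_ip = '10.0.0.5')              -- constructed sample address
  AND sensor_uuid = '00000000-0000-0000-0000-000000000000'      -- placeholder device UUID
ORDER BY event_time_sec DESC, event_time_usec DESC
LIMIT 0, 100;
```

The half-open time range (>= start, < end) avoids double-counting an event that falls exactly on a day boundary when the window is advanced day by day, and filtering on the device UUID rather than the device name keeps the result correct when the same name is used on more than one Defense Center.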