    Alert when flows from IP addresses are present using the SDK - SourceIP field throwing error

    johnny ringo


      I am trying to create an alert that triggers when certain flows were present in the last hour at certain sites on my network.  However, when I try to build a SWQL query to check for those flows, I get the error "Not a valid IP Address" for the SourceIP field.  The field is labeled as a string in SWQL Studio.  Why is it throwing this error?  PS: I am using NTA 4.1.1.


      PS: Thanks for the help!


      SELECT TOP 10 F.NodeID, SUM(F.TotalBytes) AS TotalBytes, NC.City, A.Name, F.SourceIP
      FROM Orion.NetFlow.Flows AS F
      LEFT JOIN Orion.Nodes AS N ON F.NodeID = N.NodeID
      LEFT JOIN Orion.NodesCustomProperties AS NC ON N.NodeID = NC.NodeID
      LEFT JOIN Orion.NetFlow.Applications AS A ON A.ApplicationID = F.ApplicationID
      -- 0.04167 days is roughly one hour; the LIKE on SourceIP is the clause that raises the error
      WHERE F.TimeStamp >= (GetUTCDate() - 0.04167) AND F.SourceIP LIKE '%192.168.%'
      GROUP BY F.SourceIP, F.NodeID, A.Name, NC.City
      ORDER BY TotalBytes DESC