Athena User Guide

Querying Data

All alerts generated by StreamAlert are delivered to an alerts S3 bucket via Kinesis Firehose. Once there, they are searchable with Athena.

To get started querying this data, navigate to the AWS Console, click Services, and type ‘Athena’.

When the service loads, switch the DATABASE option in the dropdown to streamalert:

[Screenshot: StreamAlert Athena Database Selection]

To view the schema of the alerts table, click the eye icon:

[Screenshot: StreamAlert Athena Alerts Schema]

To make a query, type a SQL statement in the Query Editor, and click Run Query:

[Screenshot: StreamAlert Athena Run Query]

The query shown in the screenshot above returns the 10 most recent alerts.

Tips

Data is partitioned by minute, using the format YYYY-MM-DD-hh-mm.

For example, the partition 2017-08-01-22-00 holds the alerts for 22:00 on 2017-08-01.

To improve query performance and reduce the amount of data scanned, filter on a specific partition or a range of partitions.

In StreamAlert tables, the date partition is the dt column.

As an example, the query below counts all alerts during a given minute:

[Screenshot: StreamAlert Athena Run Query with Partition]
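The three queries below are an added example written for this guide, not the queries captured in the screenshots. They assume the streamalert database and its alerts table with dt as the partition column (all named on this page); the dt values used are constructed from the partition format described in the Tips.

```sql
-- Added example (not from the StreamAlert project): assumes the streamalert
-- database, the alerts table, and dt as the partition column.

-- 1. The 10 most recent alerts. Ordering on the partition column is cheap,
--    but with no dt filter Athena still scans every partition of the table.
SELECT *
FROM streamalert.alerts
ORDER BY dt DESC
LIMIT 10;

-- 2. Count all alerts during a single minute (exactly one partition).
--    '2017-08-01-22-00' is the constructed example partition from the Tips.
SELECT COUNT(*) AS alert_count
FROM streamalert.alerts
WHERE dt = '2017-08-01-22-00';

-- 3. Alerts per minute across a range of partitions (one hour here).
--    Because dt is zero-padded YYYY-MM-DD-hh-mm, plain string comparison
--    sorts chronologically, so BETWEEN on dt prunes the scan to just the
--    60 partitions in that hour.
SELECT dt, COUNT(*) AS alert_count
FROM streamalert.alerts
WHERE dt BETWEEN '2017-08-01-22-00' AND '2017-08-01-22-59'
GROUP BY dt
ORDER BY dt;
```

Athena bills by data scanned, so the "Data scanned" figure shown after each run is a quick way to confirm that a dt filter is actually pruning partitions.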

For additional guidance on using SQL, visit the link under Concepts.