Athena User Guide

Querying Data

After completing the Athena Setup and Athena Deploy steps, alerts generated by StreamAlert are searchable in the Athena UI.

To get started querying this data, navigate to the AWS Console, click Services, and type Athena.

When the service loads, switch the DATABASE option in the dropdown to streamalert:

[Image: StreamAlert Athena Database Selection]

To view the schema of the alerts table, click the eye icon:

[Image: StreamAlert Athena Alerts Schema]

To make a query, type a SQL statement in the Query Editor, and click Run Query:

[Image: StreamAlert Athena Run Query]

The query shown above returns the 10 most recent alerts.

Tips

Data is partitioned by minute, using the format YYYY-MM-DD-hh-mm.

An example is 2017-08-01-22-00.

To improve query performance, restrict queries to a specific partition or range of partitions so that Athena scans only the matching data.

In StreamAlert tables, the date partition is the dt column.

As an example, the query below counts all alerts during a given minute:

[Image: StreamAlert Athena Run Query with Partition]
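The following queries are an added illustration of partition filtering on the dt column; they are not taken from the StreamAlert documentation. They assume the alerts table lives in the streamalert database and that dt is a string partition column holding values in the YYYY-MM-DD-hh-mm format described above; the dates are constructed sample values.

```sql
-- Added example, not part of the StreamAlert docs. Assumes the table
-- streamalert.alerts is partitioned by a string column named dt whose
-- values look like 2017-08-01-22-00 (constructed sample values below).

-- 1. Count every alert within a single minute-level partition.
--    Matching on dt lets Athena read only that partition's objects.
SELECT COUNT(*) AS alert_count
FROM streamalert.alerts
WHERE dt = '2017-08-01-22-00';

-- 2. Count alerts per minute over a range of partitions.
--    Every field in dt is zero-padded, so plain string comparison on dt
--    orders the same way as time and still prunes partitions.
SELECT dt, COUNT(*) AS alert_count
FROM streamalert.alerts
WHERE dt BETWEEN '2017-08-01-22-00' AND '2017-08-01-23-59'
GROUP BY dt
ORDER BY dt;

-- 3. The 10 most recent alerts from one day, bounded by dt so the
--    query does not scan the whole table before sorting.
SELECT *
FROM streamalert.alerts
WHERE dt >= '2017-08-01-00-00'
  AND dt <= '2017-08-01-23-59'
ORDER BY dt DESC
LIMIT 10;
```

Without a predicate on dt, Athena reads every partition, which is slower and billed on the full amount of data scanned.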

For additional guidance on using SQL, visit the link under Concepts.