Procedure

Overview

Procedures let you modularize a query and rerun it with different parameter values. They are especially useful when the same log source is reused and only one field condition changes repeatedly.

For example, if you run table *:SNIPER_NGFW in Analysis > Queries, the result includes a level column. If you want to filter only Normal, Debug, or Warning logs while keeping the same base query, you can add the following search condition:

table *:SNIPER_NGFW | search level == $("level")

Once this query is saved as a procedure, you can repeat the same analysis by entering only a different level value.

Procedures provide the following benefits.

Improved reusability and maintainability
Frequently used queries can be modularized as procedures, which makes them easier to reuse and manage. Users can run the required task with only the procedure name and parameter values instead of rewriting the full query.
Improved security
Commands that access external systems, such as dbquery, ftp, and sftp, require permission to use a connect profile. Granting that permission directly can allow arbitrary access to external systems. Procedures can be used to expose only a limited query or operation instead of granting broad access.
Access to Logpresso configuration data
Access to Logpresso system tables requires administrator privileges. If general users need limited access to configuration data, procedures can be used to expose only the required range.
Notes

Check the following points when using parameters in a procedure.

  • Parameters can only be used in certain expressions such as search conditions.
  • Parameters cannot be used for query command names or table names.
  • These restrictions help maintain query stability and prevent SQL injection attacks.

View and Search the Procedure List

You can view and search procedures in Analysis > Procedures.

Procedure List

  • Run: Button that executes the procedure.
  • Name: Procedure name.
  • Description: Procedure description.
  • Owner: User account that created the procedure.
  • Modified At: Last modified time or created time.

To find a specific procedure, use the search box in the toolbar. The search matches keywords in Name or Description and is case-insensitive.

Create Procedure

To create a procedure:

  1. Click Add in the upper-right area of the procedure list.

  2. In the Add Procedure screen, enter the required values and click OK.

    Add Procedure

    • Name: Enter a unique procedure name. Only letters, numbers, and underscores (_) are allowed. Example: sniper_ngfw_by_level

    • Description: Enter a detailed description of the procedure (up to 2,000 characters). Example: Filters SNIPER_NGFW logs by level.

    • Query: Enter the Logpresso query to be executed by the procedure.

      table *:SNIPER_NGFW | search level == $("level")

    • Parameter: Configure the parameters used by the query.

      • Auto Add Parameter: If the query contains a parameter such as $("arg1"), click this button to add it automatically.
      • Add: Click to add a parameter manually.
        • Type: Parameter data type
        • Key: Parameter key used in the query, such as arg1
        • Name: Display name shown to the user
        • Description: Description of the parameter
        • Action: Click the Delete icon at the right side of the row to remove that parameter.
      • Delete All: Removes all parameters at once.

    • Public Sharing: If you enable the Share to all users checkbox, all users can view and run the procedure.

    • User Sharing: If public sharing is not enabled, use the User Sharing search field to find and add specific users who should be allowed to view and run the procedure.

      User sharing example

    • Group Sharing: Use the Group Sharing search field to find and add groups that should be allowed to view and run the procedure.

      Group sharing example

In this scenario, clicking Auto Add Parameter detects the level key automatically. After that, it is useful to organize the row like this:

  • Type: string
  • Key: level
  • Name: Level
  • Description: SNIPER_NGFW level value to filter
Note
If the procedure is used by other objects such as scheduled queries or dashboard widgets, recording that relationship in the description can make maintenance easier.

Cluster Administrators and Administrators can create, edit, and delete all procedures regardless of sharing settings.
Procedure Query

The query defined in a procedure can reference runtime parameter values by using the $() function. The following is an example for sniper_ngfw_by_level.

# Assume the procedure name is sniper_ngfw_by_level.
table *:SNIPER_NGFW | search level == $("level")
  • level is the input parameter compared with the level field in SNIPER_NGFW logs.
  • For example, if you pass Warning, only rows whose level value is Warning are returned.

One common mistake is assuming that $() works like a macro that substitutes raw text. In reality, $() can only be used where an expression is allowed. For example, the following query is invalid because dbquery does not accept a full SQL statement as an expression:

dbquery USERDB $("sql")

Run Procedure

There are two ways to run a procedure.

  • Call it directly in a query by using the proc command.
  • Click the Run button in the procedure list under Analysis > Procedures.
Run the Procedure in a Query

Procedures can be used in most screens that support query execution. For example, in Analysis > Queries you can run it like this.

Procedure Execution Result

Example: calling the sniper_ngfw_by_level procedure

proc sniper_ngfw_by_level("Warning")
  • The value inside the parentheses is passed to the level query parameter. In this example it is a string, so quotation marks are included.
  • You can reuse the same procedure with values such as proc sniper_ngfw_by_level("Normal") or proc sniper_ngfw_by_level("Debug").
  • If the procedure has no parameters, use empty parentheses such as proc procedure_name().
Run the Procedure from the Procedure List

To run a procedure from the list:

  1. In the procedure list, click the button in the row of the procedure you want to run.

    Run Procedure

  2. In the Run Procedure dialog, enter the parameter values and click Run. The entered value must match the parameter Type.

    Input Parameters and Run Procedure

    For this example procedure, you can enter:

    • Type: string
    • Key: level
    • Name: Level
    • Value: Warning

  3. After the procedure runs, the screen moves to Analysis > Queries, and the result is displayed automatically.

    Procedure Execution Result

    In this case, the query screen runs the procedure call in the following form:

    proc sniper_ngfw_by_level("Warning")

Edit Procedure

To edit a procedure:

  1. In the procedure list, click the row of the procedure you want to edit to open its detail view.
  2. In the Edit Procedure screen, update the required values and click Save.
  3. For editable properties, refer to Create Procedure.

Delete Procedure

To delete a procedure:

  1. In the procedure list, select the procedure you want to delete.
  2. Click Delete in the toolbar.
  3. In the Delete Procedure dialog, review the target procedure and click Delete.
Caution
Before deleting a procedure, verify that it is not referenced by other features such as widgets or scheduled queries. If a referenced procedure is deleted, related features may stop working correctly.