Finding sessions using AQL syntax

If you are an experienced programmer and want to write complex queries, you can use AQL statements on the command line.

To use AQL to find sessions at the command line:

  1. Open a Command window and navigate to the Audit Analyzer directory.
    cd "C:\Program Files\Centrify\Audit\AuditAnalyzer"
  2. Run the findsessions command with the following syntax:

    FindSessions /i="InstallationName" /aql="AQL query text"

    For example, the following is a simple query that searches for sessions that were running in the current week:

    findsessions -i="MyInstallation" /aql="1 time is in this week"

    To find a specific session using the session identifier, you might write a query similar to the following:

    FindSessions /i="MyInstallation" /a="1 sessionid = \"a4006f20-6465-4db1-a2e7-a4e1f646c835\"\"

    To find a specific session using the user display name, you might write a query similar to the following:

    findsessions /i="installationname" /a="1 displayname=\"maya*\"\"

    Note:   When you enter a search term, AQL looks for an exact match. To search for sessions that start with the term you entered, add an asterisk to the search term. For example, user=\"maya*\"\" finds sessions for users such as maya@acme.com, mayan@acme.com, and so forth. Otherwise, a search for user=\"maya\"\" returns nothing and a search for user=\"maya@acme.com\"\" returns sessions for just that one user.

    Note:   If the last field that you're searching for includes double quotes, you need to escape the quotes. For example, findsessions -i="MyInstallation" /aql="1 time is in this week" doesn't have this issue but FindSessions /i="MyInstallation" /a="1 sessionid = \"a4006f20-6465-4db1-a2e7-a4e1f646c835\"\" does.