Skip to main content
Version: 2.4

Example of Collector creation

Collector is a type of database (data stream) for which we can configure a process that periodically queries for specific data. The data acquired by the process feeds the Collector database. Collector data can be used in two ways:

  1. As a simple database with data on which you can work and transform data.
  2. As a collection of data that can be used as a filter when querying another stream with data.

We will analyze the process of creating a Collector using the example of a Collector that will collect and save TOP 10 Client IPs in Last 15 Minute Timeline.


To create a new Collector, go to [Configuration->Objects->Collector] menu and click New collector button.


The wizard for creating a new Collector appears.


  1. In the Id field, we enter the Collector NQL name.


  2. The collector has two modes of saving data:

    • Append switch OFF - Data collected from a query are overwritten (default mode). image-20220815151851432
    • Append switch ON - Data collected from a query are saved until the limit specified in the Max Records field is exceeded. image-20220815152005727
  3. Collector (data query) can be triggered in two ways specified in the Trigger type field:

    • Simple - launch every interval of time specified in the Repeat interval field. The Repeat count field specifies the number of launches - when it is empty the query will be executed indefinitely.


    • Crone - launched using job scheduler on Unix-like operating systems. image-20220815155550318

  4. In the Time range field, set the time range on which Collector will operate. image-20220815161850365

  5. In the NQL field we enter the syntax of the query - in our case it is:

    src stream="netflowByIpAggr" | where direction=0 | aggr clientBytes=sum(clientBytes) by ipAddress unwind=true | sort clientBytes desc | limit 10


  6. Using the Test button, we can test how our query works - what data will be returned. image-20220815162249932

  7. If all the necessary fields of the form have been correctly completed press Save button to save the created object.