SELECT specific fields from both streams on an INNER JOIN is not working

[canob]

Environment:

• eKuiper version: 1.12.1-slim, Docker
• Hardware configuration: x86_64
• OS: Ubuntu 22.04.3 LTS

What happened and what you expected to happen:
When I try to declare specific fields of both streams on a SQL query with an INNER JOIN, I'm getting and empty JSON object, {} in the output file.

For example, with this SQL query, using * FROM, I obtain all the fields of the first stream, and all the fields of the second stream, but the problem here is that some of the fields of the first stream have the same name of the fields of the second stream, so I lost that fields in the JOIN:

SELECT * FROM failed_logins_count_same_user INNER JOIN successful_logins
ON `failed_logins_count_same_user.account_for_which_logon_failed.account_name` = `successful_logins.new_logon.account_name`
GROUP BY TumblingWindow(ss, 60)

But when I try to do this SQL query with specific fields on SELECT, I get an empty JSON object, {}, in the output file:

SELECT from_unix_time(`failed_logins_count_same_user.StartTime`) AS failed_StartTime,
from_unix_time(`failed_logins_count_same_user.EndTime`) AS failed_EndTime,
`failed_logins_count_same_user.EventRecordIDs` AS failed_EventRecordIDs,
`failed_logins_count_same_user.Total` AS failed_TotalFailedLogins,
`failed_logins_count_same_user.failure_information.failure_reason` AS failed_FailureReason,
`failed_logins_count_same_user.logon_type` AS failed_LogonType,
`successful_logins.TimeCreated` AS successful_EndTime,
`successful_logins.EventRecordID` AS successful_EventRecordID,
`successful_logins.detailed_authentication_information.logon_process` AS successful_LogonProcess,
`successful_logins.logon_information.logon_type` AS successful_LogonType,
`successful_logins.new_logon.account_domain` AS UserDomain,
`successful_logins.new_logon.account_name` AS UserName,
`successful_logins.network_information.workstation_name` AS WorkstationName,
`successful_logins.network_information.source_network_address` AS NetworkAddress,
`successful_logins.Computer` AS Computer
FROM failed_logins_count_same_user INNER JOIN successful_logins
ON `failed_logins_count_same_user.account_for_which_logon_failed.account_name` = `successful_logins.new_logon.account_name`
AND `failed_logins_count_same_user.network_information.workstation_name` = `successful_logins.network_information.workstation_name`
GROUP BY TumblingWindow(ss, 60)

How to reproduce it (as minimally and precisely as possible):
The raw event received on first stream, failed_logins_count_same_user:

{"EndTime":1704656880000,"EventID":"4625","EventRecordIDs":["8175416","8175417","8175418","8175419","8175420","8175422","8175423","8175424","8175425","8175426"],"StartTime":1704656820000,"Total":10,"account_for_which_logon_failed.account_domain":"LAB","account_for_which_logon_failed.account_name":"Administrator","failure_information.failure_reason":"Unknown user name or bad password.","logon_type":"3","network_information.workstation_name":"AGUIDA-NTB"}

The raw event received on second stream, successful_logins, in the next 60 seconds of the first event:

{"ActivityID":"","Channel":"Security","Computer":"LABDC.LAB.ARG","DescriptionTitle":"An account was successfully logged on.","EventID":"4624","EventRecordID":"8156680","Keywords":"0x8020000000000000","Level":"0","Opcode":"0","ProcessID":"656","ProviderGUID":"","ProviderName":"Microsoft-Windows-Security-Auditing","RelatedActivityID":"","Task":"12544","ThreadID":"8344","TimeCreated":"2024/01/06 02:36:25.18752200","UserID":"","Version":"2","detailed_authentication_information.authentication_package":"NTLM","detailed_authentication_information.key_length":"128","detailed_authentication_information.logon_process":"NtLmSsp","detailed_authentication_information.package_name_(ntlm_only)":"NTLM V2","detailed_authentication_information.transited_services":"-","impersonation_level":"Impersonation","logon_information.elevated_token":"Yes","logon_information.logon_type":"3","logon_information.restricted_admin_mode":"-","logon_information.virtual_account":"No","network_information.source_network_address":"10.199.0.84","network_information.source_port":"0","network_information.workstation_name":"AGUIDA-NTB","new_logon.account_domain":"LAB","new_logon.account_name":"Administrator","new_logon.linked_logon_id":"0x0","new_logon.logon_guid":"{00000000-0000-0000-0000-000000000000}","new_logon.logon_id":"0x15319407F","new_logon.network_account_domain":"-","new_logon.network_account_name":"-","new_logon.security_id":"S-1-5-21-1212037701-3946723201-1981249032-500","process_information.process_id":"0x0","process_information.process_name":"-","subject.account_domain":"-","subject.account_name":"-","subject.logon_id":"0x0","subject.security_id":"S-1-0-0"}

The result output to a file of the SQL query that is working (the first one in the example at the top):

{"ActivityID":"","Channel":"Security","Computer":"LABDC.LAB.ARG","DescriptionTitle":"An account was successfully logged on.","EndTime":1704656880000,"EventID":"4625","EventRecordID":"8175445","EventRecordIDs":["8175416","8175417","8175418","8175419","8175420","8175422","8175423","8175424","8175425","8175426"],"Keywords":"0x8020000000000000","Level":"0","Opcode":"0","ProcessID":"656","ProviderGUID":"","ProviderName":"Microsoft-Windows-Security-Auditing","RelatedActivityID":"","StartTime":1704656820000,"Task":"12544","ThreadID":"1840","TimeCreated":"2024/01/07 19:48:17.167877000","Total":10,"UserID":"","Version":"2","account_for_which_logon_failed.account_domain":"LAB","account_for_which_logon_failed.account_name":"Administrator","detailed_authentication_information.authentication_package":"Kerberos","detailed_authentication_information.key_length":"0","detailed_authentication_information.logon_process":"Kerberos","detailed_authentication_information.package_name_(ntlm_only)":"-","detailed_authentication_information.transited_services":"-","failure_information.failure_reason":"Unknown user name or bad password.","impersonation_level":"Impersonation","logon_information.elevated_token":"Yes","logon_information.logon_type":"3","logon_information.restricted_admin_mode":"-","logon_information.virtual_account":"No","logon_type":"3","network_information.source_network_address":"::1","network_information.source_port":"58959","network_information.workstation_name":"AGUIDA-NTB","new_logon.account_domain":"LAB.ARG","new_logon.account_name":"LABDC$","new_logon.linked_logon_id":"0x0","new_logon.logon_guid":"{0983c1c7-d6f6-e760-93ea-ed1c71613c68}","new_logon.logon_id":"0x16D316671","new_logon.network_account_domain":"-","new_logon.network_account_name":"-","new_logon.security_id":"S-1-5-18","process_information.process_id":"0x0","process_information.process_name":"-","subject.account_domain":"-","subject.account_name":"-","subject.logon_id":"0x0","subject.security_id":"S-1-0-0"}

Anything else we need to know?:
Nothing in particular.

[ngjaying]

@canob Use failed_logins_count_same_user.StartTime instead of failed_logins_count_same_user.StartTime. xxx will interprete as it is, so . will become part of the field name. It is used to escape keyword only/

[canob]

@canob Use failed_logins_count_same_user.StartTime instead of failed_logins_count_same_user.StartTime. xxx will interprete as it is, so . will become part of the field name. It is used to escape keyword only/

Hi @ngjaying
The problem with your suggestion is that sometimes I have field names with dots (I know, it is not ok that, but is the way that Fluentd construct the JSON of Windows Events...), like successful_logins.new_logon.account_name (successful_logins is the stream name), and in that cases, if I don't use ` at the beginning and at the end of the field name, is not working, is not appearing in the SELECT, :(

[ngjaying]

@canob You do not need to quote all the fields. You can use something like

streamName.`ns.var`

[canob]

@canob You do not need to quote all the fields. You can use something like

streamName.ns.var

@ngjaying I tried your suggestion before I opened the issue, but not on SELECT, instead on the ON of the JOIN, and if I don't put all between ` ` (the stream name and the field name with dots), the JOIN is not working, the rule is not firing. That was the reason that I assumed that then in the SELECT part I need to do the same. To Translate what I'm saying to an example:
This is working for the JOIN:

...
ON `failed_logins_count_same_user.account_for_which_logon_failed.account_name` = `successful_logins.new_logon.account_name`
AND `failed_logins_count_same_user.network_information.workstation_name` = `successful_logins.network_information.workstation_name`
...

And this is not working for the JOIN:

...
ON failed_logins_count_same_user.`account_for_which_logon_failed.account_name` = successful_logins.`new_logon.account_name`
AND failed_logins_count_same_user.`network_information.workstation_name` = successful_logins.`network_information.workstation_name`
...

So, I changed my SQL query with your suggestion, and now is working the SELECT of SQL query, but on ON of the JOIN, I need to stil put all between ` ` (the stream name and the field name with dots).
This is the final SQL query that is working:

SELECT from_unix_time(failed_logins_count_same_user.StartTime) AS failed_StartTime,
from_unix_time(failed_logins_count_same_user.EndTime) AS failed_EndTime,
failed_logins_count_same_user.EventRecordIDs AS failed_EventRecordIDs,
failed_logins_count_same_user.Total AS failed_TotalFailedLogins,
failed_logins_count_same_user.`failure_information.failure_reason` AS failed_FailureReason,
failed_logins_count_same_user.logon_type AS failed_LogonType,
successful_logins.TimeCreated AS successful_EndTime,
successful_logins.EventRecordID AS successful_EventRecordID,
successful_logins.`detailed_authentication_information.logon_process` AS successful_LogonProcess,
successful_logins.`logon_information.logon_type` AS successful_LogonType,
successful_logins.`new_logon.account_domain` AS UserDomain,
successful_logins.`new_logon.account_name` AS UserName,
successful_logins.`network_information.workstation_name` AS WorkstationName,
successful_logins.`network_information.source_network_address` AS NetworkAddress,
successful_logins.Computer AS Computer
FROM failed_logins_count_same_user INNER JOIN successful_logins
ON `failed_logins_count_same_user.account_for_which_logon_failed.account_name` = `successful_logins.new_logon.account_name`
AND `failed_logins_count_same_user.network_information.workstation_name` = `successful_logins.network_information.workstation_name`
GROUP BY TumblingWindow(ss, 60)

Thanks for your help!

[Yisaer]

Hi @canob, Could you explain the first rule (by following this document https://ekuiper.org/docs/en/latest/api/restapi/rules.html#query-rule-plan) in order to let us know the plan.

[canob]

@ngjaying , so, after additional testing, the ON part of the JOIN is not working at all, :(
If I use stream_name.`field.with.dots` in the SQL query, the rule not fire.
If I use `stream_name.field.with.dots`, the rule fire, but is incorrect, because for example join events where account_name and workstation name are not the same. Here is an example of the ouput of that JOIN to a file:

{"Computer":"LABDC.LAB.ARG","NetworkAddress":"fe80::d014:e53a:df15:54c0","UserDomain":"LAB.ARG","failed_EndTime":"2024-01-08 02:12:00","failed_EventRecordIDs":["8178512","8178513","8178514","8178515","8178516","8178517","8178518","8178519"],"failed_FailureReason":"Unknown user name or bad password.","failed_LogonType":"3","failed_StartTime":"2024-01-08 02:10:00","failed_TotalFailedLogins":8,"failed_UserName":"Administrator","failed_WorkstationName":"AGUIDA-NTB","successful_EndTime":"2024/01/08 02:11:53.990305400","successful_EventRecordID":"8178547","successful_LogonProcess":"Kerberos","successful_LogonType":"3","successful_UserName":"LABDC$","successful_WorkstationName":"-"}

And as you can see, successful_UserName is not equal to failed_UserName, and successful_WorkstationName is not equal to failed_WorkstationName, :(
Here is the SQL query rule:

SELECT from_unix_time(failed_logins_count_same_user.StartTime/1000) AS failed_StartTime,
from_unix_time(failed_logins_count_same_user.EndTime/1000) AS failed_EndTime,
failed_logins_count_same_user.EventRecordIDs AS failed_EventRecordIDs,
failed_logins_count_same_user.Total AS failed_TotalFailedLogins,
failed_logins_count_same_user.`failure_information.failure_reason` AS failed_FailureReason,
failed_logins_count_same_user.logon_type AS failed_LogonType,
successful_logins.TimeCreated AS successful_EndTime,
successful_logins.EventRecordID AS successful_EventRecordID,
successful_logins.`detailed_authentication_information.logon_process` AS successful_LogonProcess,
successful_logins.`logon_information.logon_type` AS successful_LogonType,
successful_logins.`new_logon.account_domain` AS UserDomain,
failed_logins_count_same_user.`account_for_which_logon_failed.account_name` AS failed_UserName,
successful_logins.`new_logon.account_name` AS successful_UserName,
failed_logins_count_same_user.`network_information.workstation_name` AS failed_WorkstationName, 
successful_logins.`network_information.workstation_name` AS successful_WorkstationName,
successful_logins.`network_information.source_network_address` AS NetworkAddress,
successful_logins.Computer AS Computer
FROM failed_logins_count_same_user INNER JOIN successful_logins
ON `failed_logins_count_same_user.account_for_which_logon_failed.account_name` = `successful_logins.new_logon.account_name`
AND `failed_logins_count_same_user.network_information.workstation_name` = `successful_logins.network_information.workstation_name`
GROUP BY TumblingWindow(ss, 60)

Any additional way to declare fields with dots in the ON part of the JOIN?

[ngjaying]

@canob stream_name.field.with.dots this just means a field with two dots. As in schema-less mode, this evaluates to nil. When using stream_name.field.with.dots, does it happen to have no equal condition met, thus no output.

[canob]

@canob stream_name.field.with.dots this just means a field with two dots. As in schema-less mode, this evaluates to nil. When using stream_name.field.with.dots, does it happen to have no equal condition met, thus no output.

So, the reason that I'm getting an output when I use `stream_name.field.with.dots` , even that is not correct, is because at the end the evaluation is nil = nil, and that is true, right?
I'm sure that that fields (user_name and workstation_name) are the same between both events in both streams, in a 60 seconds time window, but I'm going to double check that to see If I did a mistake.
Thanks for all your patience to help me.

[canob]

Hi @canob, Could you explain the first rule (by following this document https://ekuiper.org/docs/en/latest/api/restapi/rules.html#query-rule-plan) in order to let us know the plan.

Hi @Yisaer. Here is the rule-plan:

{"type":"ProjectPlan","info":"Fields:[ $$alias.failed_StartTime, $$alias.failed_EndTime, $$alias.failed_EventRecordIDs, $$alias.failed_TotalFailedLogins, $$alias.failed_FailureReason, $$alias.failed_LogonType, $$alias.successful_EndTime, $$alias.successful_EventRecordID, $$alias.successful_LogonProcess, $$alias.successful_LogonType, $$alias.UserDomain, $$alias.failed_UserName, $$alias.successful_UserName, $$alias.failed_WorkstationName, $$alias.successful_WorkstationName, $$alias.NetworkAddress, $$alias.Computer ]","id":0,"children":[1]}

   {"type":"JoinPlan","info":"Joins:[ { joinType:INNER_JOIN, binaryExpr:{ binaryExpr:{ failed_logins_count_same_user.account_for_which_logon_failed.account_name = successful_logins.new_logon.account_name } AND binaryExpr:{ failed_logins_count_same_user.network_information.workstation_name = successful_logins.network_information.workstation_name } } } ]","id":1,"children":[2]}

         {"type":"WindowPlan","info":"{ length:60, windowType:TUMBLING_WINDOW, limit: 0 }","id":2,"children":[3,4]}

               {"type":"DataSourcePlan","info":"StreamName: failed_logins_count_same_user, StreamFields:[ EndTime, EventRecordIDs, StartTime, Total, account_for_which_logon_failed.account_name, failure_information.failure_reason, logon_type, network_information.workstation_name ]","id":3,"children":null}

               {"type":"DataSourcePlan","info":"StreamName: successful_logins, StreamFields:[ Computer, EventRecordID, TimeCreated, detailed_authentication_information.logon_process, logon_information.logon_type, network_information.source_network_address, network_information.workstation_name, new_logon.account_domain, new_logon.account_name ]","id":4,"children":null}

And the rule content in this moment, after applied the suggested changes by @ngjaying , is this one:

SELECT from_unix_time(failed_logins_count_same_user.StartTime/1000) AS failed_StartTime,
from_unix_time(failed_logins_count_same_user.EndTime/1000) AS failed_EndTime,
failed_logins_count_same_user.EventRecordIDs AS failed_EventRecordIDs,
failed_logins_count_same_user.Total AS failed_TotalFailedLogins,
failed_logins_count_same_user.`failure_information.failure_reason` AS failed_FailureReason,
failed_logins_count_same_user.logon_type AS failed_LogonType,
successful_logins.TimeCreated AS successful_EndTime,
successful_logins.EventRecordID AS successful_EventRecordID,
successful_logins.`detailed_authentication_information.logon_process` AS successful_LogonProcess,
successful_logins.`logon_information.logon_type` AS successful_LogonType,
successful_logins.`new_logon.account_domain` AS UserDomain,
failed_logins_count_same_user.`account_for_which_logon_failed.account_name` AS failed_UserName,
successful_logins.`new_logon.account_name` AS successful_UserName,
failed_logins_count_same_user.`network_information.workstation_name` AS failed_WorkstationName, 
successful_logins.`network_information.workstation_name` AS successful_WorkstationName,
successful_logins.`network_information.source_network_address` AS NetworkAddress,
successful_logins.Computer AS Computer
FROM failed_logins_count_same_user INNER JOIN successful_logins
ON failed_logins_count_same_user.`account_for_which_logon_failed.account_name` = successful_logins.`new_logon.account_name`
AND failed_logins_count_same_user.`network_information.workstation_name` = successful_logins.`network_information.workstation_name`
GROUP BY TumblingWindow(ss, 60)

Thanks for your help.

[canob]

@canob stream_name.field.with.dots this just means a field with two dots. As in schema-less mode, this evaluates to nil. When using stream_name.field.with.dots, does it happen to have no equal condition met, thus no output.

So, the reason that I'm getting an output when I use stream_name.field.with.dots , even that is not correct, is because at the end the evaluation is nil = nil, and that is true, right? I'm sure that that fields (user_name and workstation_name) are the same between both events in both streams, in a 60 seconds time window, but I'm going to double check that to see If I did a mistake. Thanks for all your patience to help me.

Ok, so I finally understood what happened @ngjaying , after double check the events. My use case is a successful login after 5 failed logins, all of them from the same account name and from the same workstation name. The problem is the "closure" of the time window, that happen after the successful login (basically, I'm doing 6-7 failed logins, and immediately after that a successful login), and that was the reason because the rule was not firing using stream_name.`field.with.dots`.
If I wait 30-45 seconds after the last failed login, to produce a successful login, the rule is firing like expected.
Maybe the incorrect thought here is the type of windows that I'm using, tumbling window, and I need to think again about what is my best option of time window for my use case.
Again, thanks again for all your help and your patience with a newbie like me. Feel free to delete this post, or convert it into a Discussion maybe, if can help others.