Athena User Guide
All alerts generated by StreamAlert will be sent to an alerts S3 bucket via Firehose. These will then be searchable within Athena.
To get started querying this data, navigate to the AWS Console, click Services, and type ‘Athena’.
When the service loads, switch the DATABASE option in the dropdown to
To view the schema of the alerts table, click the eye icon:
To make a query, type a SQL statement in the Query Editor, and click Run Query:
The query shown above will show the most recent 10 alerts.
Data is partitioned in the following format
An example is
To increase query performance, filter data within a specific partition or range of partitions. With StreamAlert tables, the date partition is the
As an example, the query below counts all alerts during a given minute:
For additional guidance on using SQL, visit the link under Concepts.
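As an added example (not a query from the StreamAlert documentation), the following ranks the partitions in a bounded range by alert volume, a quick way to spot a burst of alerts while still letting Athena prune to only the partitions in the range. It assumes the date partition column is named dt (an assumption; confirm it against the table schema shown by the eye icon) and uses bracketed placeholders for the partition keys.

```sql
-- Added example; not from the StreamAlert documentation.
-- Assumptions: the database selected in the console contains the alerts
-- table, and its date partition column is named dt (assumed name; check the
-- table schema). Replace the bracketed placeholders with real partition keys
-- in the format used by your deployment.
--
-- The predicate on dt restricts the scan to the partitions in the range, so
-- Athena reads far less S3 data than an unfiltered query over alerts would.
SELECT dt,
       count(*) AS alert_count
FROM alerts
WHERE dt BETWEEN '<start-partition>' AND '<end-partition>'
GROUP BY dt
ORDER BY alert_count DESC
LIMIT 20;
```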