Analyzer SQL Query:
Hello, I am trying to write a Report Query with a where clause for the "action" field. If action is only in the "SELECT", "GROUP BY" and "ORDER BY" statements, everything works as expected, but if I add the action field to the "WHERE" clause it does not work.
The following query does not work; commenting out the "AND action like 'deny'" row will make it work. Can somebody explain this behavior to me?
I am using "traffic" log type source.
SELECT srcip, dstip, action
FROM $log as l
WHERE $filter
AND policyid=0
AND action like 'deny'
GROUP BY ( srcip, dstip, action )
ORDER BY srcip, dstip
