Home
Guardian
User Guide
Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
Queries
Queries
You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
Examples
Complex field types

Guardian
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
  - Sensors
  - Alerts
  - Assets
  - Queries
    - Queries
      You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
      - Data sources
      - Basic operators
      - Commands
      - Functions
      - Examples
        Pie chart
        An example on how to create a pie chart to understand the media access control (MAC) vendor distribution in a network.
        Column chart
        An example on how to create a column chart with the top nodes by traffic.
        Where with multiple conditions in OR
        An example of a query to get all the nodes with a specific role, in particular all the nodes which are web or domain name server (DNS) servers.
        Bucket and history
        An example of a query to calculate the distribution of link events towards an internet protocol (IP) address.
        Join
        An example query to join two data sources to obtain a new data source with more information. In particular, how to list the links with the labels for the source and destination nodes.
        Compute the availability history
        An example query to compute the availability history for a link.
        Complex field types
  - Smart Polling
  - Arc
  - Network
  - Process
  - Reports
  - Assertions
  - Time machine
  - Vulnerabilities
  - Administration
  - Personal settings
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Complex field types

Single scalar values

To query single scalar values, apply the commands that are explained in this section.

Objects

Objects show in braces: {object}

{
"source": "ARP",
"likelihood": 1,
"likelihood_level": "confirmed"
}

An example on how to query only confirmed media access control (MAC) addresses.

Note: Possible values are:

confirmed
likely
not confirmed

Since mac_address:info is an object, you can access subfields like mac_address:info.likelihood_level to apply the where condition:

nodes | select mac_address:info mac_address:info.likelihood_level | where mac_address:info.likelihood_level == confirmed

Since N2OS 24.1 is possible to access complex objects with a different syntax that is compatible with Vantage, using the / operator, the query specified above becomes:

nodes | select mac_address:info/likelihood_level | where mac_address:info.likelihood_level == "confirmed"

Note that also the "confirmed" literal can now be quoted and the query can be executed in Vantage without any change.

Arrays

Note: For example, a parent in the alerts table.

Arrays show in braces: {array}

[
"5b867836-2b41-4c15-ab6f-4ae5f0251e30"
]

An example on how to only query alerts that have a parent incident, with a known incident id with the value: d36d0

Since the parents field is an array, you can use expand first to get an entry for each parent, then apply your condition:

alerts | expand parents | where expanded_parents include? d36d0

Object arrays

Note: For example, function_codes in the links table.

Object arrays are a combination of the above examples. Therefore, they show an object included in a [{..},{..},.. ] :

[
{
"name": "M-SEARCH",
"is_learned": true,
"is_fully_learned": true
}
]

An example on how to query learned function codes.

Since function_codes is an object array, you can use expand first, to get an entry for each function code, then use the . operator (function_code.is_learned) to apply your where condition:

links | select from to protocol function_codes | expand function_codes | where expanded_function_codes.is_learned == true