Home
CMC
User Guide
Information and resources about the main features of the Central Management Console (CMC), and the tasks that you can do from the user interface (UI).
Queries
Queries
You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
Commands

CMC
- Introduction
  An overview of the Central Management Console (CMC).
- Installation Guide
  Information and resources on how to install the Central Management Console (CMC), and the different options and settings available.
- Administrator Guide
  Information and resources about the Administration section of the Central Management Console (CMC), and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of the Central Management Console (CMC), and the tasks that you can do from the user interface (UI).
  - Sensors
  - Alerts
  - Assets
  - Queries
    - Queries
      You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
  - Smart Polling
  - Arc
  - Reports
  - Assertions
  - Vulnerabilities
  - Administration
  - Personal settings
  - Troubleshooting
- Maintenance Guide
  Information about the maintenance tasks of Central Management Console (CMC), to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for the Central Management Console (CMC).

Commands


Syntax	`select <field1> <field2> ... <fieldN>`
Parameters	the list of field(s) to output
Description	The select command takes all the input items and outputs them with only the selected fields


Syntax	`exclude <field1> <field2> ... <fieldN>`
Parameters	the list of field(s) to remove from the output
Description	The exclude command takes all the input items and outputs them without the specified field(s)


Syntax	where <field> <==\|!=\|<\|>\|<=\|>=\|in?\|include?\|start_with?\|end_with?\|in_subnet?> <value>
Parameters	field: the name of the field to which the operator will be applied operator value: the value used for the comparison. It can be a number, a string, or other data type. Advanced operators can use other data types, such as: a list (using JSON syntax) when using the in? operator, for example: `nodes \| where ip in? ["172.18.41.44"]` another property when using the '$' symbol, for example: `nodes \| where ip != $id`
Description	The where command will send to the output only the items which fulfill the specified criterion, many clauses can be concatenated using the boolean OR operator
Example	`nodes \| where roles include? consumer OR zone == office` `nodes \| where ip in_subnet? 192.168.1.0/24` `<value>` can also be another `<field>`, as in: `links \| where from_zone == $to_zone \| select from_zone to_zone`


Syntax	`sort <field> [asc\|desc]`
Parameters	field: the field used for sorting asc\|desc: the sorting direction
Description	The sort command will sort all the items according to the field and the direction specified, it automatically understands if the field is a number or a string


Syntax	`group_by <field> [ [avg\|sum] [field2] ]`
Parameters	field: the field used for grouping avg\|sum: if specified, the relative operation will be applied on field2
Description	The group_by command will output a grouping of the items using the field value. By default the output will be the count of the occurrences of distinct values. If an operator and a field2 are specified, the output will be the average or the sum of the field2 values


Syntax	`head [count]`
Parameters	count: the number of items to output
Description	The head command will take the first count items, if count is not specified the default is 10


Syntax	`uniq [<field1> <field2> ... <fieldN>]`
Parameters	an optional list of fields on which to calculate the uniqueness
Description	The uniq command will remove from the output the duplicated items


Syntax	`expand <field>`
Parameters	field: the field containing the list of values to be expanded
Description	The expand command will take the list of values contained in field and for each of them it will duplicate the original item substituting the original field value with the current value of the iteration


Syntax	`expand_recursive <field>`
Parameters	field: the field to be recursively expanded
Description	The expand_recursive command will recursively parse the content of field, expanding each array or json structure until a scalar value is found. It generates a new row for each array element or json field. For each new row, it duplicates the original item substituting the original field value with the current value of the iteration and adding a new field that represents the current iteration path from the root


Syntax	`sub <field>`
Parameters	field: the field containing the list of objects
Description	The sub command will output the items contained in field


Syntax	`count`
Parameters
Description	The count command outputs the number of items


Syntax	`pie <label_field> <value_field>`
Parameters	label_field: the field used for each slice label value_field: the field used for the value of the slice, must be a numeric field
Description	The pie command will output a pie chart according to the specified parameters


Syntax	`column <label_field> <value_field ...>`
Parameters	label_field: the field used for each column label value_field: one or more field used for the values of the columns
Description	The column command will output a histogram; for each label a group of columns is displayed with the value from the specified value_field(s). The variant `column_colored_by_label` returns bars of different colors depending on their labels.


Syntax	`history <count_field> <time_field>`
Parameters	count_field: the field used to draw the Y value time_field: the field used to draw the X points of the time series
Description	The history command will draw a chart representing an historic series of values


Syntax	`distance <id_field> <distance_field>`
Parameters	id_field: the field used to tag the resulting distances. distance_field: the field on which distances are computed among entries.
Description	The distance command calculates a series of distances (that is, differences) from the original series of `distance_field`. Each distance value is calculated as the difference between a value and its subsequent occurrence, and tagged using the id_field. For example, assuming we're working with an id and a time field, entering alerts \| distance id time returns a table where each distance entry is characterised by the from_id, to_id, and time_distance fields that represent time differences between the selected alerts.


Syntax	`bucket <field> <range>`
Parameters	field: the field on which the buckets are calculated range: the range of tolerance in which values are grouped
Description	The bucket command will group data in different buckets, different records will be put in the same bucket when the values fall in the same multiple of <range>


Syntax	`join <other_source> <field> <other_source_field>`
Parameters	other_source: the name of the other data source field: the field of the original source used to match the object to join other_source_field: the field of the other data source used to match the object to join
Description	The join command will take two records and will join them in one record when <field> and <other_source_field> have the same value


Syntax	`gauge <field> [min] [max]`
Parameters	field: the value to draw min: the minimum value to put on the gauge scale max: the maximum value to put on the gauge scale
Description	The gauge command will take a value and represent it in a graphical way


Syntax	`value <field>`
Parameters	field: the value to draw
Description	The value command will take a value and represent it in a textual way


Syntax	`reduce <field> [sum\|avg]`
Parameters	field: the field on which the reduction will be performed sum or avg: the reduce operation to perform, it is sum if not specified
Description	The reduce command will take a series of values and calculate a single value


Syntax	size()
Parameters	field: the field to calculate the size of
Description	If the field is an array, then the size function returns the number of entries in the array. If the field contains a string, then the size function returns the number of characters in the string. Note: The size function may only be used on the following data sources: alerts, assets, captured_files, links, nodes, packet_rules, sessions, stix_indicators, subnets, variables, yara_rules, zones, and zone_links.
Example:	`assets \| where size(ip) > 1`