Home
Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
User Guide
Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
Queries
You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
Functions

Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
  - Sensors
    The Sensors page lets you view all of the sensors that you have in your system.
  - Alerts
    The Alerts page shows all the latest alerts in the system. It lets you view the alerts in different modes, and carry out actions on the alerts.
  - Assets
    The Assets page shows all the physical components and systems in the local network environment and their associated details. It also lets you perform actions on those assets. Depending on the nodes and components involved, assets can range from a simple personal computer to an operational technology (OT) device.
  - Queries
    You can use the Nozomi Networks Query Language (N2QL) syntax to create complex data processes to obtain, filter, and analyze lists of information from the Nozomi Networks software.
  - Smart Polling in Guardian
    The Smart Polling page lets you view and manage Smart Polling.
  - Arc in Guardian
    Arc™ is a host-based sensor that detects and defends against malicious or compromised endpoints, and insider attacks. You can use Arc sensors to aggregate data for analysis and reports, either on-premises, or in the Vantage cloud.
  - Network
    The Network page gives you access to multiple pages that show nodes, links, sessions in tabular format and graphs and traffic in a graphical format.
  - Process
    Process is a set of repeatable functions that a business does to deliver a core value.
  - Reports
    The Reports page lets you manage, generate, schedule and view reports.
  - Assertions
    The Assertions page shows all the assertions and lets you configure them.
  - Time machine
    Time machine lets you load a snapshot, which is a previously saved state, and go back in time, to analyze the data from a past situation. You can load a single snapshot and use the platform as usual or load two snapshots and compare the user interface to highlight changes.
  - Vulnerabilities
    The Nozomi Networks software continuously discovers vulnerabilities in monitored assets.
  - Administration
  - Personal settings
    The personal settings page lets you do actions that are specific to your profile.
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Functions

Functions are always used in conjunction with other commands, such as select. In the following examples, functions are shown in bold:

Combining functions with select: nodes | select id type color(type)
Combining functions with where: nodes | where size(label) > 10
Combining functions with group_by: nodes | group_by size(protocols)

Here is the complete list of functions:


Syntax	`abs(<field>)`
Parameters	the field on which to calculate the absolute value
Description	The abs function returns the absolute value of the field


Syntax	`bitwise_and(<numeric_field>,<mask>)`
Parameters	numeric_field: the numeric field on which apply the mask mask: a number that will be interpreted as a bit mask
Description	The bitwise_and function calculates the bitwise & operator between the numeric_field and the mask entered by the user


Syntax	`coalesce(<field1>,<field2>,...)`
Parameters	a list of fields or string literals in the format "<chars>"
Description	The coalesce function will output the first value that is not null


Syntax	`color(<field>)`
Parameters	field: the field on which to calculate the color
Description	The color function generates a color in the rgb hex format from a value
Note	Only available for nodes, links, variables and function_codes


Syntax	`concat(<field1>,<field2>,...)`
Parameters	a list of fields or string literals in the format "<chars>"
Description	The concat function will output the concatenation of the input fields or values


Syntax	`date(<time>)`
Parameters	time defined as unix epoch
Description	The date function returns a date from a raw time


Syntax	`day_hour(<time_field>)`
Parameters	time_field: the field representing a time
Description	The day_hour function returns the hour of the day plus the sensor's local time offset from UTC, i.e. a value in the range 0 through 23. Be careful when accounting for daylight saving time. Use day_hour_utc when absolute precision is desired


Syntax	`day_hour_utc(<time_field>)`
Parameters	time_field: the field representing a time
Description	The day_hour_utc function returns the hour of the day expressed in UTC for the current time field, i.e. a value in the range 0 through 23


Syntax	`days_ago(<time_field>)`
Parameters	time_field: the field representing a time
Description	The days_ago function returns the amount of days passed between the current time and the time field value


Syntax	`dist(<field1>,<field2>)`
Parameters	the two fields to compute the distance on
Description	The dist function returns the distance between field1 and field2, which is the absolute value of their difference


Syntax	`div(<field1>,<field2>)`
Parameters	field1 and field2: the two field to divide
Description	The div function will calculate the division field1/field2


Syntax	`hours_ago(<time_field>)`
Parameters	time_field: the field representing a time
Description	The hours_ago function returns the amount of hours passed between the current time and the time field value


Syntax	`is_empty(field) == true \| false`
Parameters	field: the field to check to evaluate whether it is empty or not
Description	The is_empty command takes a field as input and returns only the entries that are either empty / not empty.
Example	nodes \| where is_empty(label) == false


Syntax	`is_recent(<time_field>)`
Parameters	time_field: the field representing a time
Description	The is_recent function takes a time field and returns true if the time is not farther than 30 minutes


Syntax	`minutes_ago(<time_field>)`
Parameters	time_field: the field representing a time
Description	The minutes_ago function returns the amount of minutes passed between the current time and the time field value


Syntax	`mult(<field1>,<field2>,...)`
Parameters	a list of fields to multiply
Description	The mult function returns the product of the fields passed as arguments


Syntax	`round(<field>,[precision])`
Parameters	field: the numeric field to round precision: the number of decimal places
Description	The round function takes a number and outputs the rounded value


Syntax	`seconds_ago(<time_field>)`
Parameters	time_field: the field representing a time
Description	The seconds_ago function returns the amount of seconds passed between the current time and the time field value


Syntax	`split(<field>,<splitter>,<index>)`
Parameters	field: the field to split splitter: the character used to separate the string and produce the tokens index: the 0 based index of the token to output
Description	The split function takes a string, separates it and outputs the token at the <index> position


Syntax	`sum(<field>,...)`
Parameters	a list of fields to sum
Description	The sum function returns the sum of the fields passed as arguments