Commands

assert_empty

Usage: When assert_empty is appended to a query, Vantage returns true if the dataset doesn’t contain records. If the dataset contains records, it returns or false.

Description: assert_empty is rendered as a green or red bar; use it to express conditions you want to verify in the Vantage dataset.

Examples:

links | where protocol == "telnet" | assert_empty

assert_not_empty

Usage: When assert_not_empty is appended to a query, Vantage returns true if the dataset contains records. If the dataset doesn’t contain records, it returns or false.

Description: assert_not_empty is rendered as a green or red bar; use it to express conditions you want to verify in the Vantage dataset.

Examples:

links | where protocol == "iec104" | where minutes_ago(last_activity_time) < 5 | assert_not_empty

bucket

Usage: bucket <field> <range>

Description: bucket interprets field as a numeric value and groups the data in multiples of range.

Examples:

alerts | bucket risk 3

count

Usage: When count is appended to a query, Vantage returns the number of records in the dataset.

Description: count returns the number of records in the dataset.

Examples:

links | count

column

Usage: column <value_field> <count_field>

Description: column renders a column chart with value_field on the X axis and count_field on the Y axis.

Examples:

assets | group_by type | sort count desc | column type count

exclude

Usage: exclude <field1> ... <fieldN>

Description: exclude removes the specified fields from each record of the dataset.

Examples:

assets | exclude name zones nodes

group_by

Usage: group_by <field1> [sum(<field2>)|avg(<field2>)]

Description: groups the dataset by a field and calculates the count of each bucket. Optionally sum and avg (average) can be calculated for some other numeric fields.

Examples:

alerts | group_by type_id avg(risk) avg(severity) sum(risk)

nodes | group_by type

head

Usage: head [N]

Description: Takes the first N records from the dataset, if N is not specified takes the first 10 records.

Examples:

assets | head

alerts | head 200

join

Usage: join <external_table> <inner_field> <external_field>

Description: joins two tables to create a new dataset where inner_table.inner_field is equal to external_table.external_field. The resulting dataset has all the fields from external_table prefixed with the <external_table>_ string. For example, a table joined with assets will contain the assets_name field.

Joining the same table multiple times will produce columns prefixed with the <external_table>_ repeated the same time the table is joined. For example, the query links | join nodes from id | join nodes to id will contain the nodes_id and the nodes_nodes_id columns.

Examples:

vulnerabilities | join assets asset_id id
links | join nodes from id | join nodes to id
nodes | join assets name name | join links ip from

pie

Usage: pie <value_field> <count_field>

Description: renders a pie chart where the name of each slice is value_field and the slice is proportional to count_field.

Examples:

assets | group_by type | sort count desc | pie type count

reduce

Usage: reduce <field> [sum|avg]

Description: reduce aggregates a numeric field by using the sum or avg functions and outputs a single number.

Examples:

alerts | reduce risk avg

select

Usage: select <field1> ... <fieldN>

Description: select lets you restrict the fields in the dataset, to rename fields with the -> operator, or to apply functions to fields.

Examples:

nodes | select name properties/http.server_version

nodes | select name->my_name

nodes | select days_ago(last_activity_time)

sort

Usage: sort <field> [asc|desc]

Description: Arranges the dataset by the specified field. Specify asc (ascending)or desc (descending) to define the sort order; the default order is ascending.

Examples:

assets | sort level

alerts | sort risk desc

uniq

Usage: uniq <field1> ... <fieldN>

Description: Reduce the dataset by returning only those records that have a unique value in the specified field.

Examples:

alerts | uniq type_id risk

value

Usage: value <field>

Description: Outputs a numeric field as a big graphical number by taking it from the first row of the dataset.

Examples:

alerts | reduce risk avg | value round(risk_avg)

where

Usage:

where <field1>
        [[==|!=|>=|>|<|<=|include?|!include?|start_with?|!start_with?|end_with?|!end_with?|in_subnet?|in?|!in?] <field2>]

Description: Filters the dataset by the specified criterion. field1 and field2 can be strings, fields, numbers, or function calls.

Examples:

nodes | select name properties/http.server_version | where !is_empty(properties.http.server_version)

nodes | where is_public

nodes | where ip in_subnet? "192.168.1.0/24"

nodes | where type in? ["computer","historian"]

nodes | where type == "computer" OR days_ago(last_activity_time) < 5

The following operators are specific to these data types:

in_subnet? requires a subnet in classless inter-domain routing (CIDR) notation as its right operand.
in? and !in? use JavaScript Object Notation (JSON) arrays as their right operand.