Commands

A list of example query commands.

assert_empty

Description: assert_empty will be rendered as a green or red bar and can be used to express conditions that need to be verified in the Vantage dataset.

Examples:

links | where protocol == "telnet" | assert_empty

assert_not_empty

Description: assert_not_empty will be rendered as a green or red bar and can be used to express conditions that need to be verified in the Vantage dataset.

Examples:

links | where protocol == "iec104" | where minutes_ago(last_activity_time) < 5 | assert_not_empty

bucket

Usage: bucket <field> <range>

Description: bucket will interpret field as a numeric value and will group the data in multiples of range.

Examples:

alerts | bucket risk 3

column

Usage: column <value_field> <count_field> [option]

Description: column will render a column chart with value_field on the X axis and count_field on the Y axis.

Examples:

assets | group_by type | sort count desc | column type count

Options:

color: Change the color of the whole chart. The color must be provided in hex format.

Example: -color:7bc043

colors: Change the color of a single point in the chart that matches the provided label.

Arguments are a sequence of labels and colors in hex format all separated by a comma.

Example: -colors:dns,7bc043,modbus,f37736,iec104,ee4035

stops: Change the color of chart items based on their value.

Arguments are a sequence of values and colors in hex format all separated by a comma.

The respective color is applied when the value is <= to the actual value in the chart.

Example: -stops:3,7bc043,6,f37736,10,ee4035

count

Description: count returns the number of records in the dataset

Examples:

links | count

exclude

Usage: exclude <field1> ... <fieldN>

Description: exclude removes the specified fields from each record of the dataset.

Examples:

assets | exclude name zones nodes

expand

Usage: expand <array_field>

Description: Expands a record into multiple records where the original array_field is replaced by each single value in it.

Examples:

nodes | expand roles

gauge

Usage: gauge <field> [min] [max] [option]

Description: Outputs a numeric field drawn as a gauge from the first dataset row.

Examples:

alerts 
| where time > days_ago(7) 
| reduce risk avg 
| gauge round(risk_avg) -stops:3,7bc043,6,f37736,10,ee4035

Options:

color: Change the color of the whole chart. The color must be provided in hex format.

Example: -color:7bc043

stops: Change the color of chart items based on their value.

Arguments are a sequence of values and colors in hex format all separated by a comma.

The respective color is applied when the value is <= to the actual value in the chart.

Example: -stops:3,7bc043,6,f37736,10,ee4035

grid

Usage: grid <cols> <field1> ... <fieldN> [option]

Description: Outputs a grid with cols columns with the specified fields in every cell.

Examples:

alerts | group_by type_id | grid 4 type_id count
sites | group_by country avg(risk) | grid 4 country avg_risk -stops:3,7bc043,7,f37736,10,ee4035

Options:

color: Change the color of the whole chart. The color must be provided in hex format.

Example: -color:7bc043

colors: Change the color of a single point in the chart that matches the provided label.

Arguments are a sequence of labels and colors in hex format all separated by a comma.

Example: -colors:dns,7bc043,modbus,f37736,iec104,ee4035

stops: Change the color of chart items based on their value.

Arguments are a sequence of values and colors in hex format all separated by a comma.

The respective color is applied when the value is <= to the actual value in the chart.

Example: -stops:3,7bc043,6,f37736,10,ee4035

group_by

Usage: group_by <field1> [sum(<field2>)|avg(<field2>)]

Description: Groups the dataset by a field and calculates the count of each bucket. Optionally sum and avg (average) can be calculated for some other numeric fields.

Examples:

alerts | group_by type_id avg(risk) avg(severity) sum(risk)
nodes | group_by type

head

Usage: head [N]

Description: Takes the first N records from the dataset, if N is not specified takes the first 10 records.

Examples:

assets | head
alerts | head 200

history

Usage: history <value_field> <count_field> [option]

Description: history will render a line chart with value_field on the X axis and count_field on the Y axis.

Examples:

alerts 
| where time > days_ago(7) 
| bucket time 3600000 
| select bucket count 
| sort bucket asc 
| history bucket count

Options:

color: Change the color of the whole chart. The color must be provided in hex format.

Example: -color:7bc043

colors: Change the color of a single point in the chart that matches the provided label.

Arguments are a sequence of labels and colors in hex format all separated by a comma.

Example: -colors:dns,7bc043,modbus,f37736,iec104,ee4035

stops: Change the color of chart items based on their value.

Arguments are a sequence of values and colors in hex format all separated by a comma.

The respective color is applied when the value is <= to the actual value in the chart.

Example: -stops:3,7bc043,6,f37736,10,ee4035

join

Usage: join <external_table> <inner_field> <external_field>

Description: Joins two tables to create a new dataset where inner_table.inner_field is equal to external_table.external_field. The resulting dataset has all the fields from external_table prefixed with the <external_table>_ string. For example, a table joined with assets will contain the assets_name field. Joining the same table multiple times will produce columns prefixed with the <external_table>_ repeated the same time the table is joined. For example, the query links | join nodes from id | join nodes to id will contain nodes_id and nodes_nodes_id columns.

Examples:

vulnerabilities | join assets asset_id id
links | join nodes from id | join nodes to id
nodes | join assets name name | join links ip from

pie

Usage: pie <value_field> <count_field> [option]

Description: Renders a pie chart where the name of each slice is value_field and the slice is proportional to count_field.

Examples:

assets | group_by type | sort count desc | pie type count

Options:

color: Change the color of the whole chart. The color must be provided in hex format.

Example: -color:7bc043

colors: Change the color of a single point in the chart that matches the provided label.

Arguments are a sequence of labels and colors in hex format all separated by a comma.

Example: -colors:dns,7bc043,modbus,f37736,iec104,ee4035

stops: Change the color of chart items based on their value.

Arguments are a sequence of values and colors in hex format all separated by a comma.

The respective color is applied when the value is <= to the actual value in the chart.

Example: -stops:3,7bc043,6,f37736,10,ee4035

reduce

Usage: reduce <field> [sum|avg]

Description: reduce aggregates a numeric field by using the sum or avg functions and outputs a single number.

Examples:

alerts | reduce risk avg

select

Usage: select <field1> ... <fieldN> [option]

Description: select gives the possibility to restrict the fields in the dataset, to rename fields with the -> operator or to apply functions to fields.

Examples:

nodes | select name properties/http.server_version
nodes | select name->my_name
nodes | select days_ago(last_activity_time)
assets | select name tags -fit:width

Options:

fit: Choose how the table will fit the content, this option accepts two values:

width: the table will adapt to the width of the container, cells width will be equally distributed

content: the table will expand to fully show the content of every cell

Note: This option only has an effect only when used in the context of Dashboard/Report widgets.

sort

Usage: sort <field> [asc|desc]

Description: Sorts the dataset by a field. asc or desc can be specified to define the sorting order, by default the order is ascending.

Examples:

assets | sort level
alerts | sort risk desc

uniq

Usage: uniq <field1> ... <fieldN>

Description: Reduce the dataset by returning only the unique records by one or more fields.

Examples:

alerts | uniq type_id risk

value

Usage: value <field> [option]

Description: Outputs a numeric field as a big graphical number by taking it from the first row of the dataset.

Examples:

alerts | reduce risk avg | value round(risk_avg) -stops:3,7bc043,6,f37736,10,ee4035

Options:

color: Change the color of the whole chart. The color must be provided in hex format.

Example: -color:7bc043

stops: Change the color of chart items based on their value.

Arguments are a sequence of values and colors in hex format all separated by a comma.

The respective color is applied when the value is <= to the actual value in the chart.

Example: -stops:3,7bc043,6,f37736,10,ee4035

where

Usage: where <field1> [[==|!=|>=|>|<|<=|include?|!include?|exclude?|start_with?|!start_with?|end_with?|!end_with?|in_subnet?|in?|!in?|in_zones?] <field2>]

Description: Filters the dataset by a specified criterion. field1 and field2 can be strings, fields, numbers or function calls. Some operators are specific to certain data types: * in_subnet? requires a subnet in CIDR notation as the right operand * in? and !in? works with JSON arrays as the right operand * in_zones? works with tiered zones and requires a tiered zone name as the right operand

Examples:

nodes 
| select name properties/http.server_version 
| where !is_empty(properties.http.server_version)
nodes | where is_public
nodes | where ip in_subnet? "192.168.1.0/24"
nodes | where type in? ["computer","historian"]
nodes | where type == "computer" OR days_ago(last_activity_time) < 5
sensors | where !is_empty(tags)
nodes | join assets name name | where assets_tags include? "tag1"
alerts | where zone_src in_zones? "GlobalTieredZone"