Skope IT Query Language
This topic describes how to define and execute a search using the advanced search operations. Click the Query Mode button on any of the Skope IT pages.
Enter a query into the search field at the top of the web page. A list of values appears after you enter the field and operator. For example, entering app eq micro opens a list of all apps with micro in the name. The following section provides specific usage examples for all the possible operations.
There are five types of events. They are application, page, audit, infrastructure, and alert event types.
The alert event type is only available on the Skope IT > Alerts page.
Query language search entries consist of simple terms, groups, and Boolean operators. A simple query has the form
app is the name of one of the Application fields
op is one of:
~ in case of string fields.
, in case of numeric fields.
value is a string or numeric value.
It can also be field from value1 to value2, for example, user from aaa to zzz, or timestamp from 1607990400 to 1610158997 (in Epoch Time format).
Simple terms can be combined with Boolean operators. For example: field1 eq value1 and field2 lte value2, not (field1 eq value1), field1 eq value1 or not (field2 lte value2).
Terms can be grouped by using parentheses around them to override precedence. For example: (field1 eq value1 or field2 eq value2) and (field3 eq value3).
"==" – The Equal To operator compares the field with the value. This operator does a case-sensitive comparison.
"!=" – The Not Equal To operator returns all events where the field does not equal the value. This operator does a case-sensitive comparison.
">" – The Greater Than operator works only on numeric fields such as count.
"<" – The Less Than operator works only on numeric fields such as count.
"gte", "lte" – The Greater Than Equal To and Less Than Equal To operators are also available for comparison.
"not" – The Not operator negates the result of the expression to the right. For example, "not (count = 0)".
"in" – The In operator checks if the value of the field is a member of the given value list.
"~" – The 'like' operator lists all the events that contain the specified pattern in the field. For example, user like John would match email@example.com, John@xyz.com, or brjohn. The 'like' operator is not case sensitive.
The "~" operator is performance intensive. It is recommended to use this operator only when searching for events that contain a specified string.
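As an added example (my own code, not Netskope's and not part of this page), a small Python evaluator that implements the grammar described above: simple terms, from/to ranges, and/or/not and parentheses, with eq/==/!= compared case-sensitively and ~ case-insensitively, run over a few constructed sample events. It assumes whitespace-separated tokens, treats = as an alias of == (as in the "not (count = 0)" example) and leaves out the in operator, whose list syntax the page does not specify.

```python
import operator as o
import re
# Added toy evaluator for the query grammar above (mine, not Netskope's parser): whitespace-
# separated tokens, `=` accepted as an alias of `==` (see "not (count = 0)"), `in` not implemented.
TOKEN = re.compile(r'\(|\)|[^\s()]+')
CMP = {'eq': o.eq, '==': o.eq, '=': o.eq, '!=': o.ne, '>': o.gt, '<': o.lt, 'gte': o.ge,
       'lte': o.le, '~': lambda a, b: str(b).lower() in str(a).lower()}  # like: case-insensitive
def _val(s):  # numeric literals compare as numbers, anything else as case-sensitive text
    return float(s) if re.fullmatch(r'-?\d+(\.\d+)?', str(s)) else s
def _cmp(op, event, field, val):  # a missing field or a type mismatch never matches
    try:
        return field in event and CMP[op](_val(event[field]), val)
    except TypeError:
        return False
def parse(query):  # recursive descent, precedence or < and < not/parentheses; returns event -> bool
    toks = TOKEN.findall(query)
    def chain(sub, word, join):  # left-associative run of `sub` terms joined by `word`
        left = sub()
        while toks[:1] == [word]:
            toks.pop(0)
            left = join(left, sub())
        return left
    def expr():
        return chain(term, 'or', lambda l, r: lambda e: l(e) or r(e))
    def term():
        return chain(factor, 'and', lambda l, r: lambda e: l(e) and r(e))
    def factor():  # not X | ( X ) | field from lo to hi | field op value
        tok = toks.pop(0)
        if tok == 'not':
            return (lambda f: lambda e: not f(e))(factor())
        if tok == '(':
            inner = expr()
            assert toks.pop(0) == ')', 'unbalanced parenthesis'
            return inner
        field, op = tok, toks.pop(0)
        if op == 'from':
            lo, _, hi = _val(toks.pop(0)), toks.pop(0), _val(toks.pop(0))
            return lambda e: _cmp('gte', e, field, lo) and _cmp('lte', e, field, hi)
        val = _val(toks.pop(0))
        return lambda e: _cmp(op, e, field, val)
    return expr()

EVENTS = [  # constructed sample events, not real Skope IT data
    {'id': 1, 'app': 'Box', 'user': 'john@example.com', 'count': 3, 'timestamp': 1608000000},
    {'id': 2, 'app': 'Dropbox', 'user': 'brjohn@example.com', 'count': 0, 'timestamp': 1609000000},
    {'id': 3, 'app': 'Box', 'user': 'alice@example.com', 'count': 12, 'timestamp': 1611000000},
]
def search(query, events=EVENTS):  # ids of the events the query matches
    pred = parse(query)
    return [e['id'] for e in events if pred(e)]
```

Note that app eq box returns nothing against these events while user ~ John matches both john@ and brjohn@, which is the case-sensitivity difference between the equality operators and the like operator described above.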
Refer to Skope IT Queries Library for details about specific search queries.