Query Builder

In Data Explorer, the Query Builder interface allows you to build a query in modular steps. To create a valid query, you must create one or more rules.

A rule is a conditional statement that defines a dataset. A rule consists of a Data Explorer field, an operator, and one or more values. A simple query has only one rule, whereas a complex query is a combination of two or more rules.

With complex operators, you can organize rules in various ways. For example:
  • You can combine two or more rules.
  • You can use nested groups to define a set of rules and then combine multiple groups.
  • You can combine rules and nested groups.
For more information, see:

Simple operators

Simple operators allow you to create rules. A rule consists of a Data Explorer field, one or more values, and an operator that allows you to filter data.

Note: The list of available operators depends on the fields that you select. For more information, see Data Explorer fields.
Operator   Description
=          Is equal to the single value that you specify.
!=         Is not equal to the single value that you specify.
<          Is less than the single value that you specify.
<=         Is less than or equal to the single value that you specify.
>          Is greater than the single value that you specify.
>=         Is greater than or equal to the single value that you specify.
exists     Is not an empty Data Explorer field.
in         Is found in a set of values that you specify.
not in     Is not found in a set of values that you specify.

Complex operators

Complex operators allow you to combine rules.

Operator Description

+ Rule

Add a rule at the current level.

+ Nested Group

Add a subordinate group of rules. Rules in a nested group are evaluated separately from their parent query. The results are used for the parent query.
Note: A nested group with a single rule is the same thing as adding a single rule. It does not add a separate operator to the parent group. To use multiple operators, you must use multiple nested groups.

AND | OR

Combine rules at the same level using the AND or OR Boolean operator, where:
  • If AND is used — A result appears only if all rules in the group are true.

  • If OR is used — A result appears if any of the rules in the group are true.

Example query

This example query searches for suspicious events pertaining to certain URLs or file paths, while excluding a specific event from users who are expected to generate those events.
Note: The example query is for informational use only. It has not been tested to work in all environments. For practical examples that can be used in custom dashboards, see Example widgets.

Example query with two nested groups.

This query can also be expressed as:

    (user.name in <admin1>, <admin2> AND event.reason = event_reason) AND (file.path = <file_path> OR url.domain = <url>) AND event.severity >= 5

This query returns results that:
  • Contain both:
    • A user.name of either admin1 or admin2.
    • An event.reason of event_reason.
  • Contain either:
    • A file.path of file_path.
    • A url.domain of url.
  • Have an event.severity value greater than or equal to 5.
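To make the rule and group semantics concrete, here is an added example (not Data Explorer's own code) that models a rule as field, operator and values, a nested group as a separately evaluated AND/OR combination of its members, and runs the page's example query over constructed sample events. The placeholder values (admin names, file path, domain) and the event dictionaries are assumptions chosen for illustration.

```python
import operator
from dataclasses import dataclass

_CMP = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}

@dataclass
class Rule:
    field: str          # dotted Data Explorer field name, e.g. "event.severity"
    op: str             # a key of _CMP, or "exists", "in", "not in"
    values: tuple = ()  # one value for comparisons, a set for in / not in

    def matches(self, event: dict) -> bool:
        # "exists" means the field is present and not empty
        present = self.field in event and event[self.field] not in (None, "")
        if self.op == "exists":
            return present
        if not present:             # a missing field never satisfies a comparison
            return False
        if self.op == "in":
            return event[self.field] in self.values
        if self.op == "not in":
            return event[self.field] not in self.values
        return _CMP[self.op](event[self.field], self.values[0])

@dataclass
class Group:
    op: str             # "AND" or "OR", applied to every member at this level
    members: tuple      # Rules and nested Groups; each nested Group is evaluated on its own

    def matches(self, event: dict) -> bool:
        combine = all if self.op == "AND" else any
        return combine(m.matches(event) for m in self.members)
# The page's example query with assumed placeholder values filled in.
QUERY = Group("AND", (
    Group("AND", (Rule("user.name", "in", ("admin1", "admin2")),
                  Rule("event.reason", "=", ("event_reason",)))),
    Group("OR", (Rule("file.path", "=", ("/tmp/payload.bin",)),
                 Rule("url.domain", "=", ("example.invalid",)))),
    Rule("event.severity", ">=", (5,)),
))
# Constructed sample events, not real telemetry.
EVENTS = [
    {"user.name": "admin1", "event.reason": "event_reason", "url.domain": "example.invalid", "event.severity": 7},
    {"user.name": "admin2", "event.reason": "event_reason", "file.path": "/tmp/payload.bin", "event.severity": 4},
    {"user.name": "guest", "event.reason": "event_reason", "file.path": "/tmp/payload.bin", "event.severity": 9},
]

def run(query: Group, events: list) -> list:
    # Return the indexes of the events the query selects.
    return [i for i, e in enumerate(events) if query.matches(e)]
```

Only the first event survives: the second fails the severity threshold and the third fails the user.name membership test, which is exactly how the three top-level AND members narrow the result set.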