- Search Overview
- Search Home Page
- Performing Searches
- Basic Search
- Advanced Search
- Advanced Search Building Blocks
- Running an Advanced Search Query
- Query Syntax
- Query by Subject
- Query by Vendor and Product
- Query by Field and Value
- Query by Context Table
- Query Using Regex
- Free Text Search
- Query Using Advanced Query Language Operators
- Query Using Aggregation Functions
- Query Using Structured Fields
- Dynamic Field Extraction
- Natural Language Search
- Anomaly Search
- Refine a Search
- Context Tables in Search
- Search Best Practices
- Search Results
- Dashboard Visualizations
Query Using Advanced Query Language Operators
In Exabeam advanced query language, a number of operators are available for creating complex queries that can be used in the Search service. A search using advanced operators must contain at least one SELECT or one WHERE clause. Other operators and clauses are optional, but when in use they must be placed in a specific order:
[SELECT clause] [WHERE clause] [GROUP-BY clause] [ORDER-BY clause] [LIMIT clause]
The sections below provide a small table of sample log data and descriptions of the available operators with syntax examples.
Sample Log Data for Syntax Examples
The sections in Available Operators include syntax examples for the use of each operator. For the sake of simplicity, the examples will be based on the following table of sample log data.
id | activity | vendor | product |
|---|---|---|---|
76734bee-54dc-4fdd-95dd-801028d3873 | login | microsoft | azure |
b54ca959-e24d-4516-be69-ac81b68ff4c3 | logout | apple | iphone |
9fde43fd-d499-4f7d-834a-4ee5fbdd3217 | login | microsoft | xbox |
2d0132f1-e27a-4a51-9a4f-0949cf495d6c | logout | exabeam | correlation-engine |
Available Operators
Expand each of the sections below to view information about advanced query language operators that are available for constructing complex queries in Search. The syntax examples are based on the table of sample log data in the section above.
Use to select a set of fields, from the event store, to be included in an output table.
Note
In specific cases, when a SELECT clause is used, search results are output in a format that is not compatible with the standard results list view. They cannot be displayed in the list view and are instead displayed in a table view.
Specifically, when an asterisk (*) is not used in the SELECT clause, it indicates that only the specified fields are of interest and the results are returned in a table view. However, if an asterisk (*) is used in the SELECT clause, it indicates that all the fields should be returned and the results are displayed in the standard list view. The list view is also disabled for any query that includes aggregation functions.
Examples:
SELECT vendor– Results display in a table viewSELECT subject, COUNT(vendor) GROUP-BY subject– Results display in a table viewSELECT *,vendor– Results display in a list viewSELECT *,RGX_EXTRACT(...) – Results display in a list view
Syntax Example 1: SELECT id
Outputs a table with only the id column displayed.
id |
|---|
76734bee-54dc-4fdd-95dd-801028d3873 |
b54ca959-e24d-4516-be69-ac81b68ff4c3 |
9fde43fd-d499-4f7d-834a-4ee5fbdd3217 |
2d0132f1-e27a-4a51-9a4f-0949cf495d6c |
Syntax Example 2: SELECT activity, vendor
Outputs a table with only the activity and vendor columns displayed.
avtivity | vendor |
|---|---|
login | microsoft |
logout | apple |
login | microsoft |
logout | exabeam |
Syntax Example 3: SELECT *
Outputs a table with all columns displayed.
Use within a SELECT clause to create an alias for a selected field or for a set of results (table aliasing). An alias can be useful for referring to a calculated field or for reusing a set of results in a subsequent query. It can make results more readable and easier to use in further filtering.
Tip
The following list of reserved keywords cannot be used as aliases:
abort, all, and, any, array, as, asc, assert_rows_modified, at, between, by, case, cast, collate, contains, create, cross, cube, current, default, define, desc, distinct, else, end, enum, escape, except, exclude, exists, extract, false, fetch, following, for, from, full, group, grouping, groups, hash, having, if, ignore, in, inner, intersect, interval, into, is, join, lateral, left, like, limit, lookup, merge, natural, new, no, not, null, nulls, of, offset, on, or, order, outer, over, partition, preceding, proto, range, recursive, respect, right, rollup, rows, select, set, some, struct, tablesample, then, to, treat, true, unbounded, union, unnest, using, when, where, window, with, within
Syntax Example 1: SELECT activity AS aliased_activity
Outputs the activity column with the alias name.
aliased_activity |
|---|
login |
logout |
login |
logout |
Syntax Example 2: SELECT vendor AS aliased_vendor, product AS aliased_product
Outputs the vendor and product columns with the alias names.
aliased_vendor | aliased_product |
|---|---|
microsoft | azure |
apple | iphone |
microsoft | xbox |
exabeam | correlation-engine |
Syntax Example 3: WHERE vendor:"Microsoft" AS aliased_table
Outputs the filtered results, where vendor = Microsoft, in a new aliased table.
id | activity | vendor | product |
|---|---|---|---|
76734bee-54dc-4fdd-95dd-801028d3873 | login | microsoft | azure |
9fde43fd-d499-4f7d-834a-4ee5fbdd3217 | login | microsoft | xbox |
Use to specify filter conditions to narrow down the result set. A simple search query without the SELECT and WHERE clause is treated implicitly as a WHERE statement. For example, the following two queries return the same results:
Syntax Example 1: WHERE vendor:"Microsoft"
Syntax Example 2: vendor:"Microsoft"
id | activity | vendor | product |
|---|---|---|---|
76734bee-54dc-4fdd-95dd-801028d3873 | login | microsoft | azure |
9fde43fd-d499-4f7d-834a-4ee5fbdd3217 | login | microsoft | xbox |
Used to sort the resulting set in ascending (ASC) or descending (DESC) order.
Syntax Example: ORDER-BY product ASC
Output the results sorted by the values in the product column, in ascending order.
id | activity | vendor | product |
|---|---|---|---|
76734bee-54dc-4fdd-95dd-801028d3873 | login | microsoft | azure |
2d0132f1-e27a-4a51-9a4f-0949cf495d6c | logout | exabeam | correlation-engine |
b54ca959-e24d-4516-be69-ac81b68ff4c3 | logout | apple | iphone |
9fde43fd-d499-4f7d-834a-4ee5fbdd3217 | login | microsoft | xbox |
Use to group rows of results that have the same values into summary rows. Can be used with aggregation functions to group the result set by one or more columns.
Syntax Example: GROUP-BY vendor
Outputs a row for each vendor value.
vendor |
|---|
microsoft |
apple |
exabeam |
Use to limit the number of rows returned in the result set.
Note
When no limit is defined, Search can return an unlimited number of results, but only the first 500 rows are displayed in the user interface. However, for API usage, Search defaults to a maximum of 3000 results.
Syntax Example: limit 3
Outputs only the first three rows of results.
id | activity | vendor | product |
|---|---|---|---|
76734bee-54dc-4fdd-95dd-801028d3873 | login | microsoft | azure |
b54ca959-e24d-4516-be69-ac81b68ff4c3 | logout | apple | iphone |
9fde43fd-d499-4f7d-834a-4ee5fbdd3217 | login | microsoft | xbox |
Use to separate clauses in a query statement. The pipe operator feeds the result set from an initial clause into the next clause. In more complex queries, the pipe operator can be used to chain together a sequence of query statements. You can use up to five pipe operators to chain together six query statements.
Avoid using the pipe operator in basic queries where an AND operator or WHERE clause can be used just as effectively. Reserve the use of pipe operators for cases where you want to act on the results of the base query, such as grouping or other aggregate functions.
Note
Limitations
The pipe operator can only be used for queries that include a date range of up to seven day.
The pipe operator can be used up to an enforced quota of 1,000 queries per month.
Syntax Example:
SELECT product, AVG(raw_log_size) AS avgLogSize GROUP-BY product ORDER-BY avgLogSize DESC | avgLogSize > 2000
The clauses to the left of the pipe operator produce a table of products which lists the average log size that each handles. The log sizes are listed in a new avgLogSize column, in descending numerical order by log size. The clause to the right of the pipe operator filters the table to show only those rows where the average log size is greater than 2000.
 |
Use to run a search function on every row of a results set returned by a previous query or by an earlier clause in a complex, pipe-separated (|) query.
Keep in mind the following points for building queries that include a FOREACH clause:
A FOREACH clause can only be used after a preceding query that has produced a result set.
A FOREACH clause must be used in its own pipe-separated clause.
ORDER-BY and GROUP-BY are not supported in the same pipe clause as FOREACH.
LIMIT is supported for use in the same pipe clause as FOREACH.
Syntax Example: id: "76734bee-54dc-4fdd-95dd-801028d3873" | FOREACH vendor [vendor: @vendor]
The first clause returns rows with the specified ID. After the pipe operator, the FOREACH clause selects the value of the vendor column in the results from the ID match, which in this case = microsoft. In the subsequent search, [vendor: @vendor] is treated as a WHERE clause that searches a newly-defined shard table for each result where the vendor value = microsoft. The resulting output is the following table:
id | activity | vendor | product |
|---|---|---|---|
76734bee-54dc-4fdd-95dd-801028d3873 | login | microsoft | azure |
9fde43fd-d499-4f7d-834a-4ee5fbdd3217 | login | microsoft | xbox |
Complex Syntax Example:
subject: "endpoint" | FOREACH dest_host [ select src_host WHERE src_host: @dest_host AND subject: "network" AND activity_type: "network-connection" ] | SELECT src_host, count(src_host) AS src_host_count GROUP-BY src_host
This complex example is explained in the color coded image below.
 |
This search outputs a table that lists the count of each src_host that matched the query criteria, as shown in the image below.
 |