About Queries

Use queries to identify the exact log records you want Cortex Data Lake to retrieve.
Queries are Boolean expressions that identify the log records Cortex Data Lake will retrieve for the specified log record type. You use them as an addition to the log record type and time range information that you are always required to provide. Use queries to narrow the retrieval set to the exact records you want.

Query Syntax

Specify queries using match statements. These statements can be either an equality or pattern matching expression. You can optionally combine these statements using the Boolean operators:
AND
or
OR
.
<match_statement> [<boolean> <match_statement>] ...
For example:
source_user LIKE 'paloalto*' AND action.value = 'deny'
A query can be at most 2048 characters long. The actual field name that you use for your filters are not identical to the names shown in the column header. Also, the data displayed in the log table might not always be the identical value you want to use in your queries. For example, the
BYTES
field shows values rounded to the nearest byte or kilobyte. To obtain the exact bytes_total value, use the add-to-search feature provided by the query builder.
The filter evaluates queries according to the standard order of precedence for logical operators. At this time, the filter does not support parentheses to change the order of evaluation.
It is an error to create a query with identical start and end times.
Expression Type
Definition
Numeric comparison
<field_name> <equality_operator> <value>
Equality operators are described below.
String comparison
<field_name> <equality_operator> '<value>'
Pattern matching
<field_name> LIKE '<string>%'
Pattern matching is supported only for fields that contain strings or IP addresses.
For strings and IP addresses, % may be provided as a wild card character at any location in the value. A pattern matching expression that does not provide a wild card returns the identical log lines as an equality comparison.
You must use single quotes with your string values: '<
value
>'. Double quotes are illegal: "<
value
>".

Supported Operators

When building a query, you can choose from a set of operators. The following table describes the operators supported by each data type:
Operator
Integers
Strings
=
x
x
!=
x
x
<>
(equivalent to
!=
)
x
x
>
x
<
x
>=
x
<=
x
LIKE
*
x
AND
x
x
OR
x
x
* LIKE is not supported for fields such as
action
,
tunnel
, or
proto
that have limited possible values.

About Field Names

The field names that you use in your queries are sometimes, but not always, identical to the names shown in the log record column headers. The field name that you must use is the log record field name as it is stored in Cortex Data Lake. There are two ways to obtain this field name:
  1. Click into the user interface query field to see a drop-down list of available field names for the selected log type. On the right-hand side of this drop-down list is the corresponding column name.
  2. The Explore Schema Reference guide provides a mapping of the log column name, as shown in the user interface, to the corresponding log record field name.

Recommended For You