Cortex Data Lake
    : About Queries
    Focus
    Download PDF
    Focus
    1. Home
    2. Security Operations
    3. Cortex Data Lake
    4. Cortex Data Lake
    5. Explore Logs
    6. About Queries
    Download PDF

    Cortex Data Lake

    About Queries

    Table of Contents

    About Queries

    Use queries to identify the exact log records you want
    Cortex Data Lake
     to retrieve.
    Queries are Boolean expressions that identify the log records
    Cortex Data Lake
     will retrieve for the specified log record type. You use them as an addition to the log record type and time range information that you are always required to provide. Use queries to narrow the retrieval set to the exact records you want.

    Query Syntax

    Specify queries using match statements. These statements can be either an equality or pattern matching expression. You can optionally combine these statements using the Boolean operators:
    AND
     or
    OR
    . 
    <match_statement> [<boolean> <match_statement>] ...
    For example:
    source_user LIKE 'paloalto%' AND action.value = 'deny'
    A query can be at most 4096 characters long. The actual field name that you use for your filters are not identical to the names shown in the column header. Also, the data displayed in the log table might not always be the identical value you want to use in your queries. For example, the
    BYTES
     field shows values rounded to the nearest byte or kilobyte. To obtain the exact bytes_total value, use the add-to-search feature provided by the query builder.
    The filter evaluates queries according to the standard order of precedence for logical operators. However, you can change the order of operations by grouping terms in parentheses.
    It is an error to create a query with identical start and end times.
    Expression Type
    Definition
    Numeric comparison 
    <field_name> <equality_operator> <value>
    Equality operators are described below.
    String comparison 
    <field_name> <equality_operator> '<value>'
    Pattern matching 
    <field_name> LIKE '<string>%'
    Pattern matching is supported only for fields that contain strings or IP addresses.
    For strings and IP addresses,
    %
     may be provided as a wild card character at any location in the value. A pattern matching expression that does not provide a wild card returns the identical log lines as an equality comparison.
    You must use single quotes with your string values: '<
    value
    >'. Double quotes are illegal: "<
    value
    >".

    Supported Operators

    When building a query, you can choose from a set of operators. The following table describes when to use each operator and lists its compatible values.
    Operator
    When to Use it
    Possible Values
    =
    Find logs that contain an exact value.
    • Integer
    bytes_total = 270
    • String
    action.value = 'allow'
    • IP addresses
    Full:
    src_ip.value = “192.1.1.10/32”
    Subnet Range:
    src_ip.value = “192.1.1.10/24”
    • Timestamp
    time_generated = '2022-03-29 12:57:14'
    != or <>
    Find logs that do not contain anexact value.
    • Integer
    bytes_total != 270
    bytes_total <> 270
    • String
    action.value != 'allow'
    action.value <> 'allow'
    • IP addresses
    Full:
    src_ip.value != “192.1.1.10/32”
    Subnet range:
    src_ip.value <> “192.1.1.10/24”
    • Timestamp
    time_generated != '2022-03-29 12:57:14'
    time_generated <> '2022-03-29 12:57:14'
    <
    Find logs with data less than a value.
    • Integer
    bytes_total < 270
    • Timestamp
    time_generated < '2022-03-29 12:57:14'
    <=
    Find logs with data less than or equal to a value.
    • Integer
    bytes_total <= 270
    • Timestamp
    time_generated <= '2022-03-29 12:57:14'
    >
    Find logs with data greater than a value.
    • Integer
    bytes_total < 270
    • Timestamp
    time_generated > '2022-03-29 12:57:14'
    >=
    Find logs with data greater than or equal to a value.
    • Integer
    bytes_total <= 270
    • Timestamp
    time_generated >= '2022-03-29 12:57:14'
    LIKE
    Find logs with data that matches a string pattern.
    LIKE
     is not supported for fields such as
    action
    ,
    tunnel
    , or
    proto
     that have limited possible values.
    • String
    source_user_info.name LIKE “usern_me”
    You can use either
    _
     or
    %
     as wildcard characters.
    AND
    Find logs that satisfy multiple search terms at once.
    • Any
    bytes_total = 270 AND
    source_user_info.name LIKE “usern_me” AND src_ip.value != “192.1.1.10/24”
    OR
    Find logs that satisfy at least one of multiple search terms.
    • Any
    bytes_total = 270 OR source_user_info.name LIKE “usern_me” OR src_ip.value != “192.1.1.10/24”
    ()
    Specify the priority in which search terms are evaluated.
    • Any
    bytes_total = 270 AND (source_user_info.name LIKE “usern_me” OR src_ip.value != “192.1.1.10/24”)

    About Field Names

    The field names that you use in your queries are sometimes, but not always, identical to the names shown in the log record column headers. The field name that you must use is the log record field name as it is stored in
    Cortex Data Lake
    . There are two ways to obtain this field name:
    1. Click into the user interface query field to see a drop-down list of available field names for the selected log type. On the right-hand side of this drop-down list is the corresponding column name.
    2. The Explore Schema Reference guide provides a mapping of the log column name, as shown in the user interface, to the corresponding log record field name.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.