Search syntax

The Requests page lists individual requests that have been tagged with signals and that fit into the all or sampled data storage category. You can use the search bar and filter menus to narrow this list.

Filter menus

You can select values from the filter menus to find requests that meet specific criteria. Selected values auto-populate in the search bar where you can further modify the query. Filter options include:

  • Time: filters the requests list based on when the requests were sent. For example, when 2 hours is selected, only requests that were made in the last two hours appear on the page.
  • Attack signals: filters the requests list based on the attack signals that requests are tagged with. For example, when Attack Tooling is selected, only requests tagged with the Attack Tooling signal appear on the page.
  • Anomaly signals: filters the requests list based on the anomaly signals that requests are tagged with. For example, when Address Changed is selected, only requests tagged with the Address Changed signal appear on the page.
  • Response codes: filters the requests list based on the response codes associated with requests. For example, when 404 is selected, only requests with a 404 response code appear on the page.

You can enter free-text and explicit queries into the search bar to find requests that meet specific criteria. Explicit queries follow the <key><operator><value> syntax, where:

  • the key is the field to search upon.
  • the operator defines the relationship of the key to the value.
  • the value is the specific value used to filter the requests list.

Example free-text and explicit queries are as follows:

Free-text queryExplicit queryDescription
/a/path/here sqli -7hpath:/a/path/here sqli from:-7hShow all SQLI in last 7 hours with this particular path
RUcountry:ruAll recent requests from Russia
cn 500country:cn httpcode:500All recent requests from China that had a 500 error
404 ip: requests from an IP that had a 404 error


The keys that you can search on are as follows:

agentstringThe server hostname (or alias) for the agent (agent:~hostname, agent:~appname, agent:hostname.appname, or agent:hostname-appname)
agentcodeintegerThe agents internal response code
bytesoutintegerHTTP response size in bytes
countrystringRequest estimated country of origin (e.g., US, RU)
fromtimeFilter output with requests since a particular date
httpcodeintegerThe response's http response code
ipstringSingle IPv4 (ip:
Single IPv6 (ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225)
IPv4 CIDR (ip:
IPv6 CIDR (ip:2001:0db8:1681:f16f::/64)
IPv4 range (ip:
IPv6 range (ip:2001:0db8:1681:f16f:: through 2001:0db8:1681:f16f:ffff:ffff:ffff:ffff)
ja3stringJA3 fingerprint
methodstringHTTP Method (e.g., GET, POST)
pathstringRequest URL path, does not include query parameters
payloadstringThe data that triggered a signal (i.e., the attack value)
protocolstringHTTP Request Protocol, typically HTTP/1.1 or HTTP/1.0
ratelimitedstringRequests that have been tagged with a specific threshold signal and have been rate limited. The search syntax is ratelimited: site.<threshold-signal>. You will need to replace <threshold-signal> with the name of the threshold signal that you want to search for.
responsemillisintegerHTTP response time in milliseconds
remotehoststringRemote hostname ( or subdomain match (
serverstringRequested server name in the http request (e.g., if
tagstringA particular signal on a request (e.g., SQLI, XSS)
targetstringServer + Path
sortstringSort with time-asc (oldest first) or time-desc (most recent first)
untiltimeFilter output with request before a particular date
useragentstringThe request's user agent (browser)


When using operators, keep in mind the following:

  • All values below can be quoted to allow for spaces.
  • Adding - (minus) before any key negates the operation.
  • Different key names function as an AND operator (from:-1h path:/foo).
  • Multiple keys with the same name function as an OR operator (path:/foo path:/bar should return paths matching either /foo or /bar).

Supported operators include:

key:=valueequals, alternate syntax
-key:valuenot equals, general negation of all operators
key:!=valuenot equals, alternate syntax
key:>valuegreater-than, integers only
key:>=valueequals or greater-than, integers only
key:<valueless-than, integers only
key:<=valueequals or less-than, integers only
key:value1..value2in range between value1 and value2, integers only. For time see from and until
key:~valuesearch on the field with the terms provided


Time ranges can be specified in a number of ways using the from and until keys.

Queries on the Requests page are limited to a maximum time range of 7 days. Queries greater than a 7 day period will not yield any results. For example, if you wanted to find results from 2 weeks ago, your query would need to use from:-21d until:-14d, which would be a 7 day window. A query of just from:-21d would not yield any results as that would be a 21 day window.

Relative time

-5s5 seconds ago (from now)
-5min5 minutes ago
-5h5 hours ago
-5d5 days ago
-5w5 weeks ago
-5mon5 months ago
-5y5 year ago


  • from:-5h (until now)
  • from:-5h until:-4h (one hour range)

Absolute time

Absolute time is also allowed using

  • Unix UTC Seconds Since Epoch
  • Java/JavaScript UTC Milliseconds since Epoch
  • ISO Date format YYYYMMDD

Example Absolute Time: Unix UTC Seconds

  • from:141384000 (until now)
  • from:141384000 until:1413844691

Example Absolute Time: Java/JavaScript Milliseconds UTC

  • from:141384000000 (until now)
  • from:141384000000 until:1413844691000

Example Absolute Date: YYYYMMDD

  • from:20141031 (until now)
  • from:20141031 until:20141225

You can also mix and match time formats:

  • from:20141031 until:-1h
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.