Search syntax
Last updated 2023-03-21
Free Text
In many cases, you can just enter a free-text query.
Example | Description |
---|---|
/a/path/here sqli -7h | Show all SQLI in last 7 hours with this particular path |
RU | All recent requests from Russia |
cn 500 | All recent requests from China that had a 500 error |
404 233.252.0.23 | Recent requests from an IP that had a 404 error |
Let us know if a free-text query did something you didn't expect.
Explicit queries are made through the use of keys and operators. The previous sample queries can be made with keys and operators:
Free Text | Explicit Keys |
---|---|
/a/path/here sqli -7h | path:/a/path/here sqli from:-7h |
RU | country:ru |
cn 500 | country:cn httpcode:500 |
404 233.252.0.23 | httpcode:404 ip:233.252.0.23 |
Operators
- All values below can be quoted to allow for spaces.
- Adding - (minus) before any key negates the operation.
- Different key names function as an AND operator (from:-1h path:/foo).
- Multiple keys with the same name function as an OR operator (path:/foo path:/bar should return paths matching either /foo or /bar).
Operator | Meaning |
---|---|
key:value | equals |
key:=value | equals, alternate syntax |
-key:value | not equals, general negation of all operators |
key:!=value | not equals, alternate syntax |
key:>value | greater-than, integers only |
key:>=value | equals or greater-than, integers only |
key:<value | less-than, integers only |
key:<=value | equals or less-than, integers only |
key:value1..value2 | in range between value1 and value2, integers only. For time see from and until |
key:~value | search on the field with the terms provided |
Time
Time ranges can be specified in a number of ways using the from and until keys.
Queries on the Requests page of the console are limited to a maximum time range of 7 days. Queries greater than a 7 day period will not yield any results. For example, if you wanted to see results from 2 weeks ago, your query would need to use from:-21d until:-14d, which would be a 7 day window. A query of just from:-21d would not yield any results as that would be a 21 day window.
Relative time
Suffix | Meaning |
---|---|
-5s | 5 seconds ago (from now) |
-5min | 5 minutes ago |
-5h | 5 hours ago |
-5d | 5 days ago |
-5w | 5 weeks ago |
-5mon | 5 months ago |
-5y | 5 years ago |
Example:
from:-5h (until now)
from:-5h until:-4h (one hour range)
Absolute time
Absolute time is also allowed using
- Unix UTC Seconds Since Epoch
- Java/JavaScript UTC Milliseconds since Epoch
- ISO Date format YYYYMMDD
Example Absolute Time: Unix UTC Seconds
from:141384000 (until now)
from:141384000 until:1413844691
Example Absolute Time: Java/JavaScript Milliseconds UTC
from:141384000000 (until now)
from:141384000000 until:1413844691000
Example Absolute Date: YYYYMMDD
from:20141031 (until now)
from:20141031 until:20141225
You can also mix and match time formats:
from:20141031 until:-1h
Fields
Name | Type | Description |
---|---|---|
agent | string | The server hostname (or alias) for the agent (agent:~hostname, agent:~appname, agent:hostname.appname, or agent:hostname-appname) |
agentcode | integer | The agent's internal response code |
bytesout | integer | HTTP response size in bytes |
country | string | Request estimated country of origin (e.g., US, RU) |
from | time | Filter output with requests since a particular date |
httpcode | integer | The response's HTTP status code |
ip | string | Single IPv4 (ip:198.51.100.128); single IPv6 (ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225); IPv4 CIDR (ip:198.51.100.0/24); IPv6 CIDR (ip:2001:0db8:1681:f16f::/64); IPv4 range (ip:198.51.100.0..198.51.100.255); IPv6 range (ip:2001:0db8:1681:f16f::..2001:0db8:1681:f16f:ffff:ffff:ffff:ffff) |
method | string | HTTP Method (e.g., GET, POST) |
path | string | Request URL path, does not include query parameters |
payload | string | The data that triggered a signal (i.e., the attack value) |
protocol | string | HTTP Request Protocol, typically HTTP/1.1 or HTTP/1.0 |
ratelimited | string | Requests that have been tagged with a specific threshold signal and have been rate limited. The search syntax is ratelimited:site.<threshold-signal>. You will need to replace <threshold-signal> with the name of the threshold signal that you want to search for. |
responsemillis | integer | HTTP response time in milliseconds |
remotehost | string | Remote hostname (remotehost:www.example.com) or subdomain match (remotehost:~example.com) |
server | string | Requested server name in the http request (e.g., example.com if http://example.com/name ) |
tag | string | A particular signal on a request (e.g., SQLI, XSS) |
target | string | Server + Path |
sort | string | Sort with time-asc (oldest first) or time-desc (most recent first) |
until | time | Filter output with requests before a particular date |
useragent | string | The request's user agent (browser) |
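The operators, time formats and fields described above, exercised by a small Python evaluator over a handful of constructed request records. This is an added illustration, not the console's own search implementation, and several details are assumptions rather than documented behaviour: the record layout, the fixed NOW reference time, the sample records, case-insensitive equality, ~ treated as a substring match, numbers of 13 or more digits read as milliseconds, months and years approximated as 30 and 365 days, and negated repeats of a key combining with AND. It also models the 7-day window rule for the Requests page as a separate check.

```python
"""Toy evaluator for the request search syntax on this page: an added illustration,
not the console's code. Assumptions: case-insensitive matching, ~ means substring,
mon/y are 30/365 days, negated repeats of a key AND rather than OR."""
import ipaddress
import re
import shlex
from datetime import datetime, timezone

NOW = 1_700_000_000  # constructed "now" in epoch seconds, for repeatable results
INT_KEYS = {"httpcode", "bytesout", "responsemillis", "agentcode"}
UNITS = {"s": 1, "min": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
         "mon": 30 * 86400, "y": 365 * 86400}
TERM = re.compile(r"^(?P<neg>-)?(?P<key>[a-z]+):(?P<op>!=|>=|<=|=|>|<|~)?(?P<val>.+)$")

def parse_time(value, now=NOW):
    """-5h style, YYYYMMDD, epoch seconds, or epoch ms (13+ digits: an assumption)."""
    m = re.fullmatch(r"-(\d+)(s|min|h|d|w|mon|y)", value)
    if m:
        return now - int(m.group(1)) * UNITS[m.group(2)]
    if re.fullmatch(r"\d{8}", value):
        dt = datetime.strptime(value, "%Y%m%d").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    if value.isdigit():
        return int(value) // 1000 if len(value) >= 13 else int(value)
    raise ValueError(f"unrecognised time value: {value}")

def parse_query(query):
    """Split a query into (key, op, value, negated) terms; shlex handles quoting."""
    terms = []
    for tok in shlex.split(query):
        m = TERM.match(tok)
        if not m:
            raise ValueError(f"not a key:value term (free text unsupported): {tok}")
        key, op, val, neg = m["key"], m["op"] or "=", m["val"], bool(m["neg"])
        if op == "!=":  # alternate spelling of -key:value
            op, neg = "=", not neg
        if op == "=" and ".." in val:  # value1..value2 range
            op = ".."
        terms.append((key, op, val, neg))
    return terms

def int_match(field, op, val):
    if op == "..":
        lo, hi = (int(x) for x in val.split(".."))
        return lo <= field <= hi
    n = int(val)
    return {"=": field == n, ">": field > n, ">=": field >= n,
            "<": field < n, "<=": field <= n}[op]

def ip_match(field, val):
    addr = ipaddress.ip_address(field)
    if ".." in val:  # low..high range
        lo, hi = map(ipaddress.ip_address, val.split(".."))
        return lo.version == addr.version and lo <= addr <= hi
    if "/" in val:  # CIDR block
        return addr in ipaddress.ip_network(val, strict=False)
    return addr == ipaddress.ip_address(val)  # single IPv4 or IPv6 address

def match_term(record, term, now=NOW):
    key, op, val, neg = term
    if key in ("from", "until"):
        t = parse_time(val, now)
        hit = record["time"] >= t if key == "from" else record["time"] < t
    elif key not in record:
        hit = False
    elif key == "ip":
        hit = ip_match(record["ip"], val)
    elif key in INT_KEYS:
        hit = int_match(int(record[key]), op, val)
    elif op == "~":
        hit = val.lower() in str(record[key]).lower()
    else:
        hit = str(record[key]).lower() == val.lower()
    return hit != neg  # -key:value negates whatever the operator decided

def evaluate(records, query, now=NOW):
    """Different keys AND together; repeated positive keys OR together. A negated
    term forms its own group, so -path:/foo -path:/bar excludes both paths."""
    groups = {}
    for t in parse_query(query):
        groups.setdefault(t if t[3] else t[0], []).append(t)
    return [r for r in records
            if all(any(match_term(r, t, now) for t in ts) for ts in groups.values())]

def window_ok(query, now=NOW, max_days=7):
    """Requests-page rule: the from/until window may not exceed 7 days."""
    times = {k: parse_time(v, now) for k, _, v, neg in parse_query(query)
             if k in ("from", "until") and not neg}
    if "from" not in times:
        return True  # assumption: without from: the default window applies
    return times.get("until", now) - times["from"] <= max_days * 86400

# Constructed sample records, not real traffic; "time" is epoch seconds.
RECORDS = [
    {"time": NOW - 2 * 3600, "ip": "198.51.100.7", "country": "RU",
     "path": "/a/path/here", "httpcode": 200, "tag": "SQLI", "agent": "web1.shop"},
    {"time": NOW - 30 * 3600, "ip": "198.51.100.200", "country": "CN",
     "path": "/login", "httpcode": 500, "tag": "XSS", "agent": "web2.shop"},
    {"time": NOW - 600, "ip": "2001:db8:1681:f16f::10", "country": "US",
     "path": "/a/path/here", "httpcode": 404, "tag": "SQLI", "agent": "web1.api"},
]
```

Running evaluate(RECORDS, "path:/a/path/here tag:sqli from:-7h") returns the two SQLI records on that path from the last seven hours, and evaluate(RECORDS, "path:/login path:/a/path/here -httpcode:404") shows the OR-within-a-key, AND-across-keys rule. window_ok("from:-21d until:-14d") is accepted while window_ok("from:-21d") is rejected, mirroring the 7-day limit described in the Time section.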