Search syntax

Free Text

In many cases, you can just enter a free-text query.

Example               | Description
----------------------|---------------------------------------------------------------------
/a/path/here sqli -7h | Show all SQLI requests in the last 7 hours with this particular path
RU                    | All recent requests from Russia
cn 500                | All recent requests from China that had a 500 error
404 233.252.0.23      | Recent requests from an IP that had a 404 error

Let us know if a free-text query did something you didn't expect.

Explicit queries are made through the use of keys and operators. The previous sample queries can be made with keys and operators:

Free Text             | Explicit Keys
----------------------|---------------------------------
/a/path/here sqli -7h | path:/a/path/here sqli from:-7h
RU                    | country:ru
cn 500                | country:cn httpcode:500
404 233.252.0.23      | httpcode:404 ip:233.252.0.23

Operators

  • All values below can be quoted to allow for spaces.
  • Adding - (minus) before any key negates the operation.
  • Different key names function as an AND operator (from:-1h path:/foo).
  • Multiple keys with the same name function as an OR operator (path:/foo path:/bar should return paths matching either /foo or /bar).

Operator           | Meaning
-------------------|------------------------------------------------------------------------------
key:value          | equals
key:=value         | equals, alternate syntax
-key:value         | not equals, general negation of all operators
key:!=value        | not equals, alternate syntax
key:>value         | greater-than, integers only
key:>=value        | equals or greater-than, integers only
key:<value         | less-than, integers only
key:<=value        | equals or less-than, integers only
key:value1..value2 | in range between value1 and value2, integers only. For time see from and until
key:~value         | search on the field with the terms provided

Time

Time ranges can be specified in a number of ways using the from and until keys.

Queries on the Requests page of the console are limited to a maximum time range of 7 days. Queries spanning more than a 7-day period will not yield any results. For example, if you wanted to see results from 2 weeks ago, your query would need to use from:-21d until:-14d, which is a 7-day window. A query of just from:-21d would not yield any results, as that would be a 21-day window.

Relative time

Suffix | Meaning
-------|--------------------------
-5s    | 5 seconds ago (from now)
-5min  | 5 minutes ago
-5h    | 5 hours ago
-5d    | 5 days ago
-5w    | 5 weeks ago
-5mon  | 5 months ago
-5y    | 5 years ago

Example:

  • from:-5h (until now)
  • from:-5h until:-4h (one hour range)

Absolute time

Absolute time is also allowed, using one of:

  • Unix UTC Seconds Since Epoch
  • Java/JavaScript UTC Milliseconds since Epoch
  • ISO Date format YYYYMMDD

Example Absolute Time: Unix UTC Seconds

  • from:141384000 (until now)
  • from:141384000 until:1413844691

Example Absolute Time: Java/JavaScript Milliseconds UTC

  • from:141384000000 (until now)
  • from:141384000000 until:1413844691000

Example Absolute Date: YYYYMMDD

  • from:20141031 (until now)
  • from:20141031 until:20141225

You can also mix and match time formats:

  • from:20141031 until:-1h
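To make the rules above concrete, here is a small parser for this query syntax. It is an added example written for this page, not the console's own parsing code: it splits a query into key/operator/value terms (quoted values, the - negation prefix, same-key grouping for OR), resolves the from/until formats listed above, and measures the window against the 7-day limit. The 30-day month, 365-day year and the digit-count rule for telling seconds from milliseconds are assumptions of the example.

```python
import re
import shlex
from datetime import datetime, timedelta, timezone

OPS = ("!=", ">=", "<=", "=", ">", "<", "~")  # page's operators, longest first
# Relative-time suffixes from the page; 30-day months and 365-day years are assumed here.
UNIT_SECONDS = {"s": 1, "min": 60, "h": 3600, "d": 86400, "w": 604800,
                "mon": 30 * 86400, "y": 365 * 86400}

def parse_term(term):
    """Split one token into (key, op, value, negated); key None means free text."""
    negated = term.startswith("-") and ":" in term  # a bare "-7h" is free text, not negation
    if negated:
        term = term[1:]
    if ":" not in term:
        return None, "=", term, False
    key, rest = term.split(":", 1)  # IPv6 values keep their own colons
    op = next((o for o in OPS if rest.startswith(o)), None)
    if op:
        rest = rest[len(op):]
    else:
        op = ".." if ".." in rest else "="
    return key, op, rest, negated

def parse_query(query):
    """Tokenise (quotes allow spaces) and group by key: same key ORs, different keys AND."""
    groups = {}
    for tok in shlex.split(query):
        key, op, value, negated = parse_term(tok)
        groups.setdefault(key, []).append((op, value, negated))
    return groups

def resolve_time(value, now):
    """Resolve a from:/until: value to an aware UTC datetime using the page's formats."""
    m = re.fullmatch(r"-(\d+)(min|mon|s|h|d|w|y)", value)
    if m:
        return now - timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])
    if len(value) == 8:          # ISO date YYYYMMDD
        return datetime.strptime(value, "%Y%m%d").replace(tzinfo=timezone.utc)
    if len(value) <= 10:         # Unix seconds; telling seconds from ms by length is assumed
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)  # Java/JS ms

def window_days(groups, now):
    """Span of the from/until window in days; the Requests page rejects spans over 7 days."""
    start = resolve_time(groups["from"][0][1], now)
    end = resolve_time(groups["until"][0][1], now) if "until" in groups else now
    return (end - start).total_seconds() / 86400
```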

Fields

Name           | Type    | Description
---------------|---------|----------------------------------------------------------------------------------------------
agent          | string  | The server hostname (or alias) for the agent (agent:~hostname, agent:~appname, agent:hostname.appname, or agent:hostname-appname)
agentcode      | integer | The agent's internal response code
bytesout       | integer | HTTP response size in bytes
country        | string  | Request's estimated country of origin (e.g., US, RU)
from           | time    | Filter output to requests since a particular date
httpcode       | integer | The HTTP response status code
ip             | string  | Single IPv4 (ip:198.51.100.128); single IPv6 (ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225); IPv4 CIDR (ip:198.51.100.0/24); IPv6 CIDR (ip:2001:0db8:1681:f16f::/64); IPv4 range (ip:198.51.100.0..198.51.100.255); IPv6 range (ip:2001:0db8:1681:f16f:: through 2001:0db8:1681:f16f:ffff:ffff:ffff:ffff)
ja3            | string  | JA3 fingerprint
method         | string  | HTTP method (e.g., GET, POST)
path           | string  | Request URL path, does not include query parameters
payload        | string  | The data that triggered a signal (i.e., the attack value)
protocol       | string  | HTTP request protocol, typically HTTP/1.1 or HTTP/1.0
ratelimited    | string  | Requests that have been tagged with a specific threshold signal and have been rate limited. The search syntax is ratelimited: site.<threshold-signal>. Replace <threshold-signal> with the name of the threshold signal that you want to search for.
responsemillis | integer | HTTP response time in milliseconds
remotehost     | string  | Remote hostname (remotehost:www.example.com) or subdomain match (remotehost:~example.com)
server         | string  | Requested server name in the HTTP request (e.g., example.com if http://example.com/name)
tag            | string  | A particular signal on a request (e.g., SQLI, XSS)
target         | string  | Server + Path
sort           | string  | Sort with time-asc (oldest first) or time-desc (most recent first)
until          | time    | Filter output to requests before a particular date
useragent      | string  | The request's user agent (browser)