search close

Search Syntax

access_time Updated Mar 24, 2023

Free Text

In many cases, you can “just type” a free-text query.

Example Description
/a/path/here sqli -7h Show all SQLI in last 7 hours with this particular path
RU All recent requests from Russia
cn 500 All recent requests from China that had a 500 error
404 Recent requests from an IP that had a 404 error

Let us know if a free-text query did something you didn’t expect.

Explicit queries are made through the use of keys and operators. The previous sample queries can be made with keys and operators:

Free Text Explicit Keys
/a/path/here sqli -7h path:/a/path/here sqli from:-7h
RU country:ru
cn 500 country:cn httpcode:500
404 httpcode:404 ip:


  • All values below can be quoted to allow for spaces.
  • Adding - (minus) before any key negates the operation.
  • Different key names function as an AND operator (from:-1h path:/foo).
  • Multiple keys with the same name function as an OR operator (path:/foo path:/bar should return paths matching either /foo or /bar).
Operator Meaning
key:value equals
key:=value equals, alternate syntax
-key:value not equals, general negation of all operators
key:!=value not equals, alternate syntax
key:>value greater-than, integers only
key:>=value equals or greater-than, integers only
key:<value less-than, integers only
key:<=value equals or less-than, integers only
key:value1..value2 in range between value1 and value2, integers only. For time see from and until
key:~value search on the field with the terms provided


Time ranges can be specified in a number of ways using the from and until keys.

Queries on the Requests page of the console are limited to a maximum time range of 7 days. Queries greater than a 7 day period will not yield any results. For example, if you wanted to see results from 2 weeks ago, your query would need to use from:-21d until:-14d, which would be a 7 day window. A query of just from:-21d would not yield any results as that would be a 21 day window.

Relative time

Suffix Meaning
-5s 5 seconds ago (from now)
-5min 5 minutes ago
-5h 5 hours ago
-5d 5 days ago
-5w 5 weeks ago
-5mon 5 months ago
-5y 5 year ago


  • from:-5h (until now)
  • from:-5h until:-4h (one hour range)

Absolute time

Absolute time is also allowed using

  • Unix UTC Seconds Since Epoch
  • Java/JavaScript UTC Milliseconds since Epoch
  • ISO Date format YYYYMMDD

Example Absolute Time: Unix UTC Seconds

  • from:141384000 (until now)
  • from:141384000 until:1413844691

Example Absolute Time: Java/JavaScript Milliseconds UTC

  • from:141384000000 (until now)
  • from:141384000000 until:1413844691000

Example Absolute Date: YYYYMMDD

  • from:20141031 (until now)
  • from:20141031 until:20141225

You can also mix and match time formats:

  • from:20141031 until:-1h


Name Type Description
agent string The server hostname (or alias) for the agent (agent:~hostname, agent:~appname, agent:hostname.appname, or agent:hostname-appname)
agentcode integer The agents internal response code
bytesout integer HTTP response size in bytes
country string Request estimated country of origin (e.g., US, RU)
from time Filter output with requests since a particular date
httpcode integer The response’s http response code
ip string Single IPv4 (ip:
Single IPv6 (ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225)
IPv4 CIDR (ip:
IPv6 CIDR (ip:2001:0db8:1681:f16f::/64)
IPv4 range (ip:
IPv6 range (ip:2001:0db8:1681:f16f::..2001:0db8:1681:f16f:ffff:ffff:ffff:ffff)
method string HTTP Method (e.g., GET, POST)
path string Request URL path, does not include query parameters
payload string The data that triggered a signal (i.e., the attack value)
protocol string HTTP Request Protocol, typically HTTP/1.1 or HTTP/1.0
ratelimited string Requests that have been tagged with a specific threshold signal and have been rate limited. The search syntax is ratelimited: site.<threshold-signal>. You will need to replace <threshold-signal> with the name of the threshold signal that you want to search for.
responsemillis integer HTTP response time in milliseconds
remotehost string Remote hostname ( or subdomain match (
server string Requested server name in the http request (e.g., “” if
tag string A particular signal on a request (e.g., SQLI, XSS)
target string Server + Path
sort string Sort with time-asc (oldest first) or time-desc (most recent first)
until time Filter output with request before a particular date
useragent string The request’s user agent (browser)