Search Syntax

Updated Sep 21, 2021

Free Text

In many cases, you can “just type” a free-text query.

Example                  Description
/a/path/here sqli -7h    Show all SQLI in the last 7 hours with this particular path
RU                       All recent requests from Russia
cn 500                   All recent requests from China that had a 500 error
404 233.252.0.23         Recent requests from an IP that had a 404 error

Let us know if a free-text query did something you didn’t expect.

Explicit queries are made through the use of keys and operators. The previous sample queries can be made with keys and operators:

Free Text                Explicit Keys
/a/path/here sqli -7h    path:/a/path/here sqli from:-7h
RU                       country:ru
cn 500                   country:cn httpcode:500
404 233.252.0.23         httpcode:404 ip:233.252.0.23

Operators

  • All values below can be quoted to allow for spaces.
  • Adding - (minus) before any key negates the operation.
  • Different key names function as an AND operator (from:-1h path:/foo).
  • Multiple keys with the same name function as an OR operator (path:/foo path:/bar should return paths matching either /foo or /bar).
Operator             Meaning
key:value            equals
key:=value           equals, alternate syntax
-key:value           not equals, general negation of all operators
key:!=value          not equals, alternate syntax
key:>value           greater-than, integers only
key:>=value          equals or greater-than, integers only
key:<value           less-than, integers only
key:<=value          equals or less-than, integers only
key:value1..value2   in range between value1 and value2, integers only. For time, see from and until
key:~value           search on the field with the terms provided
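To make the operator rules above concrete (different keys AND, repeated keys OR, - negation, integer-only comparisons and ranges, ~ term search), here is a small matcher added for this page; it is example code, not the console's own implementation. It assumes field names from the Fields table, models only plain string and integer fields (ip CIDR/ranges and the from/until time keys are left out), and, since the page does not say how several negated terms on one key combine, treats each negated term as its own exclusion.

```python
import re
import shlex
from collections import defaultdict

INT_KEYS = {"httpcode", "bytesout", "responsemillis", "agentcode"}  # integer-typed per the field table
TERM_RE = re.compile(r"^(-?)([a-z]+):(!=|>=|<=|=|>|<|~)?(.+)$")
COMPARE = {"=": lambda v, w: v == w, "!=": lambda v, w: v != w, ">": lambda v, w: v > w,
           ">=": lambda v, w: v >= w, "<": lambda v, w: v < w, "<=": lambda v, w: v <= w,
           "..": lambda v, w: w[0] <= v <= w[1], "~": lambda v, w: str(w).lower() in str(v).lower()}

def parse_query(query):
    """Split an explicit query into (negated, key, op, value) terms; shlex keeps quoted spaces."""
    terms = []  # assumption: ip CIDR/ranges and the from/until time keys are not modelled here
    for tok in shlex.split(query):
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"not a key:value term: {tok!r}")
        neg, key, op, val = m.groups()
        op = op or "="
        if op == "=" and ".." in val:  # key:value1..value2
            op, val = "..", val.split("..", 1)
        if op in (">", ">=", "<", "<=", "..") and key not in INT_KEYS:
            raise ValueError(f"{op} is integers only; {key} is a string field")
        if key in INT_KEYS and op != "~":
            val = tuple(map(int, val)) if op == ".." else int(val)
        terms.append((neg == "-", key, op, val))
    return terms

def matches(request, terms):
    """Different keys AND together; repeated positive keys OR. Assumption: each -key term excludes on its own."""
    by_key = defaultdict(list)
    for t in terms:
        by_key[t[1]].append(t)
    for key, group in by_key.items():
        if key not in request:
            return False
        hit = {t: COMPARE[t[2]](request[key], t[3]) for t in group}
        if any(hit[t] for t in group if t[0]):  # some negated term matched, so exclude the request
            return False
        positives = [t for t in group if not t[0]]
        if positives and not any(hit[t] for t in positives):
            return False
    return True

REQUESTS = [  # constructed sample requests, not real console data
    {"path": "/a/path/here", "httpcode": 500, "country": "ru", "tag": "SQLI"},
    {"path": "/login", "httpcode": 404, "country": "cn", "tag": "XSS"},
    {"path": "/foo", "httpcode": 200, "country": "us", "tag": ""},
    {"path": "/bar", "httpcode": 503, "country": "us", "tag": ""},
]
```

Filtering is `[r for r in REQUESTS if matches(r, parse_query("path:/foo path:/bar"))]`, which returns both paths because repeated keys OR together.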

Time

Time ranges can be specified in a number of ways using the from and until keys.

Queries on the Requests page of the console are limited to a maximum time range of 7 days. Queries spanning more than 7 days will not yield any results. For example, if you wanted to see results from 2 weeks ago, your query would need to use from:-21d until:-14d, which is a 7 day window. A query of just from:-21d would not yield any results, as that would be a 21 day window.

Relative time

Suffix   Meaning
-5s      5 seconds ago (from now)
-5min    5 minutes ago
-5h      5 hours ago
-5d      5 days ago
-5w      5 weeks ago
-5mon    5 months ago
-5y      5 years ago

Example:

  • from:-5h (until now)
  • from:-5h until:-4h (one hour range)

Absolute time

Absolute time is also allowed, using one of:

  • Unix UTC Seconds Since Epoch
  • Java/JavaScript UTC Milliseconds since Epoch
  • ISO Date format YYYYMMDD

Example Absolute Time: Unix UTC Seconds

  • from:141384000 (until now)
  • from:141384000 until:1413844691

Example Absolute Time: Java/JavaScript Milliseconds UTC

  • from:141384000000 (until now)
  • from:141384000000 until:1413844691000

Example Absolute Date: YYYYMMDD

  • from:20141031 (until now)
  • from:20141031 until:20141225

You can also mix and match time formats:

  • from:20141031 until:-1h

Fields

Name            Type     Description
agent           string   The server hostname (or alias) for the agent (agent:~hostname, agent:~appname, agent:hostname.appname, or agent:hostname-appname)
agentcode       integer  The agent's internal response code
bytesout        integer  HTTP response size in bytes
country         string   The request's estimated country of origin, example: US, RU
from            time     Filter output to requests since a particular date
httpcode        integer  The response's HTTP response code
ip              string   Single IPv4 (ip:198.51.100.128), single IPv6 (ip:2001:0db8:1681:f16f:d4dc:a399:c00d:0225), IPv4 CIDR (ip:198.51.100.0/24), or IPv4 range (ip:198.51.100.0..198.51.100.255)
method          string   HTTP method, example: GET, POST
path            string   Request URL path, does not include query parameters
payload         string   The data that triggered a signal, i.e. the attack value
protocol        string   HTTP request protocol, typically HTTP/1.1 or HTTP/1.0
responsemillis  integer  HTTP response time in milliseconds
remotehost      string   Remote hostname (remotehost:www.example.com) or subdomain match (remotehost:~example.com)
server          string   Requested server name in the HTTP request, example: "example.com" for http://example.com/name
tag             string   A particular signal on a request, example: SQLI, XSS, etc.
target          string   server + path
sort            string   Sort with time-asc (oldest first) or time-desc (most recent first)
until           time     Filter output to requests before a particular date
useragent       string   The request's user agent (browser)