Advanced Query Examples
You can construct more sophisticated queries using functions and set operations.
SIQL functions return a single value type for a given attribute or stanza. For a list of SIQL functions, refer to Functions.
Set operations are a group of defined operators used in SIQL queries to evaluate data in relation to a stanza attribute. For more on set operations, refer to Comparison Operators.
Example 1
This example uses a set operator to find all rules across all devices with a source within the .20 network.
rule{source IS SUBSET OF '192.168.20.0/24'}
The stanza is rule. Notice that there is no device filter before the rule filter. This is so we can search all devices that could have rules where the source is within 192.168.20.0/24.
The attribute is source.
The operator is the set operator IS SUBSET OF. In this example, the operator indicates that the source attribute must have a network address within the argument '192.168.20.0/24'.
Example 2
This example uses a function to return usage analysis results.
Let's say we want to find all rules with a source in the .20 network that have had more than 500 hits in the last 30 days. We would edit our query in Example 1 to look like this.
rule{source IS SUBSET OF '192.168.20.0/24' and usage(date('last 30 days')).count > 500}
The query still consists of one filter. We added the function usage(dateFunction).count to the filter. Then we added > 500 to indicate that the function should return results only if the hits to those rules were greater than 500.
Example 3
In this example, we want to see the specific rules that are unused on all licensed devices with unused rules, not merely a count of the number of rules.
device{active=true} AND rule{lastUseDate is NULL}
By removing the count('rule').byDevice function, which counted the number of unused rules and grouped the results into counts by device, the results now show the unused rules themselves on each device.
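To make the semantics of the three queries above concrete, here is a small Python model of them run over constructed rule records. This is an added example, not FireMon code or the SIQL engine; the record layout, field names and sample values are assumptions, and the point is the subset test (overlap alone does not qualify), the usage window, and the NULL lastUseDate check.

```python
"""Added example (not FireMon's code): a Python model of the three SIQL
filters discussed above, evaluated on constructed rule records.
Field names and all record values are assumptions for illustration."""
from datetime import date, timedelta
from ipaddress import ip_network

TODAY = date(2024, 6, 30)  # fixed "today" so the usage window is reproducible

# Constructed sample data: two active devices plus one inactive (unlicensed) one.
RULES = [
    {"device": "fw1", "active": True, "name": "allow-web",
     "sources": ["192.168.20.0/25", "192.168.20.128/25"],   # both inside .20/24
     "hits": {TODAY - timedelta(days=d): 30 for d in range(20)},  # 600 hits, recent
     "last_use": TODAY - timedelta(days=1)},
    {"device": "fw1", "active": True, "name": "allow-db",
     "sources": ["192.168.20.10/32"],
     "hits": {TODAY - timedelta(days=40): 900},              # busy, but outside 30 days
     "last_use": TODAY - timedelta(days=40)},
    {"device": "fw2", "active": True, "name": "legacy-any",
     "sources": ["192.168.0.0/16"],   # overlaps .20/24 but is NOT a subset of it
     "hits": {}, "last_use": None},
    {"device": "fw3", "active": False, "name": "decom-rule",
     "sources": ["10.0.0.0/8"], "hits": {}, "last_use": None},
]

def is_subset_of(sources, network):
    """source IS SUBSET OF 'network': every source range must lie entirely
    inside the argument network; a merely overlapping range does not match."""
    target = ip_network(network)
    return all(ip_network(s).subnet_of(target) for s in sources)

def usage_count(rule, days):
    """usage(date('last N days')).count: hits recorded inside the window."""
    cutoff = TODAY - timedelta(days=days)
    return sum(n for day, n in rule["hits"].items() if day > cutoff)

def example1(rules):  # rule{source IS SUBSET OF '192.168.20.0/24'}
    return [r["name"] for r in rules if is_subset_of(r["sources"], "192.168.20.0/24")]

def example2(rules):  # ... and usage(date('last 30 days')).count > 500
    return [r["name"] for r in rules
            if is_subset_of(r["sources"], "192.168.20.0/24") and usage_count(r, 30) > 500]

def example3(rules):  # device{active=true} AND rule{lastUseDate is NULL}
    return [(r["device"], r["name"]) for r in rules if r["active"] and r["last_use"] is None]
```

Against this data, Example 1 returns allow-web and allow-db, Example 2 keeps only allow-web (allow-db's 900 hits fall outside the 30-day window), and Example 3 returns legacy-any on fw2 while skipping the inactive fw3.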