Advanced Query Syntax
SIQL supports a large collection of advanced operators and functions to help you answer more complex questions. Advanced operators will help you compare sets of information, and functions will return actual values.
These advanced operators and functions can be added into simple and compound queries, or they can be used to create different filters in a query.
An example of a query with an advanced operator, two functions, and a pipe function appears below. The syntax of an advanced query will vary with the operators and functions you use.
stanza{attribute operator function('argument','argument')} and stanza{function} | function
- The attribute and argument indicate that in the rule stanza, we are looking for rules that drop traffic and have "any" as a service. Because services are used at the rule level, you can assume that the service.any attribute is stored within the rule stanza. To see the list of attributes for each stanza, refer to the Stanzas topic.
- You may have noticed that the argument for service.any is different from any argument used in an example so far. That's because the service.any field accepts only Boolean values: true or false. Because of this, when querying a field that is a Boolean data type, you must use a Boolean argument: true or false.
Note: Single quotes are not required around Boolean arguments.
- The operator is EQUALS. It indicates that the attribute must have a matching value of "true" in the database.
- A list of rules that meet the query parameters is the default output of all queries. You can use functions to return different results instead of a list of rules, such as counts or percentages. Functions are also required to run queries on usage analysis.
- The and operator indicates that both expressions in the rule filter must match in order for results to return.
- This query returns only rules on the device at 192.168.20.1 that drop traffic and have a source of "any." If a rule does not match the parameters in both filters, it is not displayed.
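To make the behaviour described in the bullets above concrete, the following added example (not part of the original documentation, and not FireMon's SIQL engine) is a small Python model of the query shape `stanza{attribute operator argument} and stanza{...} | function`. It evaluates such a query over a constructed list of rule records and shows three things the text states: a Boolean attribute such as service.any takes an unquoted true/false argument (a quoted 'true' is rejected), `and` requires every filter to match, and a pipe function such as count replaces the default rule list with a value. Only service.any, the drop action and the device address 192.168.20.1 come from the page; the attribute names `action`, `ip` and `name`, the `=` operator spelling, the `count` pipe function and all record data are assumptions made for the illustration.

```python
"""Toy evaluator for the query shape documented above.

Constructed illustration only: this is NOT the SIQL engine. It models a
stanza filter `stanza{attribute = argument}`, Boolean attributes that take an
unquoted true/false argument, the `and` conjunction that requires every filter
to match, and a `| count` pipe function that turns the rule list into a count.
"""
import re

# Constructed sample data (assumed field names other than service.any): each
# record is a rule tagged with the device it lives on.
RULES = [
    {"device.ip": "192.168.20.1", "rule.action": "drop",   "rule.service.any": True,  "rule.name": "deny-all"},
    {"device.ip": "192.168.20.1", "rule.action": "accept", "rule.service.any": True,  "rule.name": "allow-any"},
    {"device.ip": "192.168.20.1", "rule.action": "drop",   "rule.service.any": False, "rule.name": "deny-ssh"},
    {"device.ip": "10.0.0.5",     "rule.action": "drop",   "rule.service.any": True,  "rule.name": "other-dev"},
]

# stanza{...} blocks, and `attribute = argument` terms inside a block
FILTER_RE = re.compile(r"(\w+)\{([^}]*)\}")
TERM_RE = re.compile(r"([\w.]+)\s*=\s*('[^']*'|true|false)")


class QueryError(ValueError):
    """Raised when an argument's type does not match the attribute's type."""


def parse_argument(raw):
    # Quoted text is a string argument; bare true/false is a Boolean argument.
    if raw.startswith("'"):
        return raw[1:-1]
    return raw == "true"


def parse_query(query):
    """Return ([(stanza, attribute, argument), ...], pipe_function_or_None)."""
    body, _, pipe = query.partition("|")
    terms = []
    for stanza, inner in FILTER_RE.findall(body):
        for attr, raw in TERM_RE.findall(inner):
            terms.append((stanza, attr, parse_argument(raw)))
    return terms, pipe.strip() or None


def matches(rule, terms):
    # Every term, across all filters joined by `and`, must match.
    for stanza, attr, arg in terms:
        key = f"{stanza}.{attr}"
        if key not in rule:
            return False
        stored = rule[key]
        # A Boolean field must be queried with a Boolean argument and vice versa.
        if isinstance(stored, bool) != isinstance(arg, bool):
            kind = "Boolean" if isinstance(stored, bool) else "quoted"
            raise QueryError(f"{key} expects a {kind} argument")
        if stored != arg:
            return False
    return True


def run_query(query, rules=RULES):
    """Return the matching rule names, or the pipe function's value if one is given."""
    terms, pipe = parse_query(query)
    hits = [r for r in rules if matches(r, terms)]
    if pipe is None:
        return [r["rule.name"] for r in hits]  # default output: the list of rules
    if pipe == "count":
        return len(hits)
    raise QueryError(f"unknown pipe function {pipe!r}")


def query_is_well_typed(query, rules=RULES):
    """True when every argument's type matches its attribute, else False."""
    try:
        run_query(query, rules)
        return True
    except QueryError:
        return False


if __name__ == "__main__":
    q = "rule{action='drop' and service.any=true} and device{ip='192.168.20.1'}"
    print(run_query(q))              # ['deny-all']
    print(run_query(q + " | count"))  # 1
    print(query_is_well_typed("rule{service.any='true'}"))  # False: quoted Boolean
```

Running the module prints the single rule that satisfies both filters, the count produced by the pipe function, and the rejection of a quoted 'true' for the Boolean service.any field.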