Compound Query Examples
In this topic, we'll look at two compound query examples.
Compound Query Example 1
In this example, we filter the results from the simple query example to return more specific results. Let's say we want to find all rules that drop traffic on the device with the IP address of 192.168.20.1.
Using the filter from the first query, we can add a second filter to give us the following query.
device{managementIp='192.168.20.1'} and rule{action EQUALS 'DROP'}
- The stanza for the second filter is rule, which indicates that we want to find additional information for a rule. Note that the filter for rule follows the filter for device because rule is lower in the stanza hierarchy than device.
- The attribute is action. The word 'action' is the name of a field in the rule stanza.
- The operator is EQUALS.
- The argument is DROP, which indicates that the value in the database for the action field must be "DROP." In this query, we want to find only rules with the DROP action, so if no rules have a DROP action, the search will return zero results.
Note: DROP is a set attribute type value. Set attribute type values are case-sensitive.
- The single quotes ' ' enclose the string argument that we are looking for in a field, which is DROP in this case. The curly brackets {} enclose the expression action EQUALS 'DROP'.
- The and operator, which appears between the two filters, indicates that the result must match both filters. The device IP address must be 192.168.20.1, and the rule action must be "DROP".
Compound Query Example 2
In this example, let's further refine Compound Query Example 1. Let's find all rules on the device at 192.168.20.1 that drop traffic and that have "Any" as the service. To do so, we add a second expression to the rule filter. The attribute is service.any, and the argument is true.
device{managementIp='192.168.20.1'} and rule{action EQUALS 'DROP' and service.any EQUALS true}
- The attribute and argument indicate that in the rule stanza, we are looking for rules that drop traffic and have "any" as a service. Because services are used at the rule level, you can assume that the service.any attribute is stored within the rule stanza. To see the list of attributes for each stanza, refer to the Stanzas topic.
- You may have noticed that the argument for service.any is different from any argument used in an example so far. That's because the service.any field accepts only Boolean values: true or false. Because of this, when querying a field that is a Boolean data type, you must use a Boolean argument: true or false.
Note: Single quotes are not required around Boolean arguments.
- The operator is EQUALS. It indicates that the argument for the attribute must have a matching value of "true" in the database.
- The and operator indicates that both expressions in the rule filter must match in order for results to return.
- This query returns only rules on the device at 192.168.20.1 that drop traffic and have a service of "Any." If the rules do not match the parameters in both filters, no results will be displayed.