Query
Table Of Contents
Overview
Before You Start
Running Queries in the Web Console
Query Types
Query Syntax
General Commands
Parameters
set
setq
Data Source
csvfile
fulltext
json
jsonfile
load
logger
pcapfile
remote
result
stream
table
textfile
xmlfile
zipfile
Data Processing
alertmsg
auditmsg
boxplot
bypass
cube
curvefit
decodedhcp
decodedns
decodehttp
decodesflow
eval
evalc
explode
fields
flowsearch
groovy
limit
mpsearch
order
parallel
parse
parsecsv
parsejson
parsekv
parsemap
parsexml
pcapdecode
pcapreplay
pivot
prev
rename
repeat
rex
rollup
search
serial
signature
sort
stats
timechart
tojson
Data Mapping
lookup
lookuptable
memlookup
nslookup
Data Loading
drop
import
insert
outputcsv
outputjson
outputpcap
outputtxt
sendmail
sendsyslog
Data Merging
join
streamjoin
union
Complex Event Processing
evtctxadd
evtctxdel
evtctxdrop
evtctxlist
Machine Learning
anomalies
forecast
kmeans
lof
rforest
stl
Procedure
proc
External System Integration
dbcall
dbload
dblookup
dboutput
dbquery
dbscript
ftp
hdfs
mongo
rss
sftp
wget
Sonar Commands
Events
alert
event
Assets
sonar-set-ip-address
Datasets
dataset
Threat Intelligence
matchfeed
node-feed
Behavior Profiles
behavior
matchbehavior
node-behavior
Address Groups
matchblackip
node-ip-blacklist
Subnet Groups
matchnet
node-subnet-group
Port Groups
matchport
node-port-group
Pattern Groups
matchsig
node-pattern-group
Forensic Commands
Windows Artifacts
evtx-file
hive-file
ntfs-logfile
ntfs-mft
ntfs-usnjrnl
reg-opensave-files
reg-recent-docs
reg-shellbags
reg-shim-cache
reg-user-assists
zipfile-entries
Linux Artifacts
linux-arp-entries
linux-connections
linux-cron-jobs
linux-env
linux-failed-logins
linux-hidden-files
linux-logins
linux-network-interfaces
linux-no-owner-files
linux-non-device-files
linux-open-files
linux-partitions
linux-pipes
linux-processes
linux-recent-files
linux-rkhunter
linux-routes
linux-setuid-files
linux-shell-sessions
linux-system-files
linux-shell-commands
linux-system-info
linux-systemd-services
linux-systemd-timers
linux-tmp-files
linux-users
linux-user-groups
linux-vmstats
Web Browser Artifacts
chrome-downloads
chrome-search-terms
chrome-visits
esedb-columns
esedb-records
esedb-tables
eml-file
firefox-downloads
firefox-visits
ie-cache-files
ie-cookies
ie-downloads
ie-visits
sqlite-records
sqlite-tables
System Commands
System Configuration
confdb
Log Collectors
system loggers
Tables and Data
system tables
system count
checktable
copytable
purge
system logdisk
system indexdisk
Lookup
system lookups
Queries
system queries
system streams
system ceptopics
system cepclocks
PCAP Devices
system pcapdevices
Sentries
system sentries
sentry-arp-cache
sentry-bundles
sentry-jstack
sentry-logger-configs
sentry-logger-connect
sentry-logger-create
sentry-logger-deploy
sentry-logger-disconnect
sentry-logger-remove
sentry-logger-set-interval
sentry-logger-set-schedule
sentry-logger-set-time-range
sentry-logger-start
sentry-logger-stop
sentry-loggers
sentry-netstat
sentry-processes
sentry-routing-table
sentry-top-threads
sentryswap
Threads
system threads
system topthreads
Federation Nodes
system nodes
License
system license-usages
Functions
Reference Functions
$()
field()
whoami()
Type Conversion Functions
array()
binary()
date()
dict()
double()
flatten()
foreach()
frombase64()
fromhex()
groups()
int()
ip()
long()
string()
tobase64()
tohex()
unique()
Type Checking Functions
isnum()
isnotnull()
isnull()
isstr()
typeof()
Conditional Functions
case()
if()
in()
match()
nvl()
String Functions
concat()
contains()
format()
guid()
indexof()
kvjoin()
lastindexof()
left()
len()
lower()
lpad()
replace()
reverseip()
right()
rpad()
split()
strjoin()
substr()
trim()
upper()
urldecode()
urlencode()
Numeric Functions
abs()
acos()
asin()
atan()
ceil()
cos()
exp()
floor()
log()
log10()
max()
min()
mod()
pow()
round()
seq()
sin()
sqrt()
tan()
Date Functions
ago()
dateadd()
datediff()
datepart()
daterange()
datetrunc()
epoch()
now()
IP Address Functions
ip2int()
ip2long()
long2ip()
network()
Encryption and Encoding Functions
decode()
decrypt()
encode()
encrypt()
hash()
rand()
randbytes()
Array Functions
flatten()
foreach()
subarray()
sumarray()
unique()
valueof()
CEP Functions
evtctxget()
evtctxgetvar()
evtctxsetvar()
Sonar Functions
matchbehavior()
matchblackip()
matchfeed()
matchnet()
matchport()
matchsig()
Aggregate Functions
array()
avg()
corr()
count()
cov()
dc()
estdc()
first()
last()
max()
min()
slope()
stddev()
sum()
values()
var()
Windows Event Log Files