Query Filter Syntax and Best Practices
How to construct queries for displaying analytics data
Overview
The Dashboard and Events Log pages display data based upon user queries. These queries are entered into the text box at the top of each page.
A query is essentially a filter; it instructs Reblaze which data should be displayed, with all other data excluded. Admins should understand the syntax of these filters, and how to create them.
The discussion below explains:
How to quickly and efficiently build filters to display the desired data
The syntax and operators available for this process
Filter structure
Individual filters include a field name, operator, and value. Example: status=200
Multiple filters can be combined; these are delimited with a comma, and evaluated with a logical AND. Example: status>=200,status<=299
Strings are encapsulated with double quotes. Regex can be used; see the examples in the Operators section below.
Quickly Creating a Filter
Simple filters can be entered directly into the query box. However, admins will frequently need to create complex filters, e.g. when investigating attacks or trends.
For a full discussion and examples of how to use Reblaze's tools to investigate and explore traffic data (such as discovering anomalies, diagnosing False Positive alarms, and more), see this page: Understanding and Diagnosing Traffic Issues.
Reblaze provides the ability to build and add filters to the box automatically.
In the Dashboard or Events Log, admins can right-click on analytics data and then select "Show Matching" (to add an inclusionary filter) or "Hide Matching" (to add an exclusionary filter).
Afterwards, the filter string can be manually edited if desired.
Example 1: Dashboard
In this screenshot, the Dashboard is displaying all traffic data from a specific time period. The admin wishes to display only requests that originated from China and were blocked for a specific reason.
Going to the Top Metrics section at the bottom of the Dashboard, the admin finds the Countries list and right-clicks on China:
Selecting Show Matching
adds the appropriate filter to the query box:
Next, the admin goes to the Blocked & Monitored list, finds the blocking reason of interest, and right-clicks on it:
Selecting Show Matching
adds another filter to the query box:
... and running the query will then display the desired results.
Example 2: Events Log
The process described above could also be run from the Events Log, with only a few minor differences:
Since the Events Log does not contain a Top Metrics section, filters can be added when viewing specific events, and built from the individual event parameters of interest.
The
Show Matching
andHide Matching
filters will be created from the specific parameter that was clicked on. In the example below, selectingShow Matching
will create a filter to show all events with the Result ofBlocked by origin
.
Example 3: Manually Editing Filters
Sometimes it is necessary to manually edit filter strings after they are built.
When viewing the Events Log, sometimes it is difficult to find an event that includes the exact characteristics that are desired for the filter. In this situation, admins can build the filter from an event that is similar (thus allowing the system to construct the correct syntax and format automatically), and then edit it manually.
In other cases, the filter strings are too specific, because the admin wants something broader. This is especially true when building filters from Events Log entries, for example when selecting a Blocking Reason
or Monitoring
Reason. In these situations, the admin can create the filter, then edit it appropriately. For example, a specific instance of XSS will produce a filter that looks like this:
block_reason="Block - content filter xss[lvl3] - default contentfilter - [URI argument a==<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="https://example.com/";}</script>]
This can be edited to show all requests blocked for XSS:
block_reason~"xss"
Query Operators and Examples
=
Equals (exact and full match.)
reason=“ACL”
only matches requests when reason
exactly equals ACL
.
String Number Boolean Date/Time
method=“GET”
reason=“ACL”
country="United States" blocked=true status=300
!=
Does not equal (doesn't match exactly).
reason!=“ACL”
only matches requests when reason
does not exactly equal ACL
.
String Number Boolean Date/Time
status!=200 reason!=“ACL”
~
Contains (i.e., partial match).
reason~“ACL”
only matches requests when reason
contains ACL
.
String
method~“GET” reason~“ACL”
!~
Does not contain (no partial match was found).
reason!~“ACL”
only matches requests when reason
does not contain ACL
.
String
method!~“GET” reason!~“ACL”
~=
Regex match
Regex
method~=“^(GET|POST|METHOD)$”
!~=
No Regex match
Regex
method!~=“^(GET|POST|METHOD)$”
header[key] cookie[key] argument[key]
Header, cookie, or argument has the key with specified value.
header[~“arg1”]=“foo”
only matches requests with a header key that contains arg1
and value that exactly equals foo
.
String
Exact match in key: header[=“arg1”]=“foo”
Contained in key: header[~“arg1”]=“foo”
Regex in key: header[~=“arg1”]=“foo”
>
Greater than
Number
status>399
<
Less than
Number
status<400
>=
Greater than or equal to
Number
status>=300
<=
Less than or equal to
Number
status<=399
in
In: Request has a field within the specified values
Number String
status in (200,201,203)
between
Between: Request has a field with a value equal to or between the two given values
Number and number, or Date/time and Date/time
status between 200 and 299
Last updated