
Query Language

Matthias Vallentin edited this page Jul 3, 2015 · 8 revisions

VAST's query language currently supports boolean expressions consisting of conjunctions (&&), disjunctions (||), and negations (!). The operands of these operations are either predicates or further sub-expressions.

Predicates

A predicate has the form LHS op RHS. Left-hand side (LHS) and right-hand side (RHS) have a type. The relational operator op defines which operand types are compatible with each other. An operand is either an extractor or data.

Extractors

An extractor retrieves a certain aspect of an event:

  1. time: &time extracts the event timestamp and requires an RHS of type time_point.
  2. event: &name extracts the event name and requires an RHS of type string.
  3. type: :T extracts every event argument of type T, regardless of which event it belongs to.
  4. schema: x[.y.z] refers to an event type or field name as defined in the schema.

Operators

  1. <
  2. <=
  3. >=
  4. ==
  5. !=
  6. in
  7. !in
  8. ni
  9. !ni
  10. ~
  11. !~

Data

A data operand is a fixed constant parsed according to the data grammar.

Extractors

Type

VAST comes with the following type extractors:

  • :bool
  • :count
  • :int
  • :real
  • :duration
  • :time
  • :string
  • :pattern
  • :addr
  • :subnet
  • :port

Examples

  • &name == "bro::conn"
  • &time > now - 2d && :string == "http" && (:addr in 192.168.0.0/24 || :addr == 127.0.0.1)
  • conn.ts < 2014-04-04 && "evil" in user_agent
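As an added example (not VAST's own parser), the following Python script shows how the grammar above fits together: it tokenizes a query, parses `!`, `&&`, `||` and parentheses into a nested-tuple AST, rejects unknown type extractors against the list above, and labels each operand as a time, event, type or schema extractor or as data. Assumptions not stated on the page: `!` binds tighter than `&&`, which binds tighter than `||`; a bare dotted identifier is a schema extractor; and `>` is accepted because the examples above use it even though the operator list omits it.

```python
import re

# Added example, not VAST's own code. Assumed precedence (page states none): '!'
# over '&&' over '||'. '>' is accepted since the page's examples use it.
TOKEN_RE = re.compile(r'''\s*(?:(?P<logic>&&|\|\|)|(?P<paren>[()])
    |(?P<op><=|>=|==|!=|!~|<|>|~|(?:!in|!ni|in|ni)(?!\S))|(?P<not>!)
    |(?P<str>"[^"]*")|(?P<word>[^\s()"=<>!~]+)|(?P<bad>\S))''', re.VERBOSE)
TYPES = "bool count int real duration time string pattern addr subnet port".split()
def tokenize(text):
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(text)]
    if any(k == "bad" for k, _ in toks): raise SyntaxError("unexpected character in query")
    return toks
def classify(operand):                     # extractor kind of an operand, or 'data'
    if operand in ("&time", "&name"): return "time" if operand == "&time" else "event"
    if operand.startswith(":") and operand[1:] in TYPES: return "type"
    if operand.startswith(":"): raise SyntaxError("unknown type extractor " + operand)
    # Assumption: a bare dotted identifier is a schema extractor x[.y.z]; the rest is data
    return "schema" if re.match(r"[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$", operand) else "data"

class Parser:
    def __init__(self, text): self.toks, self.i = tokenize(text), 0
    def peek(self, kind, value=None):      # next token has this kind (and value, if given)?
        return (self.i < len(self.toks) and self.toks[self.i][0] == kind
                and value in (None, self.toks[self.i][1]))
    def take(self): self.i += 1; return self.toks[self.i - 1][1]
    def chain(self, op, sub):              # sub (op sub)*, left-associative
        node = sub()
        while self.peek("logic", op): self.take(); node = (op, node, sub())
        return node
    def expression(self): return self.chain("||", lambda: self.chain("&&", self.term))
    def term(self):                        # '!' term | '(' expression ')' | predicate
        if self.peek("not"): self.take(); return ("!", self.term())
        if not self.peek("paren", "("): return self.predicate()
        self.take(); node = self.expression()
        if not self.peek("paren", ")"): raise SyntaxError("expected ')'")
        self.take(); return node
    def operand(self):                     # adjacent word/string tokens form one operand
        parts = []
        while self.peek("word") or self.peek("str"): parts.append(self.take())
        if not parts: raise SyntaxError("missing operand at token %d" % self.i)
        return " ".join(parts)             # e.g. 'now', '-', '2d' -> 'now - 2d'
    def predicate(self):                   # operand op operand
        lhs = self.operand()
        if not self.peek("op"): raise SyntaxError("expected operator after " + lhs)
        op, rhs = self.take(), self.operand()
        return ("pred", (classify(lhs), lhs), op, (classify(rhs), rhs))

def parse(text):                           # parse a whole query into a nested-tuple AST
    p = Parser(text); node = p.expression()
    if p.i != len(p.toks): raise SyntaxError("unexpected token " + p.toks[p.i][1])
    return node
```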