Query Language

Matthias Vallentin edited this page Jul 3, 2015 · 8 revisions

VAST's query language currently supports boolean expressions consisting of conjunctions (&&), disjunctions (||), and negations (!). The operands of these operations are either predicates or further sub-expressions.

Predicates

A predicate has the form LHS op RHS. Left-hand side (LHS) and right-hand side (RHS) have a type. The relational operator op defines which operand types are compatible with each other. An operand is either an extractor or data.

Extractors

An extractor retrieves a certain aspect of an event:

  1. time: &time extracts the event timestamp and requires an RHS of type time_point.
  2. event: &name extracts the event name and requires an RHS of type string.
  3. type: :T extracts any event argument having type T in any event.
  4. schema: x[.y.z] describes the event type or field names according to the schema.

Operators

  1. <
  2. <=
  3. >=
  4. ==
  5. !=
  6. in
  7. !in
  8. ni
  9. !ni
  10. ~
  11. !~

Data

A data operand is a fixed constant parsed according to the data grammar.

Extractors

Type

VAST comes with the following type extractors:

  • :bool
  • :count
  • :int
  • :real
  • :duration
  • :time
  • :string
  • :pattern
  • :addr
  • :subnet
  • :port

Examples

  • &name == "bro::conn"
  • &time > now - 2d && :string == "http" && (:addr in 192.168.0.0/24 || :addr == 127.0.0.1)
  • conn.ts < 2014-04-04 && "evil" in user_agent
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.