Query language#
SnoozeWeb has its own built-in query language to search alerts and other objects in the database from the web interface search bar.
Word search#
The basic search will perform a word search.
myword
Field search#
Types#
The perform a strict equality on a field:
host = myhost01
It’s possible to use strings by quoting them when they contain
special characters. Single quotes and double quotes supported.
Special characters can be escaped with \\
when using quotes.
host = "myhost01"
> Note: Only expressions composed of alphanumerics, _
, -
and .
are
> supported when omitting quotes.
Integer and floats are also supported:
pid = 12345
x = 3.14
Booleans literals true
and false
are also supported (case insensitive).
When needed, fields can also be written with string escapes:
"my field" = "my value"
Arrays and dictionary are represented like in JSON, except the fields of dictionary that support the unquoted syntax:
myarray = [1, 2, 3]
mydict = {mymessage: x, mynumber: 123}
Fields support nested queries using .:
myarray.0 = 1
mydict.mymessage = "x"
Field keys with a dot in the name are unsupported (they won’t appear in the search), this is due to the limitation of the backend database (MongoDB).
Comparison operators#
The following operations are supported for fields:
=
: Exact match!=
: Not equals~
orMATCHES
: Regex search?
orEXISTS
: Field existence (field?
orfield EXISTS
)>
: Greater than<
: Lower thanin
: Check if a value exists in a list ("myrule" in rules
). The element on the right should be a field name.Arrays are supported, and it will return if the field contains at least one element (
[1, 2, 3] in myarray
equivalent to1 in myarray | 2 in myarray | 3 in myarray
)
contains
: Same asin
, with reverse syntax (rules contains "myrule"
).
Example usage:
host = myhost01
process != systemd
message ~ "[Aa]lert"
message MATCHES "[aA]lert"
custom_field?
custom_field EXISTS
x > 10
y < 3.14
"myrule01" in rules
rules contains "myrule01"
[1,2,3] in myarray
myarray contains [1,2,3]
Logic#
Basic boolean logic is supported. Note that none of the keyword is case sensitive. Parenthesis are supported.
And#
The “AND” operation is implicit.
host=myhost01 process=systemd
Explicit “AND” is also supported like so:
host=myhost01 and process=systemd
The & character is also accepted:
host=myhost01 & process=systemd
Or#
The “OR” boolean operation is explicit:
host=myhost01 or host=myhost02
The | character is also accepted:
host=myhost01 | host=myhost02
Not#
The revert the result of a condition, NOT can be used.
not process=systemd
The character ! is also supported:
!process=systemd
Limitations#
The
in
keyword support queries in the backend, but this is not supported bu the query parser (i.e.type=Postfix in relays
)The parser rarely error, thus invalid syntax might still be interpreted without proper feedback.