Filter syntax
To limit the results that are returned in an API retrieval request (HTTP GET), most IBM® QRadar® API endpoints that return lists of resources support the filter parameter.
The filter parameter syntax is consistent for all endpoints that support it. Refer to the documentation for the endpoint to determine whether the filter parameter applies to it. Any limitations for the filter syntax are included in that endpoint's description. Query parameters must be double URL encoded before they are sent.
Comparison Operators
The filter comparison operators table describes the comparison operators that you can use as part of the filter parameter.
Operator | Description | Example Filter Syntax |
---|---|---|
= |
Equality between the identifier and the specified value returned. | To find offenses where status=CLOSED , use the following
syntax:
|
> |
Identifier is greater than the specified value. | To find offenses where credibility > 3 , use the
following syntax:
|
< |
Identifier is less than the specified value. | To find offenses where magnitude < 9 , use the
following syntax:
|
<= |
Identifier is less than or equal to the specified value. | To find offenses where id <= 1004 , use the following
syntax:
|
>= | Identifier is greater than or equal to the specified value. | To find offenses where
|
|
Identifier is not equal to the specified value. | The following examples filter all IDs that are not equal to 5:
|
in |
Identifier is equal to at least one of the specified values in the list. | Syntax: id in (1001,1111,1200) Example:
|
not in |
Identifier is not equal to any of the specified values in the list. | Syntax: id not in (1001,1002,1003) :Example:
|
between … and … |
Identifier is between two specified values. | Syntax: id between 0 and 3 :Example:
|
not between … and … |
Identifier is not between two specified values. | Syntax: id not between 30 and 31 :Example:
|
is null |
Identifier is null. | Syntax: assigned_to is null :Example:
|
is not null |
Identifier is not null. | Syntax: assigned_to is not null :Example:
|
Null values and comparison operators
When the field that you filtered on has a 'null' value, comparison operators behave in the following ways:
- "=", ">", ">=", "<", "<=", "IN", and "BETWEEN" operators always return false.
- "!=", "<>", "^=", "NOT BETWEEN", and "NOT IN" always return true.
The best way to test for null values is to use the "is null" or "is not null" operators.
Logical operators
Use the logical operators OR, AND, and NOT to perform logical operations on subexpressions. The following table provides examples of how to use logical operators in filters.
Operator | Description | Example |
---|---|---|
or |
Performs a logical OR operation on the two subexpressions. The subexpressions might be comparison nodes or other logical nodes. | assigned_to is not null OR id =
111 :
|
and |
Performs a logical AND operation on the two subexpressions. The subexpressions might be comparison nodes or other logical nodes. | assigned_to is not null AND id =
111 :
|
not |
Performs a logical NOT operation on the subexpression. | protected =true and not id in
(111,112,113)
|
Specifying JSON fields for comparisons
The following table explains how to specify JSON fields for use with comparison operators in filters.
JSON field example | Description | Example |
---|---|---|
|
When you apply a filter to a field directly in the object that is returned, the field is specified by name. |
|
|
When you apply a filter to a field nested inside a sub object, use brackets to specify the inner field. |
|
|
For simple JSON types where no field label exists, such as strings, numbers, or Boolean, use
the . operator. |
|
Specifying string and numeric values in filters
When you filter on strings that have values with non-alphanumeric characters, you must wrap the target string in quotation marks. When you filter on numeric values, the numeric values can follow these conditions:
- Start with a leading + or - sign.
- Contain or start with a decimal point.
- Include an exponent by using e notation.
Filtering complex objects by using the CONTAINS operator
You filter complex objects by using the CONTAINS operator. You use the CONTAINS operator to test the contents of lists or maps. On the left side of the operator, is an identifier that is in the standard format, for example x(y(z)). The identifier must refer to an element that is a list, map, or collection. On the right side of the operator is an expression that specifies how the objects in the list must be matched. There are two basic use cases for using the CONTAINS operator:
- The list that is examined contains simple elements like strings or numbers.
- The list contains complex objects.
- Lists that contain simple types
- For lists that contain simple types such as strings or numbers, the expression is a value of the same type. For single comparisons, no brackets are required.
- Lists that contain complex objects
For lists that contain complex objects, the expression is a complete filter expression for the objects within the list. This subfilter expression uses the same syntax as any other filter. You can use any operator in the subfilter to test sublists inside the original list. Identifiers in this expression are relative to the objects in the list that the CONTAINS operator is operating on. In complex subfilter expressions, brackets are required.
The LIKE operator
Use the LIKE operator to retrieve partial string matches.
The LIKE operator uses the following format: identifier like "expression"
.
Quotation marks around the expression are mandatory. Single and double quotation marks are
supported. The LIKE keyword does case-sensitive matching.
The following wildcard characters are supported. If you use wildcard characters in a string, you must escape them.
Wildcard character | Description |
---|---|
% | Matches a string of zero or more characters |
_ | Matches any single character |
GET /path/to/api
[
{
"hostname": "server.domain1"
},
{
"hostname": "server.domain2"
},
{
"hostname": "SERVER.domain"
},
{
"hostname": "server.DOMAIN"
}
]
You can combine the wildcard characters in the same expression. For example, to find servers in
domain1 or domain2, use the expression: hostname
LIKE "%.domain_"
.
GET /path/to/api?filter=hostname%20LIKE%20%22%25.domain_%22
[
{
"hostname": "server.domain1"
},
{
"hostname": "server.domain2"
}
]
Notice that SERVER.domain is not returned, because the underscore (_) has no matching trailing character.
The ILIKE operator
Use the ILIKE operator to retrieve case-insensitive partial string matches.
GET /path/to/api
[
{
"hostname": "server.domain1"
},
{
"hostname": "server.domain2"
},
{
"hostname": "SERVER.domain"
},
{
"hostname": "server.DOMAIN"
}
]
hostname ILIKE "server.domain"
produces the following
collection of
data:GET /path/to/api?filter=hostname%20ILIKE%20%22server.domain%22'
[
{
"hostname": "SERVER.domain"
},
{
"hostname": "server.DOMAIN"
}
]