Advanced search options

Use the Advanced Search field to enter an Ariel Query Language (AQL) that specifies the fields that you want and how you want to group them to run a query.

Note: When you type an AQL query, use single quotation marks around string literals in a comparison, and use double quotation marks around a property (field) name in a comparison.
Attention: The XFORCE_IP_CONFIDENCE function does not work in AQL advanced searches in languages other than English.

The Advanced Search field has auto completion and syntax highlighting to help you build queries. For information about supported web browsers, see Supported web browsers.

Note: If you use a quick filter on the Log Activity tab, you must refresh your browser window before you run an advanced search.

Accessing Advanced Search

Access the Advanced Search option from the Search toolbar that is on the Network Activity and Log Activity tabs to type an AQL query.

Select Advanced Search from the list box on the Search toolbar.

Expand the Advanced Search field by following these steps:
  1. Drag the expand icon that is at the right of the field.
  2. Press Shift + Enter to go to the next line.
  3. Press Enter.

You can right-click any value in the search result and filter on that value.

Double-click any row in the search result to see more detail.

All searches, including AQL searches, are included in the audit log.

AQL search string examples

The following table provides examples of AQL search strings.

Table 1. Examples of AQL search strings

Select default columns from events.
  SELECT * FROM events

Select default columns from flows.
  SELECT * FROM flows

Select specific columns.
  SELECT sourceip, destinationip FROM events

Select specific columns and order the results.
  SELECT sourceip, destinationip FROM events ORDER BY destinationip

Run an aggregated search query.
  SELECT sourceip, SUM(magnitude) AS magsum FROM events GROUP BY sourceip

Run a function call in a SELECT clause.
  SELECT CATEGORYNAME(category) AS namedCategory FROM events

Filter the search results by using a WHERE clause.
  SELECT CATEGORYNAME(category) AS namedCategory, magnitude FROM events WHERE magnitude > 1

Search for events that triggered a specific rule, based on the rule name or partial text in the rule name.
  SELECT LOGSOURCENAME(logsourceid), * FROM events WHERE RULENAME(creeventlist) ILIKE '%suspicious%'

Reference field names that contain special characters, such as arithmetic characters or spaces, by enclosing the field name in double quotation marks.
  SELECT sourceip, destinationip, "+field/name+" FROM events WHERE "+field/name+" LIKE '%test%'
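The quoting rules above (double quotation marks around field names with special characters, single quotation marks around string values) matter most when a script assembles an AQL string from analyst-supplied input. The following helper is an added example, not code from the IBM documentation; the operator allow-list and the refusal of values that contain a single quotation mark are this example's own choices, since the page documents no escape sequence for that case.

```python
import re

# Bare field names are allowed only for plain identifiers; anything with spaces
# or arithmetic characters (such as +field/name+) gets double quotation marks.
_PLAIN_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Comparison operators this helper is willing to emit (assumption: a subset of
# what the AQL guide supports).
_OPERATORS = {"=", "!=", "<", ">", "<=", ">=", "LIKE", "ILIKE"}


def quote_field(name: str) -> str:
    """Return an AQL field reference: bare if plain, otherwise double-quoted."""
    if _PLAIN_FIELD.match(name):
        return name
    if '"' in name or "\n" in name:
        raise ValueError(f"unsupported character in field name: {name!r}")
    return f'"{name}"'


def quote_value(value) -> str:
    """Return an AQL literal: numbers bare, strings in single quotation marks.

    A string that contains a single quotation mark is refused rather than
    spliced into the query, where it could terminate the literal early.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return repr(value)
    if "'" in value or "\n" in value:
        raise ValueError(f"unsupported character in string value: {value!r}")
    return f"'{value}'"


def build_event_search(fields, where=(), order_by=None) -> str:
    """Assemble SELECT ... FROM events [WHERE ...] [ORDER BY ...].

    fields: list of field names ("*" selects the default columns);
    where: iterable of (field, operator, value) tuples, joined with AND.
    """
    select = ", ".join("*" if f == "*" else quote_field(f) for f in fields)
    query = f"SELECT {select} FROM events"
    clauses = []
    for field, op, value in where:
        if op.upper() not in _OPERATORS:
            raise ValueError(f"operator not allowed: {op!r}")
        clauses.append(f"{quote_field(field)} {op.upper()} {quote_value(value)}")
    if clauses:
        query += " WHERE " + " AND ".join(clauses)
    if order_by:
        query += f" ORDER BY {quote_field(order_by)}"
    return query
```

Running `build_event_search(["sourceip", "destinationip", "+field/name+"], where=[("+field/name+", "LIKE", "%test%")])` reproduces the last query in Table 1 character for character.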
The following table provides examples of AQL search strings for X-Force®.

Table 2. Examples of AQL search strings for X-Force

Check an IP address against an X-Force category with a confidence value.
  SELECT * FROM events WHERE XFORCE_IP_CONFIDENCE('Spam', sourceip) > 3

Search for X-Force URL categories that are associated with a URL.
  SELECT url, XFORCE_URL_CATEGORY(url) AS myCategories FROM events WHERE XFORCE_URL_CATEGORY(url) IS NOT NULL

Retrieve X-Force IP categories that are associated with an IP address.
  SELECT sourceip, XFORCE_IP_CATEGORY(sourceip) AS IPcategories FROM events WHERE XFORCE_IP_CATEGORY(sourceip) IS NOT NULL

For more information about functions, search fields, and operators, see the Ariel Query Language guide.