Query DSL

A single syntax drives the Explore editor, Alert Triggers, and the /api/query endpoint. Splunk/Kibana-flavored, single-line, safe to paste into a URL.

Last updated · 2026-04-17

Overview

Queries are composed of predicates (field:value) combined with boolean operators (AND, OR, NOT) and parenthesized groups. Whitespace between predicates is an implicit AND.

tag:credential-stuffing AND fleet:core NOT country:US

Grammar

EBNF
expr       ::= or_expr
or_expr    ::= and_expr ("OR" and_expr)*
and_expr   ::= not_expr (("AND" | implicit) not_expr)*
not_expr   ::= "NOT" atom | atom
atom       ::= "(" expr ")" | predicate
predicate  ::= FIELD (":" | ":" OP) VALUE
OP         ::= "=" | "!=" | ">" | ">=" | "<" | "<=" | "~"
VALUE      ::= bareword | "(" csv ")" | quoted-string
csv        ::= bareword ("," bareword)*     (* list form, e.g. (RU,CN,NL) *)
implicit   ::= (* whitespace between two predicates or groups; read as AND *)

Fields

Field                   Type       Notes
ip                      string     IPv4 address
id                      string     Record ID (thr_…)
asn                     string     ASN number, e.g. AS14001
asn_name                string     ASN operator name
country                 string     ISO 3166-1 alpha-2
tag                     string[]   Behavioral tag; matches any element
fleet                   enum       core or mesh
confidence              number     0.0 to 1.0
first_seen, last_seen   time       Unix ms or relative (24h, 7d)
ja3, ja4                string     TLS fingerprints · paywalled
port                    number     Any sighting port
action                  enum       drop, rate_limit, monitor

Operators

Op       Meaning                           Example
=        Equals (default when omitted)     country:RU
!=       Not equal                         country:!=US
>, >=    Greater than (or equal)           confidence:>0.7
<, <=    Less than (or equal)              last_seen:<24h
~        Substring / contains              asn_name:~CHOOPA

Booleans & grouping

AND, OR, and NOT are case-insensitive. Parentheses override default precedence. Adjacent predicates without an operator are implicit AND.

(tag:mirai-variant OR tag:iot-botnet) AND NOT country:US
tag:credential-stuffing  fleet:core    # implicit AND

Values

Three value forms are accepted:

  • Bareword — anything without whitespace or parens: country:RU
  • Quoted — for values with spaces or special chars: asn_name:"Digital Ocean"
  • List — match any of several values: country:(RU,CN,NL)

Relative time

Time fields accept relative shortcuts ending in s, m, h, d or w (seconds, minutes, hours, days, weeks). They expand to a Unix ms timestamp relative to “now”, and the operator compares how far back the record falls: <24h means within the last 24 hours, >7d means more than 7 days ago.

last_seen:<24h          # last 24 hours
first_seen:>7d          # records first seen more than 7 days ago
last_seen:>=30m         # 30 minutes ago or older

Paywalled fields

ja3 and ja4 (TLS fingerprints) require a Pro key. A query that references either without one is rejected with the paywall error shown under Errors, which lists the offending fields in blocked_fields.

Examples

SSH bruteforce from specific ASN
tag:ssh-bruteforce AND asn_name:~CHOOPA
High-confidence recent activity
confidence:>=0.8 AND last_seen:<1h
IoT botnet outside a known region
(tag:mirai-variant OR tag:iot-botnet) NOT country:(US,CA,GB,DE)
Pro key: pivot by TLS fingerprint
ja4:~t13d0111h2 AND fleet:core

Errors

Parse errors are positional — the response includes the character offset of the offending token so an editor can underline it:

{
  "error": "invalid_query",
  "message": "Unknown field \"contry\"",
  "position": 0
}

Paywall errors carry a blocked_fields list so clients can show a targeted upgrade prompt:

{
  "error": "invalid_query",
  "message": "These fields require a Pro key: ja4",
  "blocked_fields": ["ja4"],
  "upgrade_url": "/pricing"
}
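The grammar and both error shapes above, implemented end to end as an added example (this is not the service's own code): a recursive-descent parser that tokenizes with character offsets, builds an AST, reports an unknown field at its position and collects paywalled fields into blocked_fields. The Pro-key flag, the token layout and the AST tuples are assumptions; relative-time expansion and query evaluation are out of scope.

```python
import re
# Fields and operators come from the tables above; the Pro-key flag, token shapes and AST layout are assumptions.
FIELDS = {"ip", "id", "asn", "asn_name", "country", "tag", "fleet", "confidence",
          "first_seen", "last_seen", "ja3", "ja4", "port", "action"}
PAYWALLED = {"ja3", "ja4"}
TOKEN = re.compile(  # predicate = field ":" [op] value, value = quoted | (csv) | bareword; else keyword or paren
    r'\s+|(?P<lp>\()|(?P<rp>\))|(?P<pred>(?P<field>[A-Za-z_]\w*):(?P<op>!=|>=|<=|[=<>~])?'
    r'(?P<val>"(?:[^"\\]|\\.)*"|\([^()]*\)|[^\s()]+))|(?P<kw>[A-Za-z]+)')
class QueryError(Exception): pass  # .args[0] is the JSON error body a client would receive
def fail(message, position=None, blocked=()):  # positional for parse errors, blocked_fields for paywall
    extra = {"position": position} if not blocked else {"blocked_fields": sorted(blocked), "upgrade_url": "/pricing"}
    raise QueryError({"error": "invalid_query", "message": message, **extra})

def parse(src, pro=False):  # recursive descent over the EBNF: or_expr > and_expr > not_expr/atom
    toks, pos, blocked = [], 0, set()
    while pos < len(src):  # tokenize, keeping each token's character offset for positional errors
        m = TOKEN.match(src, pos) or fail(f"Unexpected character {src[pos]!r}", pos)
        if m.lastgroup:  # whitespace sets no group; AND/OR/NOT are case-insensitive, so keywords are upper-cased
            toks.append((m.lastgroup, (m["field"], m["op"] or "=", m["val"]) if m["pred"] else m.group().upper(), m.start()))
        pos = m.end()
    toks.append(("eof", None, len(src)))
    head = lambda: toks[0][1] if toks[0][0] == "kw" else toks[0][0]  # "AND"/"OR"/"NOT"/"pred"/"lp"/"rp"/"eof"
    def chain(op, kw, sub, implicit=()):  # kw-separated sequence of sub(); heads in `implicit` also mean AND
        left = sub()
        while head() == kw or head() in implicit:
            if head() == kw: toks.pop(0)
            left = (op, left, sub())
        return left
    and_expr = lambda: chain("and", "AND", atom, ("NOT", "pred", "lp"))
    or_expr = lambda: chain("or", "OR", and_expr)
    def atom():  # not_expr and atom folded together: "NOT" atom | "(" expr ")" | predicate
        kind, val, at = toks[0]
        if head() == "NOT": toks.pop(0); return ("not", atom())
        if kind == "lp":
            toks.pop(0); inner = or_expr(); head() == "rp" or fail("Expected ')'", toks[0][2])
            toks.pop(0); return inner
        if kind != "pred": fail("Expected a predicate or '('", at)
        field, op, raw = toks.pop(0)[1]
        if field not in FIELDS: fail(f'Unknown field "{field}"', at)
        if field in PAYWALLED and not pro: blocked.add(field)  # reported once the whole query parses
        value = raw[1:-1].split(",") if raw[0] == "(" else raw[1:-1] if raw[0] == '"' else raw
        return ("pred", field, op, value)
    tree = or_expr()
    if head() != "eof": fail(f"Unexpected {toks[0][1]!r}", toks[0][2])
    if blocked: fail("These fields require a Pro key: " + ", ".join(sorted(blocked)), blocked=blocked)
    return tree

def query(src, pro=False):  # {"ast": tree} on success, otherwise the documented error body
    try: return {"ast": parse(src, pro)}
    except QueryError as e: return e.args[0]
```

query("contry:RU") returns the first error body shown above; query("ja4:~t13d0111h2 AND fleet:core") returns the second, and with pro=True returns the AST instead.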