New addition to our Search Language - IN keyword

We wanted to give you a simple and easy way to search through a list of values in your logs.

A real-life use case would be searching through your firewall logs.

Original query:

    where(connection_status=/accept/i AND direction!=/outbound/i AND
    source_address!=/10\..*|127\..*|172\.(1[6-9]|2[0-9]|3[01])\..*|192\.168\..*/ AND
    destination_port=/3389|5938|5900/) groupby(geoip_country_name) limit(1000)

The new equivalent query with the list will:

  • Simply enumerate your private IP addresses and ports
  • Remove the need to use regex for sub-net checking
  • Operate on IP addresses and numeric ports rather than strings
  • Remove the need to specify the key each time

    where(connection_status=/accept/i AND direction!=/outbound/i AND
    source_address NOT IN [IP(10.0.0.0/8), IP(127.0.0.0/8), IP(172.16.0.0/12), IP(192.168.0.0/16)] AND
    destination_port IN [3389, 5938, 5900]) groupby(geoip_country_name) limit(1000)

Let us know what you think :slight_smile:


15 Likes
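The Python script below is an added example, not part of the post or of the search language itself. It models the two filters from the post over a handful of constructed firewall events: the regex form compares strings, the list form compares `ipaddress` network objects and integer ports. Treating each regex comparison as a whole-value match is an assumption, since the post does not say how the search language anchors regexes. The `is_private` helper also shows why the prefix length in the `IP(...)` entries matters: `10.0.0.0/24` covers only 256 addresses of the `10/8` block that the regex `10\..*` excludes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall events (not taken from the original post).
EVENTS = [
    {"connection_status": "ACCEPT", "direction": "inbound",  "source_address": "203.0.113.7",  "destination_port": 3389, "geoip_country_name": "Netherlands"},
    {"connection_status": "accept", "direction": "Inbound",  "source_address": "198.51.100.9", "destination_port": 5900, "geoip_country_name": "Brazil"},
    {"connection_status": "accept", "direction": "inbound",  "source_address": "10.20.30.40",  "destination_port": 3389, "geoip_country_name": "United States"},  # private (10/8): excluded
    {"connection_status": "accept", "direction": "inbound",  "source_address": "172.31.5.5",   "destination_port": 5938, "geoip_country_name": "United States"},  # private (172.16/12): excluded
    {"connection_status": "accept", "direction": "inbound",  "source_address": "172.32.0.1",   "destination_port": 5938, "geoip_country_name": "Germany"},        # outside 172.16/12: kept
    {"connection_status": "deny",   "direction": "inbound",  "source_address": "203.0.113.8",  "destination_port": 3389, "geoip_country_name": "Netherlands"},    # not accepted: excluded
    {"connection_status": "accept", "direction": "outbound", "source_address": "203.0.113.9",  "destination_port": 3389, "geoip_country_name": "Netherlands"},    # outbound: excluded
    {"connection_status": "accept", "direction": "inbound",  "source_address": "192.0.2.55",   "destination_port": 443,  "geoip_country_name": "France"},         # port not in list: excluded
]

# Regex form, exactly as written in the original query.
PRIVATE_RE = re.compile(r"10\..*|127\..*|172\.(1[6-9]|2[0-9]|3[01])\..*|192\.168\..*")
PORT_RE = re.compile(r"3389|5938|5900")

# List form: RFC 1918 ranges plus loopback, as network objects, and numeric ports.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORTS = {3389, 5938, 5900}


def match_regex(ev):
    """String/regex version of the where(...) clause (assumes whole-value matching)."""
    return (re.fullmatch("accept", ev["connection_status"], re.I) is not None
            and re.fullmatch("outbound", ev["direction"], re.I) is None
            and PRIVATE_RE.fullmatch(ev["source_address"]) is None
            and PORT_RE.fullmatch(str(ev["destination_port"])) is not None)


def is_private(address, networks):
    """True if the address falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def match_in_list(ev):
    """NOT IN / IN version of the clause, on IP objects and integer ports."""
    return (ev["connection_status"].lower() == "accept"
            and ev["direction"].lower() != "outbound"
            and not is_private(ev["source_address"], PRIVATE_NETS)
            and ev["destination_port"] in PORTS)


def group_by_country(events, predicate, limit=1000):
    """Equivalent of groupby(geoip_country_name) limit(N) over the filtered events."""
    counts = Counter(ev["geoip_country_name"] for ev in events if predicate(ev))
    return dict(counts.most_common(limit))


if __name__ == "__main__":
    print("regex  :", group_by_country(EVENTS, match_regex))
    print("IN list:", group_by_country(EVENTS, match_in_list))
    # Prefix length matters: /24 leaves most of 10/8 visible as "external".
    print("10.20.30.40 private under /24?", is_private("10.20.30.40", ["10.0.0.0/24"]))
    print("10.20.30.40 private under /8? ", is_private("10.20.30.40", ["10.0.0.0/8"]))
```

With the `/8`, `/12` and `/16` networks the two predicates select the same three events (Netherlands, Brazil, Germany); `172.32.0.1` is kept by both because it lies just outside `172.16.0.0/12`, which is exactly the boundary the `3[01]` alternation encodes by hand. The CIDR form gets that boundary right without anyone having to re-derive the regex when a range changes.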

Not only does the IN command help clean up your query, it also makes any future changes to those values much easier as you just need to either change, remove, or add a new value within the []. Definitely a huge improvement.

3 Likes

I see a lot of potential with this one. Thanks for adding it!

3 Likes

It makes me really happy when I see that the provider of a service improves it and makes it more intuitive to use. Keep up the good work.

5 Likes

Very cool addition. Thanks for adding it! Makes advanced queries much more “human readable” :slight_smile:

3 Likes