Cmd CQL (Command Query Language) defines your reports, triggers, and searches on the sessions page. This glossary lists the CQL properties available throughout the web app, as well as several important notes on usage.

CQL usage — syntax and best practices:

  • Cmd CQL values are only listed in the web interfaces where they are available for a particular query type (e.g., session trigger queries and searches of unresolved alerts have different vocabularies).

  • Do not attempt to escape characters using the backslash, e.g.: \* .
    Instead, escape characters with square brackets, e.g.: [*] .

  • Cmd CQL provides a number of ways to match characters. We recommend you learn the syntax.

  • The trigger best practices guide teaches some fundamental design principles to keep in mind when building triggers.

Searchable PDF version

View the downloadable, searchable version of this glossary.


Table of contents

This page contains glossaries of:

  • Boolean operators

  • CQL operators

  • Command queries

  • Session queries

  • Server queries

  • Trigger queries

  • File queries


  

Boolean operators

You can create complex queries by joining CQL values together using Boolean search operators. For example:

(cmd_user_typed = 'true' and cmd = 'clear') and (cmd_hour_of_day < '8:00' or cmd_day_of_week IN 'saturday,sunday')

This example command trigger query would cause the trigger to fire when (a user manually typed a command and the command was "clear") and (the command was executed either before 8am or any time on a Saturday/Sunday).

The boolean operators available for constructing queries:

CQL operators

The CQL operators available for constructing queries:

 

Command queries

Session queries

Server queries

Trigger queries

File query

Triggers overview

 
 

Did this answer your question?