Using filters to limit query results

You can use a filter to limit the query results for the following commands:

You can use multiple logical expressions to specify a filter by combining them using the AND operator. Logical expressions must be enclosed in quotation marks.

Syntax

"<field> <comparison operator> '<value>'"

"<field> <comparison operator> '<value>' and <field> <comparison operator> '<value>'"

Comparison operator

Comparison operator    Description
>                      Greater than
<                      Less than
like                   Matches the specified value (the value may contain the % mask as a wildcard; see the example below)
==                     Equal to
!=                     Not equal to
>=                     Greater than or equal to
<=                     Less than or equal to

Examples:

Get information about files in the Storage that have the High severity level:

kesl-control -B --query "DangerLevel == 'High'"

Get information about events that contain the text "etc" in the FileName field:

kesl-control -E --query "FileName like '%etc%'"

Get events of the ThreatDetected type:

kesl-control -E --query "EventType == 'ThreatDetected'"

Output ThreatDetected events generated by ODS tasks:

kesl-control -E --query "EventType == 'ThreatDetected' and TaskType == 'ODS'"

Get events generated after the date specified in the UNIX™ time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970):

kesl-control -E --query "Date > '1583425000'"

Get events generated after the date specified in YYYY-MM-DD hh:mm:ss format:

kesl-control -E --query "Date > '2022-12-22 18:52:45'"
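As an added illustration that is not part of this documentation or of the product's own code, the following Python evaluator applies the filter syntax described above (single terms, terms joined with and, the % mask for like, and Date values given either as UNIX seconds or as YYYY-MM-DD hh:mm:ss) to a few constructed sample events. The event records and the assumption that date strings are UTC are this example's own, not output of kesl-control.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real kesl-control output). Field names
# follow the page: EventType, TaskType, FileName, Date.
SAMPLE_EVENTS = [
    {"EventType": "ThreatDetected", "TaskType": "ODS",
     "FileName": "/etc/cron.d/job", "Date": "1583425100"},
    {"EventType": "ThreatDetected", "TaskType": "OAS",
     "FileName": "/tmp/a.bin", "Date": "2022-12-22 18:53:00"},
    {"EventType": "TaskStateChanged", "TaskType": "ODS",
     "FileName": "", "Date": "1583420000"},
]

# One term: <field> <comparison operator> '<value>' (longer operators first)
TERM = re.compile(r"^\s*(\w+)\s*(>=|<=|==|!=|>|<|like)\s*'([^']*)'\s*$",
                  re.IGNORECASE)

def to_epoch(value):
    # Date is either UNIX seconds or 'YYYY-MM-DD hh:mm:ss' (assumed UTC here)
    if value.isdigit():
        return int(value)
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def parse_filter(query):
    # 'and' is the only documented combinator; reject anything malformed
    terms = []
    for part in re.split(r"\s+and\s+", query, flags=re.IGNORECASE):
        m = TERM.match(part)
        if not m:
            raise ValueError(f"invalid filter term: {part!r}")
        field, op, value = m.groups()
        terms.append((field, op.lower(), value))
    return terms

def term_matches(event, field, op, value):
    actual = event.get(field, "")
    if op == "like":
        # '%' is the documented mask: each segment between masks is literal
        pattern = ".*".join(re.escape(p) for p in value.split("%"))
        return re.fullmatch(pattern, actual) is not None
    if field == "Date":
        actual, value = to_epoch(actual), to_epoch(value)
    ops = {"==": actual == value, "!=": actual != value, ">": actual > value,
           "<": actual < value, ">=": actual >= value, "<=": actual <= value}
    return ops[op]

def apply_filter(query, events):
    # Every term must hold, which is what joining with 'and' means
    terms = parse_filter(query)
    return [e for e in events if all(term_matches(e, *t) for t in terms)]
```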
