Using filters to limit query results
December 12, 2023
ID 201938
You can use a filter to limit the query results for the following commands:
- Getting information about application events:
kesl-control -E --query "<logical expression>" - Displaying information about the objects in the Storage:
kesl-control -B --query "<logical expression>" - Removing the selected objects from the Storage:
kesl-control -B --mass-remove --query "<logical expression>"
You can use multiple logical expressions to specify a filter by combining them using the AND operator. Logical expressions must be enclosed in quotation marks.
Syntax
"<field> <comparison operator> '<value>'"
"<field> <comparison operator> '<value>' and <field> <comparison operator> '<value>'"
Comparison operator
Comparison operator | Description |
|---|---|
| Greater than |
| Less than |
| Matches the specified value (when specifying the value, you can use masks %, see the example below) |
| Equal to |
| Not equal to |
| Greater than or equal to |
| Less than or equal to |
Examples: Get information about files in the Storage that have the High severity level:
Get information about events that contain the text "etc" in the FileName field:
Get events of the ThreatDetected type:
Output ThreatDetected events generated by ODS tasks:
Get events generated after the date specified in the UNIX time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970):
Get events generated after the date specified in YYYY-MM-DD hh:mm:ss format:
|
