Skip to main content

Netskope Help

Skope IT Query Language

This topic describes how to define and execute a search using the advanced search operations. Click the Query Mode button on any of the Skope IT pages.

Netskope-Skope-IT-Switch-to-Query-Mode.png

Enter a query into the search field at the top of the web page. A list of values appear after entering the field and operator. For example, entering app eq micro opens a list of all apps with micro in the name. The following section provides specific usage examples for all the possible operations.

Event Types

There are five types of events. They are application, page, audit, infrastructure, and alert event types.

Note

The alert event type is only available on the Skope IT > Alerts page.

Query language search entries consists of simple terms, groups, and Boolean operators. A simple query has the form <field><op><value>, where:

  • app is the name of one of the Application fields

  • op is one of:

    • eq, =, ==, neq, !=, like, ~ in case of string fields.

    • eq, =, ==, neq, !=, gt, >, gte, >=, lt, <, lte, <=, and , in case of numeric fields.

  • value is a string or numeric value.

It can also be field from value1 to value2, for example, user from aaa to zzz, or timestamp from 1607990400 to 1610158997 (in Epoch Time format).

Simple terms can be combined with Boolean operators. For example: field1 eq value1 and field2 lte value2, not (field1 eq value1), field1 eq value1 or not (field2 lte value2).

Terms can be grouped by using parenthesis around them to override precedence. For example: (field1 eq value1 or field2 eq value2) and (field3 eq value3).

Operators

  • "eq" or "=" or "==" - The Equal To operator compares the field with value. This operator does a case sensitive comparison.

  • "neq" or "!=" - The Not Equal To operator returns all events where the field does not equal to the value. This operator does a case sensitive comparison.

  • "gt" or ">" - The Greater Than operator works only on numeric fields such as count.

  • "lt" or "<" - The Less Than operator works only on numeric fields such as count.

  • "lte" or "gte" - The Greater Than Equal To or Less Than Equal To operators are also available for comparison.

  • "not" - The Not operator negates the result of the expression to the right. For example, "not (count = 0)".

  • “like” or “~” – The 'like' operator is used to list all the events that contains the specified pattern in the field. For example, a user like John would match for john@abc.com or John@xyz.com or brjohn. The 'like' operator is not case sensitive.

    Note

    The "like" or "~" operator is performance intensive. It's recommended to use this operator only while searching for events that contains a specified string.

Refer to Skope IT Queries Library for details about specific search queries.

In this section: