NQL data types
The data type is an attribute of the value stored in a field. It dictates what type of data a field can store.
When applying conditions to the NQL query using a where clause, only values of the same data types can be compared which is reflected in the format of the value.
For example, in the following query:
The first
whereclause compares values of the string data type. Consequently, the comparison value is enclosed in quotes to denote its string nature.The second
whereclause compares versions. Here, the comparison value is prefixed with 'v' and includes multiple points to represent a version number.The last
whereclause compares integers. In this case, the comparison value is expressed solely as a standalone number without any additional characters.
devices during past 1d
| include execution.crashes during past 1d
| where application.name == "Microsoft 365: Teams"
| where binary.version == v1.7.0.1864
| compute number_of_crashes_ = number_of_crashes.sum()
| where number_of_crashes_ >= 3The following data types are present in the NQL data model:
Data type | Valid operators | Definition | Example |
|---|---|---|---|
string |
| a string of text characters |
|
int |
| a whole number |
|
float |
| a floating point number |
|
boolean |
| a true or false value |
|
date |
| a date |
|
date time |
| a date with a time |
|
enumeration |
| sets of named things for example |
|
byte |
| a number of bytes (an int with a unit) |
|
duration |
| a duration in time (an int with a unit) |
|
IP address |
| IPv4 or IPv6 addresses with optional mask |
|
version |
| a set of numbers separated by a |
|
string array |
| an array of strings for example |
|