NQL data types
The data type is an attribute of the value stored in a field. It dictates what type of data a field can store.
When you apply conditions to an NQL query with a where clause, only values of the same data type can be compared, and the format of the comparison value reflects that type.
For example, in the following query:
The first where clause compares values of the string data type. Consequently, the comparison value is enclosed in quotes to denote its string nature.
The second where clause compares versions. Here, the comparison value is prefixed with 'v' and includes multiple points to represent a version number.
The last where clause compares integers. In this case, the comparison value is expressed solely as a standalone number without any additional characters.

devices during past 1d
| include execution.crashes during past 1d
| where application.name == "Microsoft 365: Teams"
| where binary.version == v1.7.0.1864
| compute number_of_crashes_ = number_of_crashes.sum()
| where number_of_crashes_ >= 3

The following data types are present in the NQL data model:
| Data type | Supported operators | Definition | Examples |
| --- | --- | --- | --- |
| string | == or =, !=, in, !in | a string of text characters | "abc" or 'abc' |
| int | =, !=, <, >, <=, >=, in, !in | a whole number | 10 |
| float | =, !=, <, >, <=, >= | a floating point number | 10.1 |
| Boolean | =, != | a true or false value | true, false |
| date time | =, !=, <=, >= | a date with a time | 2024-07-15 10:15:00 |
| enumeration | =, != | sets of named things, for example red blue white | status == red |
| byte | <, >, <=, >= | a number of bytes (an int with a unit) | 100B, 200KB, 3MB, 12GB, 2TB |
| duration | =, !=, <, >, <=, >= | a duration in time (an int with a unit) | 5ms, 10s, 4min, 3h, 2d |
| IP address | =, != | IPv4 or IPv6 addresses with optional mask | 123.123.0.0, 123.123.0.0/24, f164:b28c:84a5:9dd3:ef21:8c9d:d3ef:218c, f164:b28c:84a5:9dd3::/32 |
| version | <, >, <=, >=, ==, != | a set of numbers separated by a . | v12.212, v1.2.5.9, v13.5.10, v2022.6, v1.2.4125, v6.8.9.7.6.5.4.3 |
| string array | contains, !contains | an array of strings, for example ['abc', 'def', 'xyz'] | tags contains "abc", tags !contains "*xyz" |
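
Added example (not part of the original page and not Nexthink's parser): a Python check that infers a literal's data type from its format and confirms the operator is listed for that type in the table above, which is useful for linting saved investigation or detection queries before they are submitted. The regular expressions are assumptions inferred from the page's examples; enumeration and string array are left out because their valid values depend on the field.

```python
import ipaddress
import re
from datetime import datetime

# Operators per data type, copied from the table on this page.
OPERATORS = {
    "string": {"==", "=", "!=", "in", "!in"},
    "int": {"=", "!=", "<", ">", "<=", ">=", "in", "!in"},
    "float": {"=", "!=", "<", ">", "<=", ">="},
    "boolean": {"=", "!="},
    "date time": {"=", "!=", "<=", ">="},
    "byte": {"<", ">", "<=", ">="},
    "duration": {"=", "!=", "<", ">", "<=", ">="},
    "IP address": {"=", "!="},
    "version": {"<", ">", "<=", ">=", "==", "!="},
}

# Literal shapes inferred from the page's examples (assumption, not the NQL grammar).
PATTERNS = [
    ("string", r"""("[^"]*"|'[^']*')"""),
    ("boolean", r"true|false"),
    ("version", r"v\d+(\.\d+)+"),
    ("byte", r"\d+(B|KB|MB|GB|TB)"),
    ("duration", r"\d+(ms|s|min|h|d)"),
    ("float", r"\d+\.\d+"),
    ("int", r"\d+"),
]

def literal_type(text):
    """Return the NQL data type a literal's format denotes, or None."""
    for name, pattern in PATTERNS:
        if re.fullmatch(pattern, text):
            return name
    try:
        datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
        return "date time"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(text, strict=False)  # address with optional mask
        return "IP address"
    except ValueError:
        return None

def check(field_type, operator, literal):
    """True when the literal has the field's type and the operator is listed for it."""
    allowed = OPERATORS.get(field_type, set())
    return literal_type(literal) == field_type and operator in allowed
```

A version written without the v prefix, such as 1.7.0.1864, matches none of the formats and is rejected rather than being treated as an IP address or a number.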