search
Support

NQL data types

The data type is an attribute of the value stored in a field. It dictates what type of data a field can store.

When applying conditions to the NQL query using a where clause, only values of the same data types can be compared which is reflected in the format of the value.

For example, in the following query:

  • The first where clause compares values of the string data type. Consequently, the comparison value is enclosed in quotes to denote its string nature.

  • The second where clause compares versions. Here, the comparison value is prefixed with 'v' and includes multiple points to represent a version number.

  • The last where clause compares integers. In this case, the comparison value is expressed solely as a standalone number without any additional characters.

devices during past 1d
| include execution.crashes during past 1d
| where application.name == "Microsoft 365: Teams"
| where binary.version == v1.7.0.1864
| compute number_of_crashes_ = number_of_crashes.sum()
| where number_of_crashes_ >= 3

The following data types are present in the NQL data model:

Data type
Valid operators
Definition
Value example

string

== or =

!=

in

!in

a string of text characters

"abc" or 'abc'

int

=

!=

<

>

<=

>=

in

!in

a whole number

10

float

=

!=

<

>

<=

>=

a floating point number

10.1

Boolean

=

!=

a true or false value

true

false

date time

=

!=

<=

>=

a date with a time

2024-07-15 10:15:00

enumeration

=

!=

sets of named things

for example red blue white

status == red

byte

<

>

<=

>=

a number of bytes

(an int with a unit)

100B

200KB

3MB

12GB

2TB

duration

=

!=

<

>

<=

>=

a duration in time

(an int with a unit)

5ms

10s

4min

3h

2d

IP address

=

!=

IPv4 or IPv6 addresses

with optional mask

123.123.0.0

123.123.0.0/24

f164:b28c:84a5:9dd3:ef21:8c9d:d3ef:218c

f164:b28c:84a5:9dd3::/32

version

<

>

<=

>=

==

!=

a set of numbers separated by a .

v12.212

v1.2.5.9

v13.5.10

v2022.6

v1.2.4125

v6.8.9.7.6.5.4.3

string array

contains

!contains

an array of strings

for example ['abc', 'def', 'xyz']

tags contains "abc"

tags !contains "*xyz"

Last updated

Was this helpful?