NQL syntax overview

Specifying table

Every NQL query starts with a short statement specifying the table to select data from. The syntax to specify the table is:

<namespace>.<table>

For example, listing all records in the events table from the execution namespace translates into the following statement:

execution.events

Syntax shortcuts

Instead of typing the namespace and the table, you can also use the predefined shortcuts. Type the table name only, without a namespace first to retrieve data from the following tables:

For example, type devices instead of device.devices to list all the records within the devices table in the device namespace.

devices

You do not need to specify the table fields included in the results to query data from the table. The system includes default fields that are most relevant to identify the records. For more information about fields contained in specific table, refer to the NQL data model page. Use the NQL list keyword to access other fields in the specific table.

Specifying time frame

You have the option to filter your results over a specific period of time by putting a time frame selection right after the table name in your NQL statement. Depending on what you need, you can choose from various data selection formats and time precisions. For example you can specify the number of days back:

Or specific date:

You can also use a time selection when querying the following inventory objects: devices, users, binaries. If you specify the time frame for the inventory objects, the system refers to the events behind the object's activity.

For example, the following queries refer to the same set of data.

For more information regarding the time selection formats refer to the NQL time selection

Customizing Query Results

After specifying the table and timeframe, you can further refine your query by providing additional instructions to the system using keywords, operators and functions. These refinements allow you to organize, filter or aggregate your results to gather more comprehensive insights.

For example:

1. Filter the results using the where clause

2. Select specific data to display using the list clause

3. Order results using the sort ... desc clause

4. Set a maximum number of results using the limit clause

For more information about specific instructions, refer to the NQL keywords section.

Pattern matching

Use wildcard characters such as * and ? for text filters.

* replaces any number of characters

? replaces any single character

For example, listing all binaries with a name starting with dll and finishing with .exe translates into the following query:

• NQL time selection

• NQL data types

Commenting

Use comments in your NQL queries to include explanatory notes that are ignored during execution. Comments help clarify the intent of the query, making it easier to read, maintain, and understand.

Use /* to begin a comment and */ to end it. All text between these symbols will be ignored during execution.

Keyboard shortcuts for commenting

Use the following keyboard shortcuts to quickly add or remove comments in your NQL queries.

Line-based comment

Toggle comment on the current line or selected multiple lines.

The following shortcuts add or remove comment markers (/* ... */) around the entire line where your cursor is placed. If multiple lines are highlighted, it wraps full lines in a single comment block.

• Windows: Press Ctrl + /

• macOS: Press Cmd + /

Inline or block comment

Toggle comment on selected code.

The following shortcuts add or remove comment markers (/* ... */) around the highlighted portion of code, even if the selection starts or ends mid-line.

• Windows: Press Shift + Alt + A

• macOS: Press Shift + Option + A

Valid comment placement

Comments can be added in most parts of an NQL query. However, there are specific cases where comments are not allowed.

The following table outlines invalid comment placements. If a comment is added in one of these locations, the NQL editor will display an error.