NQL data types

The data type is an attribute of the value stored in a field. It dictates what type of data a field can store.

When applying conditions to the NQL query using a where clause, only values of the same data types can be compared which is reflected in the format of the value.

For example, in the following query:

The first where clause compares values of the string data type. Consequently, the comparison value is enclosed in quotes to denote its string nature.
The second where clause compares versions. Here, the comparison value is prefixed with 'v' and includes multiple points to represent a version number.
The last where clause compares integers. In this case, the comparison value is expressed solely as a standalone number without any additional characters.

devices during past 1d
| include execution.crashes during past 1d
| where application.name == "Microsoft 365: Teams"
| where binary.version == v1.7.0.1864
| compute number_of_crashes_ = number_of_crashes.sum()
| where number_of_crashes_ >= 3

The following data types are present in the NQL data model:

Data type Valid operators Definition Value example

Data type	Valid operators	Definition	Value example
string	`==` or `=` `!=` `in` `!in`	a string of text characters	`"abc"` or `'abc'`
int	`=` `!=` `<` `>` `<=` `>=` `in` `!in`	a whole number	`10`
float	`=` `!=` `<` `>` `<=` `>=`	a floating point number	`10.1`
Boolean	`=` `!=`	a true or false value	`true` `false`
date time	`=` `!=` `<=` `>=`	a date with a time	`2024-07-15 10:15:00`
enumeration	`=` `!=`	sets of named things for example `red` `blue` `white`	`status == red`
byte	`<` `>` `<=` `>=`	a number of bytes (an int with a unit)	`100B` `200KB` `3MB` `12GB` `2TB`
duration	`=` `!=` `<` `>` `<=` `>=`	a duration in time (an int with a unit)	`5ms` `10s` `4min` `3h` `2d`
IP address	`=` `!=`	IPv4 or IPv6 addresses with optional mask	`123.123.0.0` `123.123.0.0/24` `f164:b28c:84a5:9dd3:ef21:8c9d:d3ef:218c` `f164:b28c:84a5:9dd3::/32`
version	`<` `>` `<=` `>=` `==` `!=`	a set of numbers separated by a `.`	`v12.212` `v1.2.5.9` `v13.5.10` `v2022.6` `v1.2.4125` `v6.8.9.7.6.5.4.3`
string array	`contains` `!contains`	an array of strings for example `['abc', 'def', 'xyz']`	`tags contains "abc"` `tags !contains "*xyz"`

string

== or =

!=

in

!in

a string of text characters

"abc" or 'abc'

int

=

!=

<

>

<=

>=

in

!in

a whole number

10

float

=

!=

<

>

<=

>=

a floating point number

10.1

Boolean

=

!=

a true or false value

true

false

date time

=

!=

<=

>=

a date with a time

2024-07-15 10:15:00

enumeration

=

!=

sets of named things

for example red blue white

status == red

byte

<

>

<=

>=

a number of bytes

(an int with a unit)

100B

200KB

3MB

12GB

2TB

duration

=

!=

<

>

<=

>=

a duration in time

(an int with a unit)

5ms

10s

4min

3h

2d

IP address

=

!=

IPv4 or IPv6 addresses

with optional mask

123.123.0.0

123.123.0.0/24

f164:b28c:84a5:9dd3:ef21:8c9d:d3ef:218c

f164:b28c:84a5:9dd3::/32

version

<

>

<=

>=

==

!=

a set of numbers separated by a .

v12.212

v1.2.5.9

v13.5.10

v2022.6

v1.2.4125

v6.8.9.7.6.5.4.3

string array

contains

!contains

an array of strings

for example ['abc', 'def', 'xyz']

tags contains "abc"

tags !contains "*xyz"

Last updated 2 months ago