Version: 1.3.0

Query

The Query tab allows configuring queries that can be used in the Workbench and the corresponding search commands. Currently, queries can only be saved within ElasticSPL's app context. Queries created outside ElasticSPL's app context but shared globally are visible and editable from it. However, if such a query's sharing configuration is changed to App, the query will no longer be visible to ElasticSPL.

To see all parameters of a query, expand it using the arrow on the left of its row. To hide the details, click the same arrow again.

Query Details

Extend to see all available query parameters
| Parameter | Description | Required | Example |
|---|---|---|---|
| Name | The name of the query | ✔️ | palo-blocked-port-replacement |
| Description | The description of the query | ✔️ | Get all blocked connections with configurable src and dest port |
| Mode | Whether the query is in Lucene or DSL format | ✔️ | Lucene |
| Query | The query that should be executed | ✔️ | _index:palo AND src_port:$src_port$ AND dest_port:$dest_port$ |
| Timestamp Used | Whether the query uses a timestamp | ✔️ | Yes |
| Timestamp Field | The field that contains the timestamp | ✔️ | @timestamp |
| Replacements | The replacements that should be applied to the query. See Replacements for more information | | |
| Reading Roles | The roles that are allowed to read the query configuration and subsequently run queries with it | ✔️ | elasticspl_admin |
| Writing Roles | The roles that are allowed to write the query configuration. Writing is furthermore restricted to the elasticspl_admin, sc_admin and admin roles | ✔️ | elasticspl_admin |
| Sharing | The sharing configuration of the query | ✔️ | App |
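The following is an added example, written for this page and not taken from ElasticSPL's code, of how the Mode, Query, Timestamp Used, Timestamp Field and Replacements parameters fit together: a saved query is a template with `$name$` placeholders, the caller supplies values for them, and the rendered query is wrapped in an Elasticsearch search body with a range filter on the timestamp field. The security point it illustrates is that replacement values should be validated against what the parameter is supposed to hold (a port, here) and, failing that, be substituted in a form that cannot change the structure of the query: phrase-quoted in Lucene mode, JSON-encoded in DSL mode. The record layout, the `is_port` validator and the convention that a DSL placeholder is written unquoted and stands for one JSON value are assumptions of this example, not ElasticSPL behaviour.

```python
import json
import re

# Constructed saved-query records in the shape of the parameter table above
# (illustrative values only; not ElasticSPL's storage format or code).
SAVED_QUERY = {
    "name": "palo-blocked-port-replacement",
    "mode": "Lucene",
    "query": "_index:palo AND src_port:$src_port$ AND dest_port:$dest_port$",
    "timestamp_used": True,
    "timestamp_field": "@timestamp",
}
DSL_QUERY = {
    "name": "palo-blocked-port-dsl",
    "mode": "DSL",
    # Assumption of this example: a DSL placeholder is written unquoted and
    # stands for exactly one JSON value, so the rendered value is one token.
    "query": '{"bool": {"filter": [{"term": {"_index": "palo"}}, '
             '{"term": {"src_port": $src_port$}}, {"term": {"dest_port": $dest_port$}}]}}',
    "timestamp_used": False,
    "timestamp_field": "",
}

PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def is_port(text):
    """Validator for port replacements: 1 to 5 ASCII digits, value 1..65535."""
    return re.fullmatch(r"[0-9]{1,5}", text) is not None and 0 < int(text) < 65536


PORT_VALIDATORS = {"src_port": is_port, "dest_port": is_port}


def find_placeholders(template):
    """Replacement names a template expects, in order of first appearance."""
    names = []
    for name in PLACEHOLDER.findall(template):
        if name not in names:
            names.append(name)
    return names


def quote_lucene(value):
    """Wrap a value as a Lucene phrase so operators, wildcards and the bare
    words AND/OR/NOT inside it are matched literally instead of parsed."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def check_replacements(saved, values, validators=None):
    """List problems with `values` for this saved query (empty list means OK):
    missing or unexpected names, and values a validator rejected."""
    validators = validators or {}
    names = find_placeholders(saved["query"])
    problems = ["missing: " + n for n in names if n not in values]
    problems += ["unexpected: " + k for k in values if k not in names]
    for name in names:
        check = validators.get(name)
        if name in values and check is not None and not check(str(values[name])):
            problems.append("rejected: " + name)
    return problems


def render_query(saved, values, validators=None):
    """Substitute replacement values into the saved query string. Values are
    validated first; Lucene values are then phrase-quoted and DSL values
    JSON-encoded, so a value can never alter the query's structure."""
    problems = check_replacements(saved, values, validators)
    if problems:
        raise ValueError("; ".join(problems))
    if saved["mode"] == "Lucene":
        rendered = {n: quote_lucene(str(v)) for n, v in values.items()}
    else:
        rendered = {n: json.dumps(v) for n, v in values.items()}
    return PLACEHOLDER.sub(lambda m: rendered[m.group(1)], saved["query"])


def search_body(saved, rendered_query, earliest, latest):
    """Elasticsearch search body for a rendered query: Lucene goes through
    query_string, DSL is used as-is; a declared timestamp field becomes a
    range filter for the requested time window."""
    if saved["mode"] == "Lucene":
        clause = {"query_string": {"query": rendered_query}}
    else:
        clause = json.loads(rendered_query)
    if not saved["timestamp_used"]:
        return {"query": clause}
    window = {"range": {saved["timestamp_field"]: {"gte": earliest, "lte": latest}}}
    return {"query": {"bool": {"must": clause, "filter": window}}}


if __name__ == "__main__":
    good = {"src_port": 51515, "dest_port": 22}
    q = render_query(SAVED_QUERY, good, PORT_VALIDATORS)
    print(json.dumps(search_body(SAVED_QUERY, q, "now-24h", "now"), indent=2))
    # A value that tries to widen the query is rejected by the validator,
    # and even without a validator it is only ever matched as a literal phrase:
    bad = {"src_port": "* OR _index:*", "dest_port": 22}
    print(check_replacements(SAVED_QUERY, bad, PORT_VALIDATORS))
    print(render_query(SAVED_QUERY, bad))
```

Phrase-quoting is used rather than backslash-escaping because escaping the special characters leaves the bare-word operators `AND`, `OR` and `NOT` intact, so a value such as `* OR _index:*` would still split the query; inside a phrase they are plain terms. The validator remains the primary control, since a literal but unexpected value can still be a wrong value.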

Creating a Query

To create a new query, open the Query tab and click on the Add Query button in the top right corner. Fill out the form and click on Add. The query can be used in the Workbench and the corresponding search commands.


Updating a Query

To update a query, open the Query tab and click on the Update button in the row of the query that should be updated. Fill out the form and click on Update. The query can be used in the Workbench and the corresponding search commands.

It is not possible to change the name of a query. If the name of a query should be changed, the query has to be deleted and a new query with the desired name has to be created.


Deleting a Query

To delete a query, open the Query tab and click on the Delete button in the row of the query that should be deleted. Confirm the deletion by clicking on Delete.

No Undo

Deleting a query is irreversible; there is no undo.


Running a Query

The configuration page does not allow for directly running a query. Please use the Workbench as described in the Workbench section.