Event Query Language Reference

The search query supports the query languages: EQL and the LogLogic LMI SQL dialect.

The EQL query is composed of different parts separated by pipe ( | ) character. The pipe delimiter is used to separate the expression and each subsequent expression. Each pipe-delimited expression further processes search results from the preceding expression. For more structured queries, a subset of SQL is supported that is mainly focused on the SELECT statement. Both languages are supported in LogLogic LMI, but you cannot use a mix of both languages in the same query. All that is available in EQL can be achieved via SQL and vice versa except the following differences:
  • EQL supports the full text search statement, but SQL does not support this statement. For details, see FILTER Statement.
  • Multiple EQL filter expression statements, separated by a pipe, get automatically combined using the AND operator into a single filter expression. SQL does not support this feature.

The EQL and SQL language rules are based on a Backus-Naur Form (BNF)-like notation as follows:

<symbol> ::= <expression> ;

where:

  • Non-terminal symbols in syntax rules have angle brackets (< >). For example, in the rule <expression> ::= <expression> "+" <integer>; the <expression> is a non-terminal symbol and the rule specifies that as an expression is the addition of any number of integers.
  • Terminal symbols are shown in double quotes (" "). For example, the "+" in the previous example.
  • As an additional shortcut notation to BNF, optional symbols (that can occur zero or one times) are followed by a question mark (?). For example, in the rule <colNameForSort> ::= <colname> (ASC| DESC)?; a column name used for sort is a column name optionally followed by the keywords ASC or DESC.
  • Optional symbols that can occur zero or any number of times are followed by an asterisk (*). For example, in the rule <itemList> ::= <item> ("," <item>)*; an itemList can contain one or more comma separated items.
  • Multiple symbols are grouped together using parenthesis ( ) when some common operation is applied, for example, the selection of one member of the group, or to indicate that the entire group can be repeated zero or more times. An example is shown in the previous bullet item.
  • Words that are all capitalized represent keywords (special terminal symbols). For example, the keywords ASC and DESC in the column name for sort described in the previous example.

All parts of the query are optional, but overall the syntax is:

<EQL_statement> ::= <statement> ("|" <statement> )* ;
<statement> ::= <useStatement> | <filterStatement> | <groupByStatement> |
<columnsStatement> | <sortStatement> | <limitStatement>;

String literals and identifiers (including keyspace, column family names, and data model names) are case sensitive but all EQL keywords are not case sensitive. For example, 'USE Windows' and 'use Windows' are treated in the same way.

String literal can be quoted with single (') or double (") quotation marks. The quotation marks (single or double) inside the string literal has to be prefixed with backslash ( \ ) character. The \ character change to be prefixed with another backslash ( \\ ). For example, "Mike's car" or 'Mike\'s car'.

A special syntax for time range can be used. For details, see Time Range Expressions.

Note: In this syntax reference topic, EQL keywords are mentioned in upper case letters for easy readability.

Examples

Expression Definition
sys_sourceType = 65536 and sys_eventTime in -5d | columns sys_eventTime, sys_collectIP, ll_eventStatus Events from source type '65536' in last 5 days, display result as a table with columns sys_eventTime, sys_collectIP, and ll_eventStatus
USE Microsoft_Windows | ll_eventAction ='A user account was enabled.' | sys_eventTime IN -1h Using the data model Microsoft Windows, display results of all events where a user account was enabled during the past hour.