Filtering data using the Wazuh Query Language
The query language to use depends on where the data is coming from:
Wazuh API
Wazuh indexer
Wazuh API queries
The WQL search bars found in various sections of the Wazuh dashboard use the Wazuh Query Language (WQL) to query the Wazuh API. WQL is based on the Wazuh API query language.
There are two query modes:
explicit: The search contains a field, an operator, and a value.
search term: Uses a term to search in the available fields.
Explicit queries
These queries include a field, an operator and a value. This mode is activated when both a field and an operator are present.
Field name: Field name to filter by. If an incorrect field name is used, a validation error is displayed.
Operator: Operator to filter by. The available operators are:
=: equality.
!=: inequality.
<: smaller than.
>: bigger than.
~: like as (the field contains the value).
(): grouping operators. Group queries.
Value: Value to filter by.
For values without spaces, no additional formatting is necessary.
Values with spaces or containing the double quote character " must be wrapped in a pair of double quotes "". The double quote " can be escaped using \". For example, "value with whitespaces and escaped \"quotes\"".
Separator: Operator to join multiple "queries".
or: represents an OR.
and: represents an AND.
Note
The tokens can be separated by whitespaces.
Note that some search bars include an implicit filter that is added to the user query. For example, the search bar in the Agents section includes the id!=000 filter, so the manager itself (agent 000) is never listed, whatever the user types.
Search term queries
Use a term to search in the available fields. Under the hood, the term is translated into a query that applies the like-as operator ~ to each field supported by the explicit mode, so an entity matches when any of those fields contains the term.
Warning
The explicit and search term modes can't be combined.
Query examples
Explicit mode
Filter by entities whose id is equal to a specific value:
id=001
Note
It is possible to use whitespaces between the tokens.
id = 001
To get more precise results, combine multiple statements with the logical operators and and or and the grouping operators ().
Filter active agents whose os.platform contains linux:
status=active and os.platform~linux
Filter agents whose status is not Never connected, whose IP address contains 240, and whose operating system is Linux:
status!=never_connected and ip~240 and os.platform~linux
Filter agents whose status is not Never connected and whose IP address contains 240, or agents whose id is equal to 001:
( status!=never_connected and ip~240 ) or id=001
Search term mode
Search the term linux in the available fields:
linux
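The grammar described above (explicit mode with field, operator, quoted or bare value, and/or separators and parentheses; search-term mode translated to ~ over every field; the Agents search bar's implicit id!=000 filter) is small enough to implement end to end. The following is an added example written for this page, not Wazuh code: a toy tokenizer, parser and evaluator run over a handful of constructed agent records whose keys mirror the API field names. The accepted field list, the case-insensitive meaning of ~ (inferred from the os.platform~linux example), the string ordering used for < and >, and and binding tighter than or are this example's assumptions; the page itself fixes none of them.

```python
"""Toy evaluator for the Wazuh dashboard's WQL (added example, not Wazuh code)."""
import re
# Fields this toy accepts in explicit mode; the real dashboard takes the list
# from the API endpoint behind each search bar (assumption).
AGENT_FIELDS = ("id", "ip", "status", "os.platform", "os.name")

# Constructed sample records; keys mirror the API field names used in queries.
AGENTS = [
    {"id": "000", "ip": "127.0.0.1", "status": "active", "os.platform": "linux", "os.name": "Ubuntu"},
    {"id": "001", "ip": "10.0.240.15", "status": "active", "os.platform": "linux", "os.name": "CentOS Linux"},
    {"id": "002", "ip": "10.0.240.20", "status": "disconnected", "os.platform": "linux", "os.name": "Ubuntu"},
    {"id": "003", "ip": "10.0.9.7", "status": "never_connected", "os.platform": "windows", "os.name": "Windows 10"},
]

_TOKEN = re.compile(r'\s*(?:(?P<paren>[()])|(?P<op>!=|[=<>~])|(?P<quoted>"(?:\\.|[^"\\])*")|(?P<word>[^\s()=!<>~"]+))')

def tokenize(text):
    """Split a query into (kind, lexeme) pairs. Whitespace between tokens is
    optional, so `id=001` and `id = 001` tokenize identically."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def unquote(lexeme):
    """Drop the surrounding double quotes and resolve \\" escapes."""
    return re.sub(r'\\(.)', r'\1', lexeme[1:-1])

class Parser:
    """or_expr := and_expr ('or' and_expr)*; and_expr := atom ('and' atom)*;
    atom := '(' or_expr ')' | field op value. The page fixes no precedence, so
    `and` binding tighter than `or` is this toy's assumption; group with ( )."""
    def __init__(self, tokens, fields):
        self.toks, self.i, self.fields = tokens, 0, fields
    def _tok(self, advance=True):  # current token, (None, None) past the end
        tok = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        self.i += advance
        return tok
    def parse(self):
        tree = self.or_expr()
        if self.i != len(self.toks):  # leftover bare term: modes cannot be mixed
            raise ValueError(f"unexpected token {self._tok(False)[1]!r}")
        return tree
    def _chain(self, word, sub):  # sub (word sub)*, left-associative
        tree = sub()
        while self._tok(False) == ("word", word):
            self.i += 1
            tree = (word, tree, sub())
        return tree
    def or_expr(self):
        return self._chain("or", self.and_expr)
    def and_expr(self):
        return self._chain("and", self.atom)
    def atom(self):
        kind, lex = self._tok()
        if (kind, lex) == ("paren", "("):
            tree = self.or_expr()
            if self._tok() != ("paren", ")"):
                raise ValueError("missing closing parenthesis")
            return tree
        if kind != "word" or lex not in self.fields:
            raise ValueError(f"validation error: unknown field {lex!r}")
        okind, op = self._tok()
        vkind, val = self._tok()
        if okind != "op" or vkind not in ("word", "quoted"):
            raise ValueError(f"expected <operator> <value> after field {lex!r}")
        return ("cmp", lex, op, unquote(val) if vkind == "quoted" else val)

def _compare(actual, op, expected):
    if op in ("=", "!="):
        return (actual == expected) == (op == "=")
    if op == "~":  # "like as": case-insensitive substring, as in os.platform~linux
        return expected.lower() in actual.lower()
    return actual < expected if op == "<" else actual > expected  # toy: string order

def evaluate(tree, record):
    if tree[0] == "cmp":
        return _compare(str(record.get(tree[1], "")), tree[2], tree[3])
    if tree[0] == "and":
        return evaluate(tree[1], record) and evaluate(tree[2], record)
    return evaluate(tree[1], record) or evaluate(tree[2], record)

def compile_query(text, fields=AGENT_FIELDS):
    """Any operator selects explicit mode; otherwise the whole text is a search
    term, translated to field~term over every field, joined with or."""
    tokens = tokenize(text)
    if any(kind == "op" for kind, _ in tokens):
        tree = Parser(tokens, fields).parse()
    else:
        term = unquote(text.strip()) if [k for k, _ in tokens] == ["quoted"] else text.strip()
        tree = ("cmp", fields[0], "~", term)
        for field in fields[1:]:
            tree = ("or", tree, ("cmp", field, "~", term))
    return lambda record: evaluate(tree, record)

def search_agents(user_query, agents=AGENTS, implicit="id!=000"):
    """Apply the Agents search bar's implicit filter plus the user query; return ids."""
    keep, hidden = compile_query(user_query), compile_query(implicit)
    return [agent["id"] for agent in agents if hidden(agent) and keep(agent)]
```

Running the page's own examples through search_agents shows the behaviour described above: `( status!=never_connected and ip~240 ) or id=001` and the bare term `linux` both return agents 001 and 002, agent 000 never appears because of the implicit filter, and queries that mix a bare term with an explicit statement, or name a field outside AGENT_FIELDS, raise the validation error instead of silently matching nothing.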
Wazuh Indexer
In the Wazuh dashboard, there are specialized search bars for querying Wazuh indexer data. These use the same syntax as OpenSearch Dashboards rather than WQL. To learn more, refer to Using Dashboards Query Language.