Skip to main content

Query Language Filters

You can create queries against information that is available in your Prisma Access Insights tenant. These rules are supplied as boolean expressions that are applied to information found in the dataset. Each such boolean expression includes a numeric, string, or date operator. Multiple filter rules can also be evaluated using boolean operators.

For example:

"filter":{
"rules":[
{
"property":"state_instance",
"operator":"in",
"values":[0,1,2]
},
{
"property":"user_type",
"operator":"in",
"values":["gp"]}
]
},

Numeric Operators

When the field type requires a number, the following operators are supported. You cannot include wildcards in these operators.

Example:

"filter":{
"rules":[{
"property":"node_type",
"operator":"equals",
"values":[48]
},
  • equal <value>

    Match a value exactly.

  • greater <value>

    Match a value greater than the specified number.

  • greateror_equal <_value>

    Match a value greater than or equal to the specified number.

  • in <value>[, <value> ...]

    Match a value that contains the specified number. To specify more than one number, separate them with commas.

  • less <value>

    Match a value less than the specified number.

  • lessor_equal <_value>

    Match a value less than or equal to the specified number.

  • notequal <_value>

    Match all values except the specified number.

  • notin <_value>[, <value> ...]

    Match all values except those that contain the specified number. To specify more than one number, separate them with commas.

String Operators

When the field type requires a text string, use one of the following supported operators. You cannot include wildcards in these operators.

Example:

{
"property":"user_type",
"operator":"in",
"values":["gp"]
}
  • equal <value>

    Match a value exactly.

  • in <value>[, <value> ...]

    Match a value in an array. To specify more than one number, separate them with commas.

  • notequal <_value>

    Match all values except the specified string.

  • notin <_value>[, <value> ...]

    Match all values except those that contain the specified string. To specify more than one string, separate them with commas.

Date Operators

When the field type requires a date or time, use one of the following supported operators:

  • between date1, date2

    Time range, starting at date1 and ending at date2. Specify the date in the format epoch-time.

  • last_n_days

    Last number of days from the current time. For example,

  • last_n_hours

    Last number of hours from the current time. For example,

  • last_n_weeks

    Last number of weeks from the current time.

Boolean Operators

  • AND

    Record must match all rules.

  • OR

    Record must match at least one rule.

State Filter Values

Tunnel State

State IDState Name
0Init
1Up
2Inactive
3Down

Site State

State IDState Name
0Down
1Up
2Warning

Location State

State IDState Name
0Down
1Up
2Warning

Instance/Node State

State IDState Name
0Down
1Up
2Inactive

Node Types

Node Type IDNode Type Name
47Hub
48Firewall/remote network
49Mobile user gateway
50Mobile user portal
51Service connection
153Explicit proxy

Firewall HA

State IDState Name
0None
1Passive
2Active

Monitoring State

State IDState Name
0Down
1Up
2Not configured

User Types

User Type IDUser Type Name
epExplicit Proxy
gpGlobalProtect

Edge Location Display Name

See Prisma Access Locations.

Mobile User Connection State

Connection StateMobile User State
CONNECTEDMobile user in connected state
CONNECT_CONTINUE

Severity (Alerts)

Severity IDSeverity ID Mapping Values
High4
Medium3
Low2
Informational1

Alert Filter Details

Alert FilterDescription
alert_idUnique alert ID
raised_timeexample: 2021-07-02 23:12:13 UTC
updated_timeexample: 2021-07-03 23:12:13 UTC
stateValues can be Raised or Cleared
categoryAlert category, such as Remote Networks (RN), Service Connections (SC)
codeUnique alert code, such as AL_SC_PRIMARY_TUNNEL_DOWN
customerApp(optional) If set to True, only external alerts are processed. If set to False, both external and internal alerts are processed.