Reference: Filter syntax

Endpoint query filter syntax

Filter endpoint query requests using the following filter syntax.

General Fields

You can filter on field values. Unless otherwise specified, define a filter object using the syntax:

{path: "field-path", value: "field-value"}

Use dot notation for sub-fields not at the root level.

For example, the following request filters and returns only endpoints whose primary user email address is [email protected]:

{
  endpoints(filter: {path: "primaryUser.email", value: "[email protected]"}) {
    edges {
      node {
        id
        primaryUser {
          email
        }
      }
    }
  }
}

Computer group membership

You can filter on membership in named computer groups. Define a filter object using the syntax:

{memberOf: {name: "computer-group-name"}}

For example, the following request filters and returns only endpoints that are members of the All Linux computer group:

{
  endpoints(filter: {memberOf: {name: "All Linux"}}) {
    edges {
      node {
        id
      }
    }
  }
}

Sensors

Endpoint queries can filter on readings of arbitrary named sensors. Define a filter object using the syntax:

{sensor: {name: "sensor-name"}, value: "filter-value"}

For example, the following request returns only endpoints for which the Total Memory sensor returns a value of 16384 MB:

{
  endpoints(filter: {sensor: {name: "Total Memory"}, value: "16384 MB"}) {
    edges {
      node {
        id
      }
    }
  }
}

Parameterized sensors

You can also filter on parameterized sensors. Define a filter object using the syntax:

{sensor: {
    name: "sensor-name",
    params: [
      {name: "parameter-1-name", value: "parameter-1-value"},
      {name: "parameter-2-name", value: "parameter-2-value"},
      {name: "parameter-n-name", value: "parameter-n-value"}
    ]
  },
  value: "filter-value"
}

Add a params name/value object for every parameter.

For example, the following request uses the Custom Tag Exists sensor to return only endpoints tagged with the custom tag the-tag:

{
  endpoints(filter: {sensor: {name: "Custom Tag Exists", params:[{name: "tag", value: "the-tag"}]}, value: "true"}) {
    edges {
      node {
        id
      }
    }
  }
}

Multi-column sensors

You can filter multi-column sensors by specifying the column name. Define a filter object using the syntax:

{sensor: {
  name: "sensor-name",
  column: "sensor-column-name"},
  value: "filter-value"
}

For example, the following request uses the CPU column of the CPU Details sensor to return only endpoints with an Intel CPU:

{
  endpoints(filter: {sensor: {name: "CPU Details", column: "CPU"}, value: "Intel"}) {
    edges {
      node {
        id
      }
    }
  }
}

If you want to select across multiple columns of each row of a multi-column sensor, define a filter.filters list, then define a list element for each column filter, using the following syntax:

filters: [
  {sensor: {column: "column-1-name"}, value: "column-1-value"},
  {sensor: {column: "column-2-name"}, value: "column-2-value"},
  {sensor: {column: "column-n-name"}, value: "column-n-value"}
]

You can only use a single level of child filters, and can only use the default EQ operator.

For example, the following request uses the CPU Details sensor to return only endpoints with 4 total cores and an Intel CPU:

{
  endpoints(filter: {
    sensor: {name: "CPU Details"},
    filters: [
      {sensor: {column: "Total Cores"}, value: "4"},
      {sensor: {column: "CPU"}, value: "Intel"}
    ]
  }) {
    edges {
      node {
        id
      }
    }
  }
}

In this form, the sensor is identified in the top filter and the columns are identified in the child filters.
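
The following Python code is an added example, not part of the original reference or the product's own code. It builds the sensor, parameterized, multi-column and child-filter forms shown above from program data, escapes string values so that a quote inside a value stays inside the string literal, and rejects child filters that nest or use an operator other than EQ. The helper names are hypothetical.

```python
import json

def to_graphql(value):
    """Render a dict/list/str as a GraphQL input literal: keys unquoted, strings escaped."""
    if isinstance(value, str):
        # json.dumps escapes quotes, backslashes and control characters with
        # escape sequences that GraphQL string literals also accept.
        return json.dumps(value)
    if isinstance(value, dict):
        return "{" + ", ".join(f"{k}: {to_graphql(v)}" for k, v in value.items()) + "}"
    if isinstance(value, list):
        return "[" + ", ".join(to_graphql(v) for v in value) + "]"
    raise TypeError(f"unsupported filter value type: {type(value).__name__}")

def sensor_filter(name, value, column=None, params=None):
    """Single sensor filter; params is a dict of parameter name -> value."""
    sensor = {"name": name}
    if column is not None:
        sensor["column"] = column
    if params:
        sensor["params"] = [{"name": k, "value": v} for k, v in params.items()]
    return {"sensor": sensor, "value": value}

def multi_column_filter(name, columns):
    """Match several columns of one row; columns is a dict of column name -> value."""
    children = [{"sensor": {"column": c}, "value": v} for c, v in columns.items()]
    return {"sensor": {"name": name}, "filters": children}

def validate(flt):
    """Enforce the stated limits: one level of child filters, default EQ operator only."""
    for child in flt.get("filters", []):
        if "filters" in child:
            raise ValueError("child filters cannot contain their own child filters")
        if child.get("op", "EQ") != "EQ":
            raise ValueError("child filters support only the default EQ operator")
    return flt

def endpoints_query(flt):
    """Build the endpoints query used in the examples above, selecting only id."""
    return "{ endpoints(filter: %s) { edges { node { id } } } }" % to_graphql(validate(flt))

if __name__ == "__main__":
    # Constructed sample inputs, including a tag value that contains quotes.
    print(endpoints_query(multi_column_filter("CPU Details", {"Total Cores": "4", "CPU": "Intel"})))
    print(endpoints_query(sensor_filter("Custom Tag Exists", "true", params={"tag": 'the "blue" tag'})))
```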

Sensor readings

After you filter endpoints, you can filter your results to return data from additional sensors. As a child of the node object, define the sensor reading filter using the following syntax:

sensorReadings
  (sensors: [{name: "sensor-name"}]) {
    columns {
      column-1
      column-2
      column-n
    }
  }

For example, the following request first filters to endpoints with Firefox as an installed application, then returns the results of the Is Linux sensor for each of those endpoints:

{
  endpoints(
    filter: {sensor: {name: "Installed Applications", column: "Name"}, op: CONTAINS, value: "firefox"}
  ) {
    edges {
      node {
        name
        ipAddress
        sensorReadings(sensors: [{name: "Is Linux"}]) {
          columns {
            sensor {name}
            name
            values
          }
        }
      }
    }
  }
}