BigPanda Query Language (BPQL)

Use tag values to build search and condition filters

BigPanda Query Language (BPQL) is used for complex incident investigation and correlation pattern building in BigPanda. BPQL is necessary when searching or filtering using specific criteria. BPQL allows you to search for specific values in custom or standard tags, as opposed to general keyword searches which are much broader. Use BPQL to construct advanced search query strings and conditions to help you quickly diagnose problems and manage your infrastructure effectively.

Where To Use BPQL

Use BPQL to construct advanced query strings:

Query Assist

Query Assist opens automatically when a user clicks a Search or Condition filter field where BPQL is enabled.

Query Assist

Query Assist

Suggested tags appear in the left pane. These suggestions are based on and ordered by tag creation time. Click Show More to view additional values. You can also type a value into the search box to filter the list by name.


Recent Tags Only

Dropdowns only include alert tags that have been updated or included in an alert in the last 90 days. To use an older tag, simply type the tag name.

Syntax help appears in the right pane and lists helpful definitions and examples. Hover over a tag or operator to populate information about that value in the Syntax Help pane.

Click the blue arrow at the right of Query Assist to collapse the Syntax Help portion and view only suggested values. Click the blue arrow again to expand the Syntax Help pane again.

Building Queries Using Query Assist

Begin building a query by typing the first tag name, or selecting one of the suggested values to populate it in the search box. Enter a space after the value to prompt Query Assist to move to the next step and display available operators for the query.


Use quotes (" or ') around an exact phrase that contains spaces. For example, to search for checks containing CPU over 90% you'd enter check="CPU over 90%"

You can use special characters between quotes.


Incident Tag ID

Incident tags and some incident metadata can be used to search and filter incidents. Standard incident tags that can be searched include source_system, status, assignee, assigner, severity, zero_impact, is_active, comment. See the Tag Naming documentation for a list of system limitations tied to specific tags.

To search or define BPQL conditions using incident tags, you need to use the Incident Tag ID rather than the incident tag name.

To see the incident tag ID, click an incident tag name in Query Assist. The tag ID is then populated in the search bar or input field.

Enter a space after the operator to prompt the query assist to move to the next step. It will display suggested tag values based on existing incidents and past searches.

When searching, hit enter or click the search magnifying glass when satisfied with your query.

When building a conditional filter, you will need to save the environment, pattern, or tag to save the query settings.

Enter a space after the tag value to create a more complex query using multiple conditions. Query assist will list available conditional operators. Select or enter the desired operator in the search field and hit enter to begin the prompt process for the second tag. Continue entering or selecting values until satisfied with your query.

Syntax Rules

Basic Queries

The basic syntax for a query with a single condition is: <tag> <operator> <value>. For example:
host = srv-ny-1

Tags and values are not case sensitive.

When searching for comments, you can use "comment" as a tag to search for comments specific to a particular incident.


Finding Tag Names

The available tags can vary based on the source system and integration. To find the tag names for an integration, you can view an alert in the BigPanda UI or reference the documentation on standard tags. On the Search tab, the search bar displays suggested tags and relevant system names as you type.

Multiple Conditions and Precedence of Operators (Parentheses)

For multiple conditions, use any combination of AND and OR to combine terms in a query. For example:
host=srv-1 AND check=chk-1

Use parentheses (( )) to set precedence to a part of the query. For example:
host=srv-1 AND (check=chk-1 OR check=chk-2 OR check=chk-3)

You can use nested parentheses. For example:
host=srv-1 AND (check=chk-1 OR (check=chk-2 AND status=critical))

Tag Name Search Restrictions

Spaces, periods, and special characters are not supported when querying tag names. When creating multi-word tags, spaces should be removed or replaced with underscores.

BPQL also does not support the use of most BigPanda Reserved Words such as incident_identifier or primary_property

source_system can be used in BPQL to create correlation patterns, custom tags, and unified searches.
description can be used in BPQL to create extraction enrichment tags.

To learn more, see Tag Naming Requirements.

Value Phrases with Spaces

Use quotes (" or ') around an exact phrase that contains spaces. Spaces are allowed only between quotes. For example, to search for checks containing CPU over 90%:
check="CPU over 90%"

You can use special characters between quotes.


Use an asterisk as a wildcard to match multiple values that contain a common element. For example, to search for hosts that end with

To search for hosts that start with db and end with

To search for hosts that contain prod:

Asterisks will function as wildcards even if enclosed in quotes (" or ')

Special Characters

Use quotes (" or ') around an exact phrase that contains any of the following special characters:
= " ' | : \ / ( ) { } [ ] ^ ~ ? , < >`

For example, to search for a specific URL:

The special characters within quotes will act as literal text.

Regular Expressions (Regex)

Use a slash (/) as the first and last character to search for values that match a regex; for example, host = /<regex pattern>/.

Use a regex to find values that match a certain pattern. For example, this regex query looks for host values with any three characters followed by abc then by any 3 digits:

Regex queries are limited to 32,000 characters or less; values above this limit are trimmed.

Regex Syntax

BigPanda searches follow the Elasticsearch Regular Expression Syntax. This syntax has some differences compared to other common regex engines, including:

  • Values are case sensitive. Patterns must be entered with the correct character case for the query to match. Other searches in BigPanda, including wildcards and exact phrases, are case insensitive.
  • Queries may return the entire pattern or partial pattern depending upon the screen they are used in. If a query is performed on a screen where start (^) and end ($) characters are always assumed, partial matches will not be returned. If a query is performed on a screen that supports the inclusion of the start (^) and end ($) characters in the query, the query will return partial matches by default and you must include the characters to perform an exact match. See the Start and End Pattern Support table below for more information.
  • Queries with \s, \d, or \w are not supported.

Start (^) and End ($) Pattern Support

Search for Tags with Empty Values

A specific regex search syntax needs to be used when searching for tags with empty values:
host != /[a-zA-Z0-9]+/


!=Not equalhost!=srv-ny-1
===Strict match; true for all alerts in an incidenthost===srv-1
Equal to one of the values in a listhost IN [srv-1, srv-2]
host in [srv-1, srv-2]
not in
Not equal to any of the values in a listhost NOT IN [srv-1, srv-2]
host not in [srv-1, srv-2]
At least one of the conditions is truehost=srv-1 OR host=srv-2
host=srv-1 or host=srv-2
All of the conditions are truehost=srv-1 AND check=chk-1
host=srv-1 and check=chk-1

Strict Match vs. Equals

Strict match criteria must be met by all alerts within an incident, while an equals (=) search finds incidents that have at least one matching alert, even if other alerts do not match the criteria.


Incident-Level Functionality

Strict match applies only to incidents, not alerts. Product elements that apply to alerts (such as Alert Enrichment or Alert Filtering) do not support strict matching within BPQL conditions.

For example:

If the strict match criteria is host==="prod-1"

Incidents where all alerts are from the prod-1 host are listed as results.

Any incidents where only some of the alerts match do not appear in the results.

The below table compares a strict match and an equals search results for this query:

Example IncidentsStrict Match (host==="prod-1")Equals Match (host="prod-1")
Incident 1 contains:
Alert 1 on host = prod-1
Alert 2 on host = prod-1

- Alert 3 on host = prod-1
Incident 2 contains:
Alert 1 on host = prod-1
Alert 2 on host = prod-2

- Alert 3 on host = prod-1


Strict match considers all alerts in the incident regardless of status

Strict match considers both active and inactive alerts in an incident. If the active alerts in an incident meet the criteria and the inactive alerts don't, the incident does not match.


Strict match syntax will only work with alert tags. Strict match for incident tags is not supported.

Next Steps

Learn how to Search for Incidents in BigPanda.

Learn how to create Correlation Patterns using BPQL.

Find information about BigPanda Formula Language (BPFL)