BigPanda Query Language (BPQL)
Use tag values to build search and condition filters
A keyword search looks for a value in descriptions, source system names, incident comments and in any tag—in contrast to a BPQL query, which looks for a value in a specific tag. For tags that contain multiple values, a keyword search identifies matches if any of the values match the search term.
Where To Use BPQL
Use BPQL to construct advanced query strings:
- In the Incidents tab - Search incidents in the selected Environment and folder. You can search active incidents or incidents resolved in the last 24 hours.
- In the Search tab - Search current and historical monitoring data. You can filter incidents by Environment, source, and exact time period in the last 3 months.
- In the Correlation editor - Filter which alerts are correlated by the pattern.
- In the Changes section - Search for specific tag values in changes associated with the incident to help identify the incident's Root Cause.
Query Assist
Query Assist opens automatically when a user clicks a Search or Condition filter field where BPQL is enabled.
Suggested tags appear in the left pane. These suggestions are based on and ordered by tag creation time. Click Show More to view additional values. You can also type a value into the search box to filter the list by name.
Syntax help appears in the right pane and lists helpful definitions and examples. Hover over a tag or operator to populate information about that value in the Syntax Help pane.
Click the blue arrow at the right of Query Assist to collapse the Syntax Help portion and view only suggested values. Click the blue arrow again to expand the Syntax Help pane again.
Building Queries Using Query Assist
Begin building a query by typing the first tag name, or selecting one of the suggested values to populate it in the search box. Enter a space after the value to prompt Query Assist to move to the next step and display available operators for the query.
Use quotes (" or ') around an exact phrase that contains spaces. For example, to search for checks containing CPU over 90% you'd enter
check="CPU over 90%"You can use special characters between quotes.
Enter a space after the operator to prompt the query assist to move to the next step. It will display suggested tag values based on existing incidents and past searches.
When searching, hit enter or click the search magnifying glass when satisfied with your query.
When building a conditional filter, you will need to save the environment, pattern, or tag to save the query settings.
Enter a space after the tag value to create a more complex query using multiple conditions. Query assist will list available conditional operators. Select or enter the desired operator in the search field and hit enter to begin the prompt process for the second tag. Continue entering or selecting values until satisfied with your query.
Syntax Rules
Basic Queries
The basic syntax for a query with a single condition is: <tag> <operator> <value>. For example:
host = srv-ny-1
Tags and values are not case sensitive.
When searching for comments, you can use "comment" as a tag to search for comments specific to a particular incident.
Finding Tag Names
The available tags can vary based on the source system and integration. To find the tag names for an integration, you can view an alert in the BigPanda UI or reference the documentation on standard tags. On the Search tab, the search bar displays suggested tags and relevant system names as you type.
Multiple Conditions and Precedence of Operators (Parentheses)
For multiple conditions, use any combination of AND and OR to combine terms in a query. For example:
host=srv-1 AND check=chk-1
Use parentheses (( )) to set precedence to a part of the query. For example:
host=srv-1 AND (check=chk-1 OR check=chk-2 OR check=chk-3)
You can use nested parentheses. For example:
host=srv-1 AND (check=chk-1 OR (check=chk-2 AND status=critical))
Tag Names with Spaces and Special Characters
Spaces, periods, and special characters are not supported when querying tag names. When creating multi-word tags, spaces should be removed or replaced with underscores. To learn more, see the Tag Naming Requirements in our Enrichment user guide.
| Tag Name | Searchable |
|---|---|
servicelevel | Yes |
service_level | Yes |
service level | No |
service.level | No |
servicelevel! | No |
Reserved Words
BPQL does not support the use of most BigPanda Reserved Words such as
incident_identifierorprimary_property
source_systemcan be used in BPQL to create correlation patterns, custom tags, and unified searches.
descriptioncan be used in BPQL to create extraction enrichment tags.
Value Phrases with Spaces
Use quotes (" or ') around an exact phrase that contains spaces. Spaces are allowed only between quotes. For example, to search for checks containing CPU over 90%:
check="CPU over 90%"
You can use special characters between quotes.
Wildcards
Use an asterisk as a wildcard to match multiple values that contain a common element. For example, to search for hosts that end with .host1.com.
host=*.host1.com
To search for hosts that start with db and end with .domain1.com.
host=db*.domain1.com
To search for hosts that contain prod:
host=_prod_
Asterisks will function as wildcards even if enclosed in quotes (" or ')
Special Characters
Use quotes (" or ') around an exact phrase that contains any of the following special characters:
= " ' | : \ / ( ) { } [ ] ^ ~ ? , < >`
For example, to search for a specific URL:
url="<https://my.domain.com/businessapp">
The special characters within quotes will act as literal text.
Regular Expressions (Regex)
Use a slash (/) as the first and last character to search for values that match a regex; for example, host = /<regex pattern>/.
Use a regex to find values that match a certain pattern. For example, this regex query looks for host values with any three characters followed by abc then by any 3 digits:
host=/...abc[0-9]{3}/
Regex queries are limited to 32,000 characters or less; values above this limit are trimmed.
Regex Syntax
BigPanda searches follow the Elasticsearch Regular Expression Syntax. This syntax has some differences compared to other common regex engines, including:
- Values are case sensitive. Patterns must be entered with the correct character case for the query to match. Other searches in BigPanda, including wildcards and exact phrases, are case insensitive.
- Queries require the entire pattern to obtain a match. Regex queries do not match on partial patterns because the start (
^) and end patterns ($) are always assumed.- Queries with
\s,\d, or\ware not supported.
Search for Tags with Empty Values
A specific regex search syntax needs to be used when searching for tags with empty values:
host != /[a-zA-Z0-9]+/
Operators
| Operator | Description | Example |
|---|---|---|
| = : | Equals | host=srv-ny-1host:srv-ny-1 |
| != | Not equal | host!=srv-ny-1 |
| === | Strict match; true for all alerts in an incident | host===srv-1 |
| IN in | Equal to one of the values in a list | host IN [srv-1, srv-2]host in [srv-1, srv-2] |
| NOT IN not in | Not equal to any of the values in a list | host NOT IN [srv-1, srv-2]host not in [srv-1, srv-2] |
| OR or | At least one of the conditions is true | host=srv-1 OR host=srv-2host=srv-1 or host=srv-2 |
| AND and | All of the conditions are true | host=srv-1 AND check=chk-1host=srv-1 and check=chk-1 |
Strict Match vs. Equals
Strict match criteria must be met by all alerts within an incident, while an equals (=) search finds incidents that have at least one matching alert, even if other alerts do not match the criteria.
For example:
If the strict match criteria is host==="prod-1"
Incidents where all alerts are from the prod-1 host are listed as results.
Any incidents where only some of the alerts match do not appear in the results.
The below table compares a strict match and an equals search results for this query:
| Example Incidents | Strict Match (host==="prod-1") | Equals Match (host="prod-1") |
|---|---|---|
| Incident 1 contains: Alert 1 on host = prod-1 Alert 2 on host = prod-1 - Alert 3 on host = prod-1 |  | |
| Incident 2 contains: Alert 1 on host = prod-1 Alert 2 on host = prod-2 - Alert 3 on host = prod-1 |  | |
Strict match considers all alerts in the incident regardless of status
Strict match considers both active and inactive alerts in an incident. If the active alerts in an incident meet the criteria and the inactive alerts don't, the incident does not match.
Keyword Searches
A keyword search looks for a value in descriptions, source system names, and in any tag—in contrast to a BPQL query, which looks for a value in a specific tag. For tags that contain multiple values, a keyword search will return a match if any of the values match the search term.
You can use an asterisk (*) as a wildcard to match multiple values that contain a common element.
For example:
phx*db
would return for both phx.db and phx!db
Keyword searches can find exact search terms between special characters without using wildcards. For example, if you search for
api, it matches all tags, source system names, and descriptions whereapiis present between special characters, such asprod-api-1andweb-api. You do not need to use wildcards; for example,_api_.
You can use quotes (" or ') around an exact phrase that contains spaces. Spaces are allowed only between quotes. For example:
"CPU over 90*"
You can use a slash (/) as the first and last character to search for values that match a regex. Regular expressions are case sensitive and are limited to 32,000 characters. For example:
/...Phx[0-9]{3}/
Next Steps
Learn about searching in BigPanda using the Unified Search Tab
Learn how to create Correlation Patterns using BPQL.
Find information about BigPanda Formula Language (BPFL)
Updated about 2 months ago