BigPanda Query Language (BPQL) is used for complex incident investigation and correlation pattern building in BigPanda. BPQL is necessary when searching or filtering using specific criteria. BPQL allows you to search for specific values in custom or standard tags, as opposed to general keyword searches which are much broader. Use BPQL to construct advanced search query strings and conditions to help you quickly diagnose problems and manage your infrastructure effectively.

Where To Use BPQL

Use BPQL to construct advanced query strings:

• In the Incidents tab - Search incidents in the selected Environment and folder. You can search active incidents or incidents resolved in the last 24 hours.
• In the Search tab - Search current and historical monitoring data. You can filter incidents by Environment, source, and exact time period in the last 3 months.
• In the Correlation editor - Filter which alerts are correlated by the pattern.
• In the Changes section - Search for specific tag values in changes associated with the incident to help identify the incident's Root Cause.

Query Assist

Query Assist opens automatically when a user clicks a Search or Condition filter field where BPQL is enabled.

Suggested tags appear in the left pane. These suggestions are based on and ordered by tag creation time. Click Show More to view additional values. You can also type a value into the search box to filter the list by name.

Syntax help appears in the right pane and lists helpful definitions and examples. Hover over a tag or operator to populate information about that value in the Syntax Help pane.

Click the blue arrow at the right of Query Assist to collapse the Syntax Help portion and view only suggested values. Click the blue arrow again to expand the Syntax Help pane again.

Building Queries Using Query Assist

Begin building a query by typing the first tag name, or selecting one of the suggested values to populate it in the search box. Enter a space after the value to prompt Query Assist to move to the next step and display available operators for the query.

📘

Use quotes (" or ') around an exact phrase that contains spaces. For example, to search for checks containing CPU over 90% you'd enter check="CPU over 90%"

You can use special characters between quotes.

Enter a space after the operator to prompt the query assist to move to the next step. It will display suggested tag values based on existing incidents and past searches.

When searching, hit enter or click the search magnifying glass when satisfied with your query.

When building a conditional filter, you will need to save the environment, pattern, or tag to save the query settings.

Enter a space after the tag value to create a more complex query using multiple conditions. Query assist will list available conditional operators. Select or enter the desired operator in the search field and hit enter to begin the prompt process for the second tag. Continue entering or selecting values until satisfied with your query.

Syntax Rules

Basic Queries

The basic syntax for a query with a single condition is: <tag> <operator> <value>. For example:
host = srv-ny-1

Tags and values are not case sensitive.

When searching for comments, you can use "comment" as a tag to search for comments specific to a particular incident.

👍

Finding Tag Names

The available tags can vary based on the source system and integration. To find the tag names for an integration, you can view an alert in the BigPanda UI or reference the documentation on standard tags. On the Search tab, the search bar displays suggested tags and relevant system names as you type.

Multiple Conditions and Precedence of Operators (Parentheses)

For multiple conditions, use any combination of AND and OR to combine terms in a query. For example:
host=srv-1 AND check=chk-1

Use parentheses (( )) to set precedence to a part of the query. For example:
host=srv-1 AND (check=chk-1 OR check=chk-2 OR check=chk-3)

You can use nested parentheses. For example:
host=srv-1 AND (check=chk-1 OR (check=chk-2 AND status=critical))

Tag Name Search Restrictions

Spaces, periods, and special characters are not supported when querying tag names. When creating multi-word tags, spaces should be removed or replaced with underscores.

BPQL also does not support the use of most BigPanda Reserved Words such as incident_identifier or primary_property

source_system can be used in BPQL to create correlation patterns, custom tags, and unified searches.
description can be used in BPQL to create extraction enrichment tags.

To learn more, see Tag Naming Requirements.

Value Phrases with Spaces

Use quotes (" or ') around an exact phrase that contains spaces. Spaces are allowed only between quotes. For example, to search for checks containing CPU over 90%:
check="CPU over 90%"

You can use special characters between quotes.

Wildcards

Use an asterisk as a wildcard to match multiple values that contain a common element. For example, to search for hosts that end with .host1.com.
host=*.host1.com

To search for hosts that start with db and end with .domain1.com.
host=db*.domain1.com

To search for hosts that contain prod:
host=_prod_

Asterisks will function as wildcards even if enclosed in quotes (" or ')

Special Characters

Use quotes (" or ') around an exact phrase that contains any of the following special characters:
= " ' | : \ / ( ) { } [ ] ^ ~ ? , < >`

For example, to search for a specific URL:
url=<"https://my.domain.com/businessapp">

The special characters within quotes will act as literal text.

Regular Expressions (Regex)

Use a slash (/) as the first and last character to search for values that match a regex; for example, host = /<regex pattern>/.

Use a regex to find values that match a certain pattern. For example, this regex query looks for host values with any three characters followed by abc then by any 3 digits:
host=/...abc[0-9]{3}/

Regex queries are limited to 32,000 characters or less; values above this limit are trimmed.

📘

Regex Syntax

BigPanda searches follow the Elasticsearch Regular Expression Syntax. This syntax has some differences compared to other common regex engines, including:

• Values are case sensitive. Patterns must be entered with the correct character case for the query to match. Other searches in BigPanda, including wildcards and exact phrases, are case insensitive.
• Queries require the entire pattern to obtain a match. Regex queries do not match on partial patterns because the start (^) and end patterns ($) are always assumed.
• Queries with \s, \d, or \w are not supported.

Search for Tags with Empty Values

A specific regex search syntax needs to be used when searching for tags with empty values:
host != /[a-zA-Z0-9]+/

Operators

Strict Match vs. Equals

Strict match criteria must be met by all alerts within an incident, while an equals (=) search finds incidents that have at least one matching alert, even if other alerts do not match the criteria.

For example:

If the strict match criteria is host==="prod-1"

Incidents where all alerts are from the prod-1 host are listed as results.

Any incidents where only some of the alerts match do not appear in the results.

The below table compares a strict match and an equals search results for this query:

❗️

Strict match considers all alerts in the incident regardless of status

Strict match considers both active and inactive alerts in an incident. If the active alerts in an incident meet the criteria and the inactive alerts don't, the incident does not match.

Next Steps

Learn how to Search for Incidents in BigPanda.

Learn how to create Correlation Patterns using BPQL.

Find information about BigPanda Formula Language (BPFL)