Learn more about Nested Queries

Best Practices

(1) Use nested queries when tokens share a key. In this example the shared key is "instance".

resource.type:Instance and instance: (type:t2.micro and state:stopped)

(2) Consider the intent of your query.

Query 1: This will return controls that have High criticality and a Fail result. A control is returned only when it matches both criteria.

control: (criticality:HIGH and result:FAIL)

Query 2: This will return all controls with High criticality and all controls with Fail result. A control is returned when it matches only one criterion.

control.criticality:HIGH and control.result:FAIL

(3) When your query is nested, enter the entire shared key first for best results.

Query 1: Entire shared key is "routetable.route" (preferred format)

routetable.route: (state:active and instanceOwnerId:aws-acct-joe)

Query 2: Partial shared key is "route"

routetable: (route.state:active and route.instanceOwnerId:aws-acct-joe)

(4) Keep in mind that in some cases the preferred nested format uses the shared key "routetable".

This will return route tables with active state and VPC ID "vpc-2da7154b".

routetable: (route.state:active and vpcId:vpc-2da7154b)
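The difference between the two queries in practice (2), as an added example that is not part of the product or its documentation: a simplified Python model in which the nested form requires one control to meet both criteria, while the flat form checks each criterion independently. The record layout, the ids "res-a" to "res-c" and the function names are constructed for illustration.

```python
# Added illustration: a simplified model of nested vs. flat matching.
# Sample records and helper names are constructed, not real query output.

def nested_match(resource, key, criteria):
    """True if a single object under `key` satisfies every criterion.
    Models: control: (criticality:HIGH and result:FAIL)"""
    return any(
        all(obj.get(field) == value for field, value in criteria.items())
        for obj in resource.get(key, [])
    )

def flat_match(resource, key, criteria):
    """True if each criterion is satisfied by some object under `key`,
    not necessarily the same one.
    Models: control.criticality:HIGH and control.result:FAIL"""
    return all(
        any(obj.get(field) == value for obj in resource.get(key, []))
        for field, value in criteria.items()
    )

# Constructed sample data: three records, each with a list of controls.
RESOURCES = [
    # One control is both HIGH and FAIL.
    {"id": "res-a", "control": [{"criticality": "HIGH", "result": "FAIL"}]},
    # HIGH and FAIL appear, but on two different controls.
    {"id": "res-b", "control": [{"criticality": "HIGH", "result": "PASS"},
                                {"criticality": "LOW", "result": "FAIL"}]},
    # Neither criterion appears.
    {"id": "res-c", "control": [{"criticality": "LOW", "result": "PASS"}]},
]

CRITERIA = {"criticality": "HIGH", "result": "FAIL"}

def run(matcher):
    """Return the ids of the records the given matcher selects."""
    return [r["id"] for r in RESOURCES if matcher(r, "control", CRITERIA)]

if __name__ == "__main__":
    print("nested:", run(nested_match))  # only res-a
    print("flat:  ", run(flat_match))    # res-a and res-b
```

The record "res-b" is the case to watch for: if the intent is to find high-criticality controls that are failing, the flat form overstates the findings.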

 
