Understanding Enrichment
Also available as:
PDF

Use Stellar for Queries

You can use Stellar to create queries.

The Stellar query language supports the following:

  • Referencing fields in the enriched JSON

  • Simple boolean operations: and, not, or

  • Simple arithmetic operations: *, /, +, - on real numbers or integers

  • Simple comparison operations <, >, <=, >=

  • if/then/else comparisons (in other words, if var1 < 10 then 'less than 10' else '10 or more')

  • Determining whether a field exists (via exists)

  • The ability to have parenthesis to make order of operations explicit

  • User defined functions

The following is an example of a Stellar query:

IN_SUBNET( ip, '192.168.0.0/24') or ip in [ '10.0.0.1', '10.0.0.2' ] or exists(is_local)

This query evaluates to “true” when one of the following is true:

  • The value of the ip field is in the 192.168.0.0/24 subnet.

  • The value of the ip field is 10.0.0.1 or 10.0.0.2.

  • The field is_local exists.