Data eXploration Query Language (DXQL)
Data Exploration Query Language (DXQL)
Requires Python 3.7
- Import dxql.search.Pipeline into your project
- Instantiate a Pipeline using Pipeline.create_pipeline(query-string)
- Use the new pipeline to search over an iterable of dicts using pipeline.execute(events)
from dxql.search import Pipeline pipeline = Pipeline.create_pipeline('search ip=192.168.1.10') results = pipeline.execute(events)
events can be any iterable. To search a file, just pass the opened file to
pipeline.execute(). Each line of the file will be considered an event.
# myfile.json is a file where each line is a JSON dictionary with open('myfile.json') as file: results = pipeline.execute(file)
Searching is inspired by Splunk's query language.
Throughout the rest of this document, I will use the terms "search" and "query" interchangebly.
A query can consist of multiple commands separated by a pipe (
|). Imagine a multiple-command search as a "pipeline" where each command is applied to the data in turn, with the data being fed from one command to the next until the end of the pipeline.
There are four commands available:
search command allows you to filter the data using key-value pairs and modifiers like
NOT. It must be the first command in the query.
<comparison-expression> | NOT <expression> | <expression> OR <expression>
= | != | < | <= | > | >=
Retrieving data from an index
This search will return all data from the
Retrieving GeoIP data for specific IPs
OR modifier to specify multiple values for a field.
search index=geoip ip=192.168.1.10 OR ip=192.168.1.11
Retrieving GeoIP data for all IPs except one
search index=geoip ip!=192.168.1.15
search index=geoip NOT ip=192.268.1.15
Retrieving data for a specific IP from multiple indices
It is not required to search by index.
The above search will return data with
ip=192.168.1.15 from all indices (in this case, data from indices
ip_rdap will be returned; events in
rdap do not contain an
fields command allows you to display only the fields you want to see.
Remove all fields from the results except for
search index=geoip | fields ip continent_name
join command allows you to join data together by a field (the "by-field"). Each event that shares the same value for the by-field is joined together under one event. This allows you to join data from two disparate data sources.
join BY <by-field>
Join an IP with its associated RDAP data using the
search index=ip_rdap OR index=rdap | join BY handle
handle is the 'by-field', the field that is shared by the different kinds of data.
prettyprint command may only be used as the last command in the search. It allows you to print the result set in a prettier fashion than plain JSON blobs.
json | table
Print results as pretty JSON
format=json still prints each result as JSON but with newlines and indentation.
search index=rdap | prettyprint format=json
Print results as a table
format=table prints the results as a formatted table.
search index=rdap | prettyprint format=table
If there are a lot of fields in the result set, the results will overflow onto the next line(s); therefore, it is recommended to pare down unwanted fields using
fields before using
prettyprint format=table. This happens expecially when joining
rdap data together. Many IPs share the same
rdap data, so the IP values will become very long. I recommend specifying the IP(s) you are interested in before doing the
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
|Filename, size||File type||Python version||Upload date||Hashes|
|Filename, size dxql-0.0.6-py3-none-any.whl (12.6 kB)||File type Wheel||Python version py3||Upload date||Hashes View hashes|
|Filename, size dxql-0.0.6.tar.gz (8.0 kB)||File type Source||Python version None||Upload date||Hashes View hashes|