Use the query filter specs below in API requests that provide filtering capabilities. The filter string must be specified as an expression or list of expressions.
Filters must be specified using the following grammar:
An expression has the general form:
If <field> contains a space or a colon, it must be enclosed in double quotes.
<operator> can be an equality or relational operator, and follows the specification below:
The equality operator "=" is defined only for string fields.
The prefix match operator ":" is defined only for string fields.
The relational operators "<" | ">" | "<=" | ">=" are defined only for timestamp fields.
The <value> supplied should be a string that may be in Timestamp format depending on the <field>. If <value> contains a space or a colon, it must be enclosed in double quotes.
Expressions may be joined to form a more complex query. The BNF specification is:
The precedence of joining operations, from highest to lowest, is NOT, AND, OR.
Given below are some example filters. Note that the actual fields supported may vary between the different versions of the API. For filter columns available in v1beta1 see here.
To query for all alerts created on or after April 5, 2018:
createTime >= "2018-04-05T00:00:00Z"
To query for all alerts from the source "Gmail phishing":
To query for all alerts from a source which starts with "Gmail":
To query for all alerts which started in 2017:
startTime >= "2017-01-01T00:00:00Z" AND startTime <
To query for all user reported phishing alerts from the source "Gmail phishing":
type="User reported phishing" source="Gmail phishing"
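The quoting and operator rules above matter most when a filter string is assembled from input the caller does not control. The following Python builder is an added example, not code from the API documentation: the helper names (`expression`, `all_of`, `any_of`), the field-type table and the refusal of values containing a double quote are assumptions of this example.

```python
from datetime import datetime, timezone

STRING_OPS = {"=", ":"}                 # equality, prefix match
TIMESTAMP_OPS = {"<", ">", "<=", ">="}  # relational
# Field types inferred from this page's examples; real fields vary by API version.
SAMPLE_FIELDS = {"createTime": "timestamp", "startTime": "timestamp",
                 "source": "string", "type": "string"}

class Atom(str):
    """One <field><operator><value> expression produced by expression()."""

def _quote(token):
    """Enclose a token in double quotes if it contains a space or a colon."""
    if not token or '"' in token:
        # Assumption: the page defines no escape for an embedded quote; refuse it.
        raise ValueError(f"unsafe filter token: {token!r}")
    return f'"{token}"' if " " in token or ":" in token else token

def expression(field, op, value, fields=SAMPLE_FIELDS):
    """Build one expression, enforcing the operator rules per field type."""
    kind = fields.get(field)
    if kind is None:
        raise ValueError(f"unknown filter field: {field!r}")
    if kind == "string":
        if op not in STRING_OPS or not isinstance(value, str):
            raise ValueError(f"{field}: use '=' or ':' with a string value")
        return Atom(f"{_quote(field)}{op}{_quote(value)}")
    if op not in TIMESTAMP_OPS or not isinstance(value, datetime) or value.tzinfo is None:
        raise ValueError(f"{field}: use <, >, <=, >= with a timezone-aware datetime")
    stamp = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return Atom(f"{_quote(field)} {op} {_quote(stamp)}")

def all_of(*atoms):
    """AND together single expressions only, so no OR can end up inside."""
    if not atoms or not all(isinstance(a, Atom) for a in atoms):
        raise TypeError("all_of() accepts only values returned by expression()")
    return " AND ".join(atoms)

def any_of(*terms):
    """OR expressions or all_of() groups; AND binds tighter, so no grouping is needed."""
    return " OR ".join(terms)

if __name__ == "__main__":
    print(all_of(expression("type", "=", "User reported phishing"),
                 expression("source", "=", "Gmail phishing")))
    try:
        expression("source", "=", 'Gmail phishing" OR type="x')  # constructed untrusted input
    except ValueError as err:
        print("rejected:", err)
```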