EQL: SKOOR Engine query language

Objects can be searched or the currently visible list of objects can filtered using the SKOOR Engine Query Language EQL. The command line is hidden by default but can be opened/closed by clicking the EQL button in the lower right corner of either the left or right window pane depending on the context:

The EQL command line is implemented in configuration view but can also be used within the admin view search. For example, to view all ICMP jobs below the current object, enter the following EQL query in the query input field:

Syntax

COMMAND Object-type WHERE variable Operator value [AND|OR variable Operator value]

COMMAND	`GET / CHECK / START / STOP / DELETE / SET / RESET`
`Object-type`	`device, job, SLO, ...` or `*` for any
`WHERE`	Key word
`Variable`	The following variables require a string as value: `Name`, `subtype`, `address`, `netmask`, `property("propertyname")` The following variable requires a numerical value: `id` The following variable requires a state as value: `state`
`Operator`	`=`, `!=`, `~=`, `^=`, etc. (see below)
`Value`	A string (with quotes `"..."`), a number (without quotes) or a state (without quotes). Strings (in quotes) are parsed like C strings and must be escaped in the same way. The regex `"\d{2}$"` has to be antered as `"\\d{2}$"`. `\n`, `\b` etc. may also be used (`"\n"` is used to escape a `"newline"`).
`AND / OR`	Keyword for multiple `WHERE` conditions

EQL commands

GET

list objects

Additional EQL commands for jobs

Command	Function
`CHECK`	Execute `check now` operation on jobs
`START`	Start job(s)
`STOP`	Stop job(s)
`DELETE`	Delete job(s) (only for users of type Administrator)
`SET TO OK`	Set the state of the job(s) to `OK`
`SET TO WARNING`	Set the state of the job(s) to `Warning`
`SET TO MINOR`	Set the state of the job(s) to `Minor`
`SET TO NO DATA`	Set the state of the job(s) to `No Data`
`SET TO MAJOR`	Set the state of the job(s) to `Major`
`SET TO UNDEFINED`	Set the state of the job(s) to `Undefined`
`SET TO MAINTENANCE OK`	Set the state of the job(s) to `Maintenance OK`
`SET TO MAINTENANCE WARNING`	Set the state of the job(s) to `Maintenance Warning`
`SET TO MAINTENANCE MINOR`	Set the state of the job(s) to `Maintenance Minor`
`SET TO MAINTENANCE NO DATA`	Set the state of the job(s) to `Maintenance No Data`
`SET TO MAINTENANCE MAJOR`	Set the state of the job(s) to `Maintenance Major`
`RESET`	Reset the state of job(s) to their original state

If a CHECK command query finds more than 50 jobs, it will execute check now on the first 50 jobs and schedule the rest of the found jobs to have them checked in the background to avoid synchronization of too many jobs.

After running e.g. CHECK job WHERE subtype="icmp", the command line is automatically changed to GET job WHERE subtype="icmp".

All of the above commands work recursively, which means all objects below the currently selected object that match the criteria are acted upon.

EQL operators

`=`	equals
`!=`	does not equal
`>=`	greater than or equal
`>`	greater than
`<=`	less than or equal
`<`	less than

Additional operators for strings

`~=`	matches
`^=`	starts with
`~~`	contains
`$=`	ends with
`!~`	does not match
`!^`	does not start with
`!!`	does not contain
`!$`	does not end with

Additional operators for properties

is defined

is not defined

Additional operators for jobs and schedulers

`is stopped`	is stopped
`is not stopped`	is started

EQL examples

Command	Function
`GET *`	all objects (default)
`GET job`	all jobs
`GET device`	all devices
`GET * where id = 10`	all objects with `id` `10`
`GET * WHERE name = "foo"`	all objects with `name` `"foo"`
`GET job WHERE name ^= "client-"`	all jobs whose `name` starts with `"client"`
`GET job WHERE name $= "-snmp"`	all jobs whose `name` ends with `"-snmp"`
`GET job WHERE state != ok`	all jobs with state not OK
`GET slo WHERE name ~~ "DNS"`	all SLOs where `name` contains `"DNS"`
`GET job WHERE subtype = "icmp"`	all ICMP jobs
`GET job WHERE execution is not stopped`	all currently started jobs
`GET job WHERE name ~~ "Mail" AND subtype = "Imap"`	all IMAP jobs whose `name` contains `"Mail"`
`GET device WHERE address = "10.1.0.155"`	all devices with `address` `"10.1.0.155"`
`GET device WHERE address ^= "10.1.1"`	all devices where `address` field starts with `"10.1.1"`
`GET device WHERE state = no data`	all devices in state `No Data`
`GET device WHERE name ~= "\\d{2}$"`	all devices where `name` matches the regular expression
`GET slo WHERE state = minor OR state = major`	all SLOs in states Minor or Major
`GET device WHERE property("owner") = "Joe"`	all devices whose property `owner` matches `"Joe"`
`GET job WHERE property("service_kpi") IS DEFINED`	all jobs that have the property `service_kpi` set
`GET device WHERE property("Green, Blue or Red") = "Red"`	all devices
`GET scheduler WHERE execution is stopped`	all stopped schedulers
`START job WHERE subtype = icmp`	start all ICMP jobs
`STOP job WHERE name ^= "server"`	stop all jobs whose name begins with `"server"`
`SET TO OK job WHERE subtype = "execute"`	set all execute jobs to state `OK`
`SET TO MAINTENANCE MAJOR job where subtype="parsefile"`	set all parsefile jobs to state `Maintenance Major`

Using EQL one can easily link a set of objects below a group or an SLO.

Example: Link all routers and switches to the SLO /root/Customer/Services/SLOs/Network service

Choose Edit dependency from the dropdown list of the SLO Network service
Navigate to /root/Customer/Devices in the window on the right side
Click the EQL button in the lower right corner of the window on the right side
Enter the search query: GET device WHERE subtype = "router" OR subtype = "switch"
Select all devices by clicking the topmost checkbox
Click one of the arrows to the left. All devices should now be visible in the left window
Confirm by clicking the OK button

Quick search with EQL operators

The following EQL operators are also available for search in the SKOOR Engine quick search text box in the header of SKOOR Engine’s configuration view:

`=`	equals
`!=`	does not equal
`~=`	matches
`^=`	starts with
`~~`	contains
`$=`	ends with
`!~`	does not match
`!^`	does not start with
`!!`	does not contain
`!$`	does not end with

Examples:

Search string	Searches all
`id=15`	objects where the `id` is `15`
`addr=192.168.1.2`	devices with a specific address
`=dns01`	objects with `name` = `"dns01"`
`^=dns`	objects with `name` beginning with `"dns"`
`$=01`	objects with `name` ending in `"01"`
`!$01`	objects with `name` not ending in `"01"`
`!!dns`	objects with `name` not containing `"dns"`
`~=DNS.*ch`	objects with `name` containing `"DNS"` `"ch"`
`~=^DNS.*ch$`	objects with `name` starting with `"DNS"` and ending in `"ch"`
`~=dns\d\d$`	objects with `name` containing `"dns"` followed by 2 digits