SRQL Cookbook

Task-oriented, copy-paste SRQL recipes. Each recipe has a goal, a query you can run as-is, and a one-line note. Adjust hostnames, IPs, and time windows to match your environment.

New to the language? Read the SRQL Tutorial first. For the full list of entities, fields, and operators, see the SRQL Reference.


Finding and inspecting devices

List recently seen devices

in:devices sort:last_seen:desc limit:25

The 25 devices that checked in most recently.

Find a device by hostname

in:devices hostname:%edge%

Wildcard match — every device whose hostname contains edge.

Find a device by IP, CIDR, or range

in:devices ip:10.20.0.0/16

ip: accepts a single address, a CIDR block, or a range like 10.20.0.10-10.20.0.50.
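The three argument forms above select devices by address membership. The following Python module, added here as an illustration rather than taken from ServiceRadar, models that matching with the standard `ipaddress` library; the device records and the exact evaluation rules (equality for a single address, containment for a CIDR block, inclusive bounds for a range, no cross-version matches) are assumptions made for this example, since the page does not show how the server evaluates the filter.

```python
"""How an SRQL ``ip:`` argument selects devices (added illustration).

The cookbook documents three argument forms: a single address, a CIDR
block, and a dash-separated range. How the ServiceRadar server evaluates
them is not shown on the page, so this module models the natural reading
as an assumption: a device matches when its address equals the single
address, lies inside the block, or falls within the inclusive range.
"""
from __future__ import annotations

import ipaddress
from typing import Callable

# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    {"hostname": "edge-01", "ip": "10.20.0.12"},
    {"hostname": "edge-02", "ip": "10.20.0.200"},
    {"hostname": "core-01", "ip": "10.21.0.1"},
    {"hostname": "lab-v6", "ip": "2001:db8::1"},
    {"hostname": "broken", "ip": "not-an-ip"},  # malformed record
]


def parse_ip_filter(arg: str) -> Callable[[str], bool]:
    """Turn the text after ``ip:`` into a predicate over device IP strings.

    Raises ValueError for a malformed argument; the returned predicate
    raises ValueError for a malformed device address.
    """
    arg = arg.strip()
    if "/" in arg:
        # CIDR block such as 10.20.0.0/16; strict=False tolerates host bits.
        net = ipaddress.ip_network(arg, strict=False)
        # Membership across IP versions is simply False, never an error.
        return lambda ip: ipaddress.ip_address(ip) in net
    if "-" in arg:
        # Inclusive range such as 10.20.0.10-10.20.0.50
        lo_s, hi_s = (p.strip() for p in arg.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version:
            raise ValueError("range endpoints must share an IP version")
        if lo > hi:
            raise ValueError("range start is after range end")

        def in_range(ip: str) -> bool:
            addr = ipaddress.ip_address(ip)
            # Ordering v4 against v6 objects raises TypeError, so check the version first.
            return addr.version == lo.version and lo <= addr <= hi

        return in_range
    # Single address; equality across versions is simply False.
    single = ipaddress.ip_address(arg)
    return lambda ip: ipaddress.ip_address(ip) == single


def filter_devices(devices: list[dict], arg: str) -> list[str]:
    """Hostnames of the devices whose ``ip`` satisfies the ``ip:`` argument."""
    matches = parse_ip_filter(arg)
    hits = []
    for dev in devices:
        try:
            if matches(dev["ip"]):
                hits.append(dev["hostname"])
        except ValueError:
            # A record with an unparsable address can never match a filter.
            continue
    return hits


if __name__ == "__main__":
    for arg in ("10.20.0.0/16", "10.20.0.10-10.20.0.50", "10.21.0.1"):
        print(f"ip:{arg:<24} -> {filter_devices(SAMPLE_DEVICES, arg)}")
```

The version check before the range comparison matters: the `ipaddress` module refuses to order an IPv4 address against an IPv6 one, so an inventory that mixes both would otherwise abort the whole filter on the first IPv6 host instead of just not matching it.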

List devices from one vendor

in:devices vendor_name:Cisco sort:hostname:asc

Use quotes for multi-word vendors: vendor_name:"Axis Communications".

Find unreachable devices

in:devices is_available:false sort:last_seen:desc

Devices currently marked unavailable, newest first.

Devices discovered by a specific source

in:devices discovery_sources:(armis)

discovery_sources is an array field; the list form matches devices whose array contains the listed source.

Devices imported by an Armis integration query

in:devices metadata.integration_type:armis metadata.query_label:managed

metadata.<key> filters arbitrary metadata; quote values with spaces.

Count devices by type

in:devices stats:count() as total by type

A breakdown of inventory by device type.

Count devices by vendor

in:devices stats:count() as total by vendor_name sort:total:desc

The most common vendors in your fleet.


Inspecting events and logs

Recent events, newest first

in:events time:last_24h sort:time:desc limit:50

A live feed of the latest events.

High-severity events only

in:events time:last_24h severity_id:>3 sort:time:desc

Filters out low-severity noise.

Events for a specific device

in:events device_id:<device-uid> time:last_7d sort:time:desc

Everything that happened on one device this week.

Search event messages

in:events message:%authentication% time:last_24h

Free-text search inside event messages with a wildcard.

Error logs from one service

in:logs service_name:serviceradar-core severity_text:error time:last_1h

Recent error-level lines from a single service.

Logs across several severities

in:logs severity_text:(error,warn) time:last_6h sort:timestamp:desc

The list form matches any of the listed severities.

Search log bodies

in:logs body:%timeout% time:last_24h

Find log lines mentioning timeout.

Correlate logs by trace ID

in:logs trace_id:<trace-id> sort:timestamp:asc

All log lines for one distributed trace, in order.

Count log volume by severity

in:logs time:last_24h stats:count() as total by severity_text

How much of each severity you are producing.


NetFlow traffic queries

Top talkers by bytes

in:flows time:last_1h stats:sum(bytes_total) as bytes by src_ip sort:bytes:desc limit:10

The 10 source IPs that sent the most traffic.

Traffic to a specific destination

in:flows dst_ip:8.8.8.8 time:last_24h sort:bytes_total:desc

All flows headed to one destination address.

Large flows above a threshold

in:flows bytes_total:>10000000 time:last_1h sort:bytes_total:desc

Flows that moved more than 10 MB.

Traffic on a specific port

in:flows dst_port:(443,8443) time:last_1h

HTTPS-style traffic; the list form matches either port.

Traffic from a subnet

in:flows src_cidr:10.0.0.0/8 time:last_1h sort:bytes_total:desc

src_cidr / dst_cidr match flows inside a CIDR block.

Traffic broken down by application

in:flows time:last_1h stats:sum(bytes_total) as bytes by app sort:bytes:desc

app is the derived application classification label.

Flow volume over time (chart)

in:flows time:last_6h bucket:5m agg:sum value_field:bytes_total

Five-minute buckets suitable for a time-series chart.


BGP routing queries

BGP routing data is queried with in:bmp_events — peer events and prefix advertisements collected via the BGP Monitoring Protocol.

Recent BGP routing events

in:bmp_events time:last_24h sort:time:desc limit:50

The latest BMP events across all routers.

Events from one router

in:bmp_events router_ip:10.42.68.85 time:last_24h sort:time:desc

All routing activity reported by a single router.

Events for a specific BGP peer

in:bmp_events peer_ip:10.42.68.1 time:last_7d

Track one peering session.

Events for a peer ASN

in:bmp_events peer_asn:64512 time:last_24h

peer_asn and local_asn are numeric fields.

Track a specific prefix

in:bmp_events prefix:%203.0.113.0% time:last_7d sort:time:desc

Advertisements and withdrawals touching a prefix.


Building queries for alert rules

Alert rules run an SRQL query on a schedule and fire when results cross a threshold. Keep rule queries tightly scoped: an explicit entity, a time: window, and a condition.

Devices that went offline

in:devices is_available:false time:last_15m

Any result rows mean devices are down.

Sustained high CPU

in:cpu_metrics time:last_15m usage_percent:>90 sort:usage_percent:desc

Hosts running hot in the recent window.

Disks nearly full

in:disk_metrics time:last_30m usage_percent:>85 sort:usage_percent:desc

Mount points approaching capacity.

High memory pressure

in:memory_metrics time:last_15m usage_percent:>90

Hosts with little free memory.

Spike in error logs

in:logs severity_text:error time:last_5m stats:count() as errors

Compare the errors count against your alert threshold.

Burst of high-severity events

in:events severity_id:>3 time:last_5m stats:count() as critical_events

Alert when critical_events exceeds a baseline.

Service availability check

in:services available:false time:last_10m

Services reporting as unavailable.
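The scoping advice for rule queries (one entity, a time: window, a condition) can be checked mechanically before a rule is saved. The Python module below is an added illustration, not ServiceRadar code: its clause grammar is inferred from the queries on this page (key:value pairs, quoted values, (a,b) lists, >N comparisons and the stats:fn() as alias by field form), and the set of "control" keys it treats as non-conditions is an assumption made for the example.

```python
"""Tokenizer and scoping check for SRQL alert-rule queries (added illustration).

The clause grammar is inferred from the cookbook's own examples: key:value
pairs, "quoted values", (a,b) lists, >N comparisons and the
stats:fn() as alias by field form. It is an assumption made for this
example, not ServiceRadar's real parser, and the scoping rules encode the
page's advice: one entity, a time: window, and at least one filter condition.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# One clause is key:value, where value is quoted, a (list), or a bare token
# that may carry call parentheses such as count() or sum(bytes_total).
# Bare words (as, by and their operands) are matched by the second branch.
CLAUSE_RE = re.compile(
    r'(?P<key>[A-Za-z_][\w.]*):'
    r'(?P<value>"[^"]*"|\([^)]*\)|[^\s"()]+(?:\([^)]*\))?)'
    r'|(?P<word>[A-Za-z_]\w*)'
)
# Keys that steer the query rather than filter rows (assumed set).
CONTROL_KEYS = {"in", "time", "sort", "limit", "stats", "bucket", "agg", "value_field", "latest"}
COMPARISON_OPS = (">=", "<=", "!=", ">", "<")


@dataclass
class Clause:
    key: str
    op: str = "="                    # "=", ">", ">=", "<", "<=", "!="
    values: list[str] = field(default_factory=list)
    alias: Optional[str] = None      # stats:... as <alias>
    group_by: Optional[str] = None   # stats:... by <field>


def parse_srql(query: str) -> list[Clause]:
    """Split a query into clauses; raises ValueError on text it cannot place."""
    clauses: list[Clause] = []
    pending: Optional[str] = None    # "as" or "by" waiting for its operand
    pos = 0
    for m in CLAUSE_RE.finditer(query):
        if query[pos:m.start()].strip():
            raise ValueError(f"unparsable text {query[pos:m.start()].strip()!r}")
        pos = m.end()
        if m.group("word"):
            word = m.group("word")
            if word in ("as", "by"):
                if not clauses or clauses[-1].key != "stats":
                    raise ValueError(f"{word!r} must follow a stats: clause")
                pending = word
            elif pending == "as":
                clauses[-1].alias, pending = word, None
            elif pending == "by":
                clauses[-1].group_by, pending = word, None
            else:
                raise ValueError(f"unexpected word {word!r}")
            continue
        key, raw = m.group("key"), m.group("value")
        op = "="
        for cand in COMPARISON_OPS:          # peel a leading comparison operator
            if raw.startswith(cand):
                op, raw = cand, raw[len(cand):]
                break
        if raw.startswith("(") and raw.endswith(")"):
            values = [v.strip() for v in raw[1:-1].split(",") if v.strip()]
        else:
            values = [raw.strip('"')]
        clauses.append(Clause(key, op, values))
    if query[pos:].strip():
        raise ValueError(f"unparsable text {query[pos:].strip()!r}")
    if pending:
        raise ValueError(f"dangling {pending!r}")
    return clauses


def check_alert_rule(query: str) -> list[str]:
    """Scoping problems for a query meant to back an alert rule; empty means OK."""
    clauses = parse_srql(query)
    keys = [c.key for c in clauses]
    problems = []
    if keys.count("in") != 1:
        problems.append("name exactly one entity with in:")
    if "time" not in keys:
        problems.append("add a time: window so the rule only scans recent rows")
    if not any(c.key not in CONTROL_KEYS for c in clauses):
        problems.append("add a condition so the rule does not match every row")
    return problems


if __name__ == "__main__":
    for q in ("in:devices is_available:false time:last_15m",
              "in:devices sort:last_seen:desc limit:25"):
        print(q, "->", check_alert_rule(q) or "ok")
```

Run as a pre-save hook, this rejects the unbounded inventory listing while accepting every rule query in this section; a query that parses but carries no filter clause is the usual cause of a rule that fires on every evaluation.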


Common troubleshooting queries

Is a device reporting at all?

in:devices hostname:%<name>% sort:last_seen:desc

Check last_seen to see when the device last checked in.

What changed on a device recently?

in:events device_id:<device-uid> time:last_1h sort:time:desc

Recent activity on a suspect device.

Find slow service spans

in:otel_metrics is_slow:true time:last_1h sort:timestamp:desc

Span-derived metrics flagged as slow.

Inspect a failing trace

in:traces status_code:2 time:last_1h sort:timestamp:desc

Trace spans with an error status code.

Check interface status on a device

in:interfaces device_ip:10.0.0.5 latest:true

latest:true returns the most recent record per interface.

Find down interfaces

in:interfaces oper_status:down latest:true

Interfaces currently in a down operational state.

Verify gateway health

in:gateways is_healthy:false

Gateways that are not reporting healthy.

Recent SNMP metric values for a device

in:snmp_metrics device_id:<device-uid> time:last_1h sort:timestamp:desc

Confirm SNMP polling is producing data.

Check unresolved alerts

in:alerts status:open sort:triggered_at:desc

Open alerts, most recently triggered first.


See also