Dashboard Toolbox - Improving Dashboard Performance through Query Formatting and Filters

Document created by DMFezzaReed (Employee) on Jul 13, 2018. Last modified by DMFezzaReed (Employee) on Sep 25, 2019. Version 17.

Welcome to Dashboard Toolbox - Improving Dashboard Performance through Query Formatting and Filters.

 

Here we will collaboratively and constructively collect a list of query format choices that help improve the performance of your dashboard(s). As new recommendations arise, they will be added to this page and to the scope of the technical publications when the dashboards move to GA.


 

 

Maximum Character Limits (including alphanumeric, special characters and spaces) 

  • Query Tokens: 256 characters
  • Query String: 4096 characters

 

New VM Dashboard BETA Annotations, Suggestions and Recommendations

 

1.  New (Sep 25, 2019) DON'T MIX YOUR QUERY TOKENS: When you are working on a dashboard that contains more than one data-source query box (indicated by the plus sign to the right of the query search box), make absolutely certain you include only the tokens applicable to the data source shown to the left of the query search box.

  • In the image below, the data source is the vulnerability index, so you will only want to enter vulnerability detection tokens here. The interface will only provide autocomplete options for tokens that are valid for the query search box you are in. In other words, do not enter asset tokens in this box, and vice versa. If you copy/paste an asset token into the Vulnerability query search, or a vulnerability detection token into the Asset query search, you may receive invalid results.

 

2.  Updated (Sep 25, 2019) When working in the new dashboard, you need to stipulate which status values you want to see, using the status token: vulnerabilities.status:[NEW, ACTIVE, REOPENED, FIXED]

  • Enhancements were implemented adding global exclude filters, so you need to be careful:
    • When you apply the status token, you need to UNCHECK the FIXED filter.
    • When you apply the global exclude filter EXCLUDE FIXED, to display only open (NEW, ACTIVE, and REOPENED) detections, you should OMIT the status token in the widget or query.
    • If you attempt to use the token and the filter together, bad ju-ju happens; it's better to pick your poison!

 

3.  When working in the new dashboard, nesting within a query is only required for ASSET queries, not for VULNERABILITY queries.

4.  It's important to review this page frequently throughout the beta for the best way to format your queries: Dashboard Toolbox - Improving Dashboard Performance through Query Formatting

Query Operators

Brackets and Parentheses

A square bracket makes that end of the range inclusive; a parenthesis makes it exclusive.

token:[5 .. 10] returns 5,6,7,8,9,10
token:(5 .. 10) returns 6,7,8,9

and, you can mix and match:

token:[5 .. 10) returns 5,6,7,8,9
token:(5 .. 10] returns 6,7,8,9,10

Greater Than, Greater Than or Equal, Less Than, Less Than or Equal

token > 5 returns 6+
token >= 5 returns 5+
token < 5 returns 0 thru 4
token <= 5 returns 0 thru 5

(NO) QUOTATION MARKS, Double Quotes, and the Grave Accent (`) for Exact Match  New

Finding Related Items - No Quotation Marks:

token:xxxxxxxx

Contains - Double Quotes:

token:"xxxxxxxx"

Exact Match - Grave Accents (a "grave quote" is the backtick character, `):

token:`xxxxxx`

 

 

Recommended Query Formatting for Performance

Recommendation: Try to reduce the use of range queries, where possible
  Instead of this...  vulnerabilities.vulnerability.severity:[3..5]
  Try this...         vulnerabilities.vulnerability.severity:[3,4,5]

Recommendation: Try to reduce, or eliminate, the use of NOT within the query
  Instead of this...  not vulnerability.typeDetected:Information
  Try this...         vulnerability.typeDetected:[Confirmed,Potential]
  See Also: Dashboard Toolbox - VM DASHBOARD BETA - Discrepancy: Vulnerability Query Formatting and Use of the NOT clause

Recommendation: Query for Operating System using the Asset token vs. the Vulnerability token
  Instead of this...  vulnerabilities.hostOS:
  Try this...         operatingSystem:
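The bracket/parenthesis range semantics from the Query Operators section, together with the range-to-explicit-list rewrite recommended in the table above, worked through in Python as an added example (this is not Qualys code; the regular expression and the function names are this example's own):

```python
import re

# Range syntax as described on this page: "[" / "]" give an inclusive bound,
# "(" / ")" give an exclusive bound, and the two may be mixed,
# e.g. token:[5 .. 10) matches 5,6,7,8,9. Spaces around ".." are optional,
# so the table's form severity:[3..5] is accepted too.
RANGE_RE = re.compile(
    r"^(?P<token>[\w.]+):(?P<lo_b>[\[(])\s*(?P<lo>-?\d+)\s*\.\.\s*"
    r"(?P<hi>-?\d+)\s*(?P<hi_b>[\])])$"
)


def parse_range(expr):
    """Return (token, lo, hi) as a closed integer interval, with any
    exclusive bound already moved inward by one."""
    m = RANGE_RE.match(expr.strip())
    if not m:
        raise ValueError(f"not a range expression: {expr!r}")
    lo, hi = int(m["lo"]), int(m["hi"])
    if m["lo_b"] == "(":  # exclusive lower bound
        lo += 1
    if m["hi_b"] == ")":  # exclusive upper bound
        hi -= 1
    return m["token"], lo, hi


def expand_range(expr):
    """Integers matched by the expression, e.g. 'token:(5 .. 10]' -> [6, 7, 8, 9, 10]."""
    _, lo, hi = parse_range(expr)
    return list(range(lo, hi + 1))


def matches(expr, value):
    """True when an integer value satisfies the range expression."""
    _, lo, hi = parse_range(expr)
    return lo <= value <= hi


def to_list_form(expr):
    """Rewrite a range query into the explicit-list form the table recommends
    for performance: '...severity:[3..5]' -> '...severity:[3,4,5]'."""
    token, lo, hi = parse_range(expr)
    if hi < lo:
        raise ValueError(f"range matches nothing: {expr!r}")
    return f"{token}:[{','.join(str(v) for v in range(lo, hi + 1))}]"
```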

New Jul 24, 2018

Query for a Date Range

To query "from this point in time to now", the GT (>) sign should be used vs. ...

  • Greater Than (>) is from a point in time forward (until now)

To select detections within the last 90 days (range form):

lastVMScanDate:[now-90d .. now]

To select detections within the last 90 days (GT form):

lastVMScanDate > now-90d

If you want to include day 90: lastVMScanDate >= now-90d

New Jul 24, 2018

Query for a Date Range

To query "prior to this point in time", the LT (<) sign should be used vs. ...

  • Less Than (<) is from a point in time backwards

To select detections older than 90 days (range form):

lastVMScanDate:[2012-01-01 .. now-90d]

To select detections older than 90 days (LT form):

lastVMScanDate < now-90d
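The boundary difference between the range form, the > form and the >= form described above, run over constructed detection records in Python as an added example (this is not Qualys code; the function names are this example's own, and the fixed "today" and the sample records are constructed so the result is reproducible):

```python
import re
from datetime import date, timedelta

# Resolves the relative date syntax used on this page ("now", "now-90d")
# and absolute ISO dates ("2012-01-01") to a concrete date.
REL_RE = re.compile(r"^now(?:-(?P<days>\d+)d)?$")


def resolve(bound, today):
    m = REL_RE.match(bound.strip())
    if m:
        return today - timedelta(days=int(m["days"] or 0))
    return date.fromisoformat(bound.strip())


def compare_filter(detections, field, op, bound, today):
    """Filter records with a comparison such as 'lastVMScanDate > now-90d'.
    op is one of '>', '>=', '<', '<='."""
    cutoff = resolve(bound, today)
    cmp = {
        ">": lambda d: d > cutoff,
        ">=": lambda d: d >= cutoff,
        "<": lambda d: d < cutoff,
        "<=": lambda d: d <= cutoff,
    }[op]
    return [r for r in detections if cmp(r[field])]


def range_filter(detections, field, lo, hi, today):
    """Inclusive bracket range such as lastVMScanDate:[now-90d .. now]."""
    lo_d, hi_d = resolve(lo, today), resolve(hi, today)
    return [r for r in detections if lo_d <= r[field] <= hi_d]


def ids(rows):
    return [r["id"] for r in rows]


# Constructed sample data: a fixed "today" and three detections whose last
# scan fell 1, exactly 90, and 200 days before it. det-2 sits on the day-90
# boundary, which is where '>' and '>=' (or the inclusive range) differ.
TODAY = date(2019, 9, 25)
DETECTIONS = [
    {"id": "det-1", "lastVMScanDate": TODAY - timedelta(days=1)},
    {"id": "det-2", "lastVMScanDate": TODAY - timedelta(days=90)},
    {"id": "det-3", "lastVMScanDate": TODAY - timedelta(days=200)},
]
```

Running `compare_filter(DETECTIONS, "lastVMScanDate", ">", "now-90d", TODAY)` drops det-2, while `">="` and the range form `[now-90d .. now]` both keep it.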

New Jul 24, 2018

NEW VM DASHBOARD BETA

VULNERABILITY query nesting within the New Vulnerability Management Dashboard BETA is no longer required.

[However, nesting is still required for the ASSET query within the New Vulnerability Management Dashboard BETA.]

Instead of this (nested)...

vulnerabilities: (vulnerability.severity:[3,4,5] and typeDetected:[Confirmed]) and vulnerabilities.vulnerability.vendors.vendorName:Cisco

Try this (not nested)...

vulnerabilities.vulnerability.severity:[3,4,5] and vulnerabilities.typeDetected:[Confirmed] and vulnerabilities.vulnerability.vendors.vendorName:Cisco

 

 

Please feel free to comment, ask questions, and make suggestions for content below. DMFezzaReed will review and acknowledge both at least once each week.

 

 

 

 
