BigPanda Query Language (BPQL) (ADR)

BigPanda Query Language (BPQL) is used for complex incident investigation and correlation pattern building in BigPanda. BPQL is necessary when searching or filtering using specific criteria. BPQL allows you to search for specific values in custom or standard tags, as opposed to general keyword searches which are much broader. Use BPQL to construct advanced search query strings and conditions to help you quickly diagnose problems and manage your infrastructure effectively.

Syntax Rules

BPQL uses the following syntax rules:

Start (^) and End ($) Pattern Support

Screen	Is the start (^) and end ($) for the pattern assumed?	Is the start (^) and end ($) for the pattern supported?
Environments - Incident Search	Yes	No
Environment Configuration	Yes	Yes
Environment Configuration - Preview	Yes	No
Alert Enrichment - Extraction Enrichment	No	Yes
Alert Enrichment - Preview	Yes	No
Alert Filtering	No	Yes
Alert Filtering - Preview	Yes	No
Alert Correlation	No	Yes
Alert Correlation - Preview	No	Yes
Incident Enrichment	No	Yes
Planned Maintenance	No	Yes

Search for Tags with Empty Values

A specific regex search syntax needs to be used when searching for tags with empty values:

host != /[a-zA-Z0-9]+/

Operators

Operator	Description	Example
`=` `:`	Equals	`host=srv-ny-1` `host:srv-ny-1`
`!=`	Not equal	`host!=srv-ny-1`
`===`	Strict match; true for all alerts in an incident	`host===srv-1`
`IN` `in`	Equal to one of the values in a list	`host IN [srv-1, srv-2]` `host in [srv-1, srv-2]`
`NOT IN` `not in`	Not equal to any of the values in a list Note: When using this operator, BigPanda requires a check for the same tag to work correctly. Without it, the query will default to "true."	`host=* AND host NOT IN [srv-1, srv-2]` `host=* AND host not in [srv-1, srv-2]`
`OR` `or`	At least one of the conditions is true	`host=srv-1 OR host=srv-2` `host=srv-1 or host=srv-2`
`AND` `and`	All of the conditions are true	`host=srv-1 AND check=chk-1` `host=srv-1 and check=chk-1`

Strict Match vs. Equals

Strict match criteria must be met by all alerts within an incident, while an equals (=) search finds incidents that have at least one matching alert, even if other alerts do not match the criteria.

Incident-level functionality

Strict match applies only to incidents, not alerts. Product elements that apply to alerts (such as Alert Enrichment or Alert Filtering) do not support strict matching within BPQL conditions.

For example:

If the strict match criteria is host==="prod-1"

Incidents where all alerts are from the prod-1 host are listed as results.

Any incidents where only some of the alerts match do not appear in the results.

The below table compares a strict match and an equals search results for this query:

Example Incidents	Strict Match (host==="prod-1")	Equals Match (host="prod-1")
Incident 1 contains: Alert 1 on host = prod-1 Alert 2 on host = prod-1 - Alert 3 on host = prod-1	Yes	Yes
Incident 2 contains: Alert 1 on host = prod-1 Alert 2 on host = prod-2 - Alert 3 on host = prod-1	No	Yes

Example Incidents

Strict Match (host==="prod-1")

Equals Match (host="prod-1")

Incident 1 contains:

Alert 1 on host = prod-1

Alert 2 on host = prod-1

- Alert 3 on host = prod-1

Yes

Incident 2 contains:

Alert 1 on host = prod-1

Alert 2 on host = prod-2

- Alert 3 on host = prod-1

Yes

Strict match considers all alerts in the incident regardless of status

Strict match considers both active and inactive alerts in an incident. If the active alerts in an incident meet the criteria and the inactive alerts don't, the incident does not match.

Strict match syntax

Strict match syntax will only work with alert tags. Strict match for incident tags is not supported.

Next Steps

Learn how to Search for Incidents in BigPanda.

Learn how to create Correlation Patterns using BPQL.

Find information about BigPanda Formula Language (BPFL)

In this section: