CEL Query Structure
CEL or Common Expression Language is used in various locations in the platform to allow for advanced query implementation in a typed language.
CEL itself was developed by Google originally and is used in many places, details of the project can be found in CEL Website or CEL Github
CEL Syntax
The following sections explain the syntax supported by CEL for generating queries. Queries are built from operators and field name values to allow you to filter objects for display or selection in the platform.
Cel Operators
The following table gives an overview of the operators that are supported by cell for being able to build queries
| Operator | Example CEL Query | Meaning |
|---|---|---|
== | e.hostname == "qa-server-1" | Match exact value of qa-server-1 |
!= | e.hostname != "prod-server" | Match everything that is not prod-server |
.startsWith | e.hostname.startsWith("qa-") | Match anything that begins with qa- |
.endsWith | e.hostname.endsWith(".corp.local") | Match anything that ends with .corp.local |
.contains | e.hostname.contains("test") | Match when value contains test |
Grouping or Combining CEL
To combine queries together CEL supports a structure using boolean logic between expressions, examples are included below
| Operator | Example CEL Query | Meaning |
|---|---|---|
| && | e.os.startsWith("Windows") && e.hostname.contains("qa") | Endpoint operating system starts with either Windows AND hostname includes qa |
| || | e.os.startsWith("Windows") || e.os.startsWith("Mac") | Endpoint operating system starts with either Windows OR Mac |
| IN | e.hostname in ["qa-1", "qa-2"] | Hostname matches any one object IN the list or supplied hostnames |
In the case of the IN match the match is an exact match so the query could be be described in a long-form manner as
e.hostname == "qa-1 || e.hostname == "qa-2"
Complex Queries
In the examples used above the NOT ! option this can be used to prefix an entire query, this requires more complex structure and the use of parenthesis to split queries into logical groups, e.g.
!((e.hostname in ["old-server", "deprecated"] && e.os.startsWith("Linux") || (e.os.startsWith("Windows") || e.os.startsWith("Mac"))
This is easier to visualise when formated
!
(
(e.hostname in ["old-server", "deprecated"] && e.os.startsWith("Linux")
||
(e.os.startsWith("Windows") || e.os.startsWith("Mac")
)
In this example the match would be anything that is either NOT matches one of the two queries included, these are includes in parenthesis to make them separate queries, the result would be anything named old-server or deprecated and the operating system name starts with Linux OR the operating system starts with Windows or Mac