Search query syntax
Rumble supports a deep searching across the Asset, Service, and Wireless Inventory, across Organizations and Sites, and through the Query Library. The Rumble Export API uses the same Inventory search syntax to filter results.
Boolean operators
Search queries can be combined through AND and OR operators and be grouped using parenthesis.
AND
For example, a Asset Inventory query of os:"Windows 10" AND protocols:http AND protocols:smb2 will show only those assets where Windows 10 was identified and both SMB and a web server were discovered. Search values that contain spaces must be placed in double quotes.
OR
By contrast, the example query of os:"Windows 10" AND protocols:http OR protocols:smb2 will search for Windows 10 running a web server or any assets with the SMB service exposed. In addition to AND and OR, the NOT operator can be used to filter a query. For example, the query os:"Windows 10" AND NOT protocols:http will show Windows 10 systems without a web server. If the negation should happen as the first term the AND should be dropped. The query NOT protocol:http AND os:"Windows 10" is equivalent to the previous search, with the terms reversed.
Wildcard and fuzzy searches
Most keywords are a fuzzy match by default. To force an exact match, prefix match, or suffix match, the \= prefix can be applied to the search term, with the % character used as a wildcard. To search an operating system name of just Windows, the Asset Inventory query would be os:="Windows", while to specify a prefix match of Ubuntu Linux, the query os:="Ubuntu Linux%" can be used. To search for an empty value, as no identified operation system, the \= prefix can be used with no value: os:=.
Asset and service inventory searches
Asset and Service attributes support two special search types in addition to the documented keywords:
- Asset Inventory searches treat unknown keywords as filters against individual Asset attributes.
- Service Inventory searches treat unknown keywords as filters against individual Service data values.
In situations where an Asset keyword conflicts with a Service data key, or an Asset attribute conflicts with a Service keyword, the prefixes \_asset. and \_service. can be used to disambiguate.
Searches are handled slightly differently. Service queries can filter against Asset attributes (os:linux) and Service attributes (banner:Password), but the Asset queries are limited to summary information about services (protocol:ssh).