Search query syntax
Rumble supports a deep searching across the Asset, Service, and Wireless Inventory, across organizations and sites, and through the Query Library. The Rumble Export API uses the same inventory search syntax to filter results.
Boolean operators
Search queries can be combined through AND and OR operators and be grouped using parenthesis.
AND
For example, a Asset Inventory query of os:"Windows 10" AND protocols:http AND protocols:smb2 will show only those assets where Windows 10 was identified and both SMB and a web server were discovered. Search values that contain spaces must be placed in double quotes.
OR
By contrast, the example query of os:"Windows 10" AND protocols:http OR protocols:smb2 will search for Windows 10 running a web server or any assets with the SMB service exposed. In addition to AND and OR, the NOT operator can be used to filter a query. For example, the query os:"Windows 10" AND NOT protocols:http will show Windows 10 systems without a web server. If the negation should happen as the first term the AND should be dropped. The query NOT protocol:http AND os:"Windows 10" is equivalent to the previous search, with the terms reversed.
Wildcard and fuzzy searches
Most keywords are a fuzzy match by default. To force an exact match, prefix match, or suffix match, the = prefix can be applied to the search term, with the % character used as a wildcard. To search an operating system name of just Windows, the Asset Inventory query would be os:="Windows", while to specify a prefix match of Ubuntu Linux, the query os:="Ubuntu Linux%" can be used.
Time and date values
Time and date (timestamp) fields can be searched using < (less than) and > (greater than) operators to compare against the current time. Supported units:
- hours
- minutes
- seconds
- months
- years
A special value of now can also be used.
For example, an asset search of first_seen:<1year would search for assets first detected this year. Other examples:
first_seen:<3days
first_seen:>2019-08-01
first_seen:>8/1/2019
last_seen:<1week
last_seen:<2months
last_seen:<1year
created_at:>2weeks
created_at:<30minutes
updated_at:>1year
updated_at:<12hours
os_eol:<now
os_eol:>4weeks
os_eol_extended:>now
os_eol_extended:>90days
Empty values
To search for an empty value, the = prefix can be used with no value after. For example, the query os:= will find assets with no identified operating system.
Note that this only works for single-valued attributes such as os and type; it won’t work for multi-value attributes such as names or addresses.
Asset and service inventory searches
Asset and Service attributes support two special search types in addition to the documented keywords:
- Asset Inventory searches treat unknown keywords as filters against individual Asset attributes.
- Service Inventory searches treat unknown keywords as filters against individual Service data values.
In situations where an Asset keyword conflicts with a Service data key, or an Asset attribute conflicts with a Service keyword, the prefixes \_asset. and \_service. can be used to disambiguate.
Searches are handled slightly differently. Service queries can filter against Asset attributes (os:linux) and Service attributes (banner:Password), but the Asset queries are limited to summary information about services (protocol:ssh).