Syntax

LeakIX syntax is called YQL and is based on the opensource YQL-Elastic library.

Features

  • Supports grouping
  • Supports field

Lexical declarations

  • A term can be a single word
  • A term can be a phrase between quote (")
  • A term can be a field, prefixed by : with or without a (single word or phrase) as value
  • Any term or group of term following + is a REQUIRE condition
  • Any term or group of term following - is a EXCLUDE condition
  • Any term or group of term without preceding operator is a OPTIONAL condition, unless there's only one term
  • A group is query inside delimiting ()
  • Groups can have sub-groups
  • Any field having a > after its : is a greater range condition
  • Any field having a < after its : is a lower range condition
  • Any field having a = after its : is a precise match condition
When multiple terms are provided without the + operator, the default behavior is to make it OPTIONAL.

Examples

Search for single term

The following example would search the index for the term TornadoServer. The term is required since it's alone.

1TornadoServer

Search for a phrase

The following example would search the index for the phrase Location: /home/. The term is required since it's alone.

1"Location: /home/"
Notice how phrase with spaces are enclosed between double quotes (") to make it a single term.

Search for multiple required terms

The following example would search the index for the phrase Location: /home/ AND the term Apache. Both terms are required since they're prefixed with +.

1+"Location: /home/" +Apache

Using fields

The following example would search the index for the field jarm matching 29d29d15d29d29d00042d42d0000009435214b849738c4ebab4534b5d158dd.

1jarm:"29d29d15d29d29d00042d42d0000009435214b849738c4ebab4534b5d158dd"
Notice how fields can also be phrases by using double quotes ".

Using ranges

The following example would search the index for the field ssl.certificate.not_before greater than 2023-03-10.

1ssl.certificate.not_before:>2023-03-10

Combining optional and required terms

The following example would search the index for the phrase Location: /home/ AND either the term Apache OR nginx AND for the field jarm matching 15d3fd16d29d29d00042d43d0000009ec686233a4398bea334ba5e62e34a01 AND for the field ssl.certificate.not_before greater than 2023-03-10.

1+"Location: /home/" +(Apache nginx) +jarm:"15d3fd16d29d29d00042d43d0000009ec686233a4398bea334ba5e62e34a01" +ssl.certificate.not_before:>2023-02-10
Notice how the group between () is required by prefixing it with +.
Notice how the terms inside () are optional since they have no prefix.