Searching & Filtering

Overview

Guardrails' powerful discovery mechanism crawls your infrastructure and builds a structured, hierarchical representation of your assets in the Guardrails CMDB.

Guardrails' ability to Discover Everything is powerful, but its only truly valuable if you can find what you're looking for.

Guardrails provides a powerful advanced query syntax to search and query the CMDB. This filter syntax can be used to search and filter results in the Guardrails Console UI, as well as in GraphQL queries, providing a single, consistent interface for querying the CMDB.

Basic searching and filtering

Guardrails' basic search capability is intuitive - simply enter text and Guardrails will perform a case-insensitive search against all the properties of all objects.

If multiple search terms are specified, Guardrails will search for items that contain both terms.

A search for bucket demo will return all resources that contain both bucket AND demo

The Guardrails filter syntax can be used to search across all items in the CMDB using the Search resource... field in the Guardrails Console.

This same syntax may be used in filter lists in the console. These filters are implicitly scoped to the list type - A filter list on the Resources page only contains resources, the Controls list only contains controls, etc.

Additionally, users can drill into resource explore pages and search from there, restricting the results to only child resources of the currently selected resource. Here we show an example of searching bucket at the AWS account level. This returns only buckets within the account.

The GraphQL API uses the exact same filter syntax for list queries (resources, controls, notifications, etc).

Refer to the Guardrails Filter Reference Page for a complete overview of Guardrails filters.

A filter can be negated with the - or ! character

To find resources that do not contain demo you can search for !demo or -demo

The search keyword may be used to explicitly specify a full text search. In addition to the full text filtering behavior described previously, search allows you to specify "OR" conditions using a comma separated list of terms.

To find resources that contain either bucket OR demo, use the search keyword: search:bucket,demo

Regular Expressions are also supported, and should be delimited with forward slashes. Note that regular expressions will search the title only.

To find resources whose title begins with demo use a regular expression: /^demo/

More full text examples

AimFilter text
Require foofoo
Exclude foo-foo
Exclude foo!foo
Require "foo" and "bar"foo bar
Require "foo bar""foo bar"
Exclude "foo bar"!"foo bar"
Require foo or barsearch:foo,bar
title starts with "foo"/^foo/
title contains "foo", case insensitive/foo/i
title does not contain "foo", case insensitive!/foo/i

Filtering on specific properties

Guardrails allows searching and filtering on specific properties of an object.

The general format of a condition is: {property}:{operator}{value}:

A condition can be negated by preceding the operator with ! or -. Multiple {values} can be joined with a comma to specify an "OR" condition. Multiple whitespace separated conditions are joined as "AND" conditions.

Scoping with Levels

Many Guardrails lists display resources from multiple levels of the resource hierarchy. For example, it is possible to show all Control alarms for an Account, or to show all the alarms for itself and it’s descendants. You can use alevels filter to specify the scope of your search/filter.

AimFilter text
Self onlylevel:self
Descendants onlylevel:descendant
Immediate children onlylevel:children
Ancestors onlylevel:ancestor
Self or Descendantslevel:self,descendant
Self or Descendants (alternate)level:all

More Examples

Resource filters
AimFilter text
AWS account 876515858155resource:arn:aws:::876515858155 level:self
Resources in AWS account 876515858155resource:arn:aws:::876515858155 level:descendant
Resources with a "department" tag of "sales"tags:department=/^sales$/i
Resources created in the last weekcreateTimestamp:>T-7d
Resources created or updated in the last 15 minutestimestamp:>T-15m
EC2 Instances with private IP in the 172.31.6.0/24 rangeresourceType:instance $.PrivateIpAddress:<172.31.6.0/24
Volumes larger than 1000MBresourceType:volume $.Size:>=1000
Unattached VolumesresourceType:volume $.Attachments.*.State:!attached
All compute and storage resources of any typeresourceCategory:compute,storage

Policy Settings

AimFilter text
Settings that are orphaned by a higher level required settingis:orphan
Settings that are orphaned by a higher level required settingis:exception
Settings expiring in the next week, by expiration date descendingvalidToTimestamp:<T+7d,>now sort:validToTimestamp
Settings created/updated in the last day, newest firsttimestamp:>T-1d sort:-timestamp

Policy Values

AimFilter text
Policy values set to 'Check: Enabled'value:'Check: Enabled'
Policy Values for resources with a department tag set to 'sales'tags:department=/^sales$/i
Policy Values that are not in an OK statestate:-ok
Policy values for CIS policy typespolicyType:cis

Controls

AimFilter text
Controls in alarm or errorstate:alarm,error
Approved controls for any bucket (AWS, GCP)resourceType:bucket controlType:approved
All alarms in the last hoursstate:alarm timestamp:>T-1h
All storage related tag controlsresourceCategory:storage controlCategory:tags
All CIS controlscontrolCategory:cis

Notifications

AimFilter text
Notifications for resources, newest firstnotificationType:resource sort:-timestamp
The last 100 deletion notifications of any typenotificationType:resourceDeleted,policySettingDeleted,policyValueDeleted,controlDeleted,actionDeleted,scheduledActionDeleted,grantDeleted,activeGrantsDeleted,favoriteDeleted,watchDeleted sort:-timestamp limit:100
Recent permissions activitynotificationType:activeGrant,grant sort:-timestamp
Notifications for a specific actor (user) with it's profileIdactorIdentityId:162674901433086

Further Reading

See the Filter Reference Documentation for more detailed information and examples, including filters for: