PDL Reference

This is a reference guide for the Padas Domain Language (PDL). In this manual you will find explanations of PDL syntax, descriptions, and examples.

In order to understand how PADAS works, please review Getting Started.


PDL Syntax

The following sections describe the syntax used for Padas Domain Language (PDL) queries. PDL operates on a single event (padas_events topic, jsondata field): it compares the event to the query and returns a boolean response to indicate a match or mismatch.

PDL syntax requires fields to be available in the JSON object that it compares against.


Examples

Event jsondata value:

{
  "field1":{
    "subfield1":"subvalue1",
    "subfield2":"sub value2"
  },
  "field2":"value2",
  "field3":123
}

PDL Query: field1.subfield2 ?= "value2"
Expected Result: true

Event jsondata value:

{
  "field1":"value1",
  "field2":"value2 text2 value2",
  "field3":123,
  "field4":"value4",
  "field_5":5,
  "field-6":6,
  "field:7":7
}

PDL Query: field1="va*e1"
Expected Result: true

Event jsondata value:

{
  "field1":{
    "subfield1":"subvalue1",
    "subfield2":"sub value2"
  },
  "field2":"value2",
  "field3":123
}

PDL Query: (field1.subfield2 = "value2" AND field3=123)
Expected Result: false


Supported Operators

PDL supports the following operators and keywords when comparing events to the query.

The table below provides examples based on the following JSON value:

{
  "field1":"value1",
  "field2":"value2 text2 value2",
  "field3":123
}

| Operator/Keyword | Description | Example (true) |
|---|---|---|
| NOT | NOT, negates the result | NOT (field1 = "valueXXX") |
| AND | AND, expects both sides to be true | field1="value1" AND field3=123 |
| OR | OR, expects at least one side to be true | field1="xyz" OR field3=123 |
| = | Equals, returns true if the value is an exact match. A single wildcard * is also accepted for string values. | field1="value1", field1="val*" |
| != | Not Equals, returns true if the value does not match | field3 != 456 |
| ?= | Contains, checks whether the string value contains the query | field2 ?= "text2" |
| > | Greater than, returns true if query comparison value is greater than event field value | field3 > 100 |
| < | Less than, returns true if query comparison value is less than event field value | field3 < 200 |
| >= | Greater than or equals, returns true if query comparison value is greater than or equals to the event field value | field3 >= 123 |
| <= | Less than or equals, returns true if query comparison value is less than or equals to the event field value | field3 <= 123 |


Supported JSON Values

PDL comparisons work on String and Integer JSON values. String comparisons MUST be enclosed in double quotes (") within the PDL query definition.


Examples:

A PDL query with field1="123" will compare "123" as a String JSON value.

A PDL query with field2=123 will compare 123 as an Integer JSON value.


Wildcard Support

PDL supports a single wildcard * with the Equals operator (=) for String JSON values. The following are valid PDL query examples with wildcard usage:

field1="val*1"
field1="val*"
field1="*ue1"


Grouped arguments

Sometimes the syntax must display arguments as a group to show that the set of arguments is used together. Parentheses ( ) are used to group arguments.

For example, in this syntax: (field1="val1" OR field2=123) AND field3="value3"

The grouped argument is (field1="val1" OR field2=123) and its results are evaluated as a whole.
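
The operators, String/Integer typing, single wildcard and grouping described in this reference can be modelled as a small Python evaluator for testing queries against sample events. This is an added example, not Padas code. It assumes that a missing field or a String/Integer type mismatch never matches, that NOT binds tighter than AND and AND tighter than OR, that keywords are upper case, and that ordering operators behave as in the table's examples (field3 > 100 is true when field3 is 123).

```python
import re

# Token kind = regex group: 1 paren, 2 operator, 3 string, 4 integer, 5 word, 6 stray
TOKEN = re.compile(r'\s*(?:([()])|(!=|\?=|>=|<=|[=<>])|"([^"]*)"|(-?\d+)\b|([\w.:-]+)|(\S))')
EVENT = {"field1": "value1", "field2": "value2 text2 value2", "field3": 123}  # from this page

def lookup(event, path):  # dotted path such as field1.subfield2; None if absent
    for key in path.split("."):
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event

def compare(actual, op, expected):
    if type(actual) is not type(expected):  # assumed: absent field or type mismatch = no match
        return False
    if op == "=" and isinstance(expected, str) and expected.count("*") == 1:
        pattern = ".*".join(map(re.escape, expected.split("*")))
        return re.fullmatch(pattern, actual, re.S) is not None
    return {"=": actual == expected, "!=": actual != expected,
            ">": actual > expected, "<": actual < expected,
            ">=": actual >= expected, "<=": actual <= expected,
            "?=": isinstance(actual, str) and expected in actual}[op]

def evaluate(query, event):
    tokens = [(m.lastindex, m.group(m.lastindex)) for m in TOKEN.finditer(query)]
    def operand():  # NOT, a parenthesised group, or one comparison
        kind, text = tokens.pop(0)
        if (kind, text) == (5, "NOT"):
            return not operand()
        if (kind, text) == (1, "("):
            result = chain("OR")
            tokens.pop(0)  # closing parenthesis
            return result
        (okind, op), (vkind, raw) = tokens.pop(0), tokens.pop(0)
        if (kind, okind) != (5, 2) or vkind not in (3, 4):
            raise ValueError(f"malformed comparison near {text!r}")
        return compare(lookup(event, text), op, int(raw) if vkind == 4 else raw)
    def chain(word):  # assumed precedence: NOT binds tightest, then AND, then OR
        parse = operand if word == "AND" else (lambda: chain("AND"))
        results = [parse()]
        while tokens and tokens[0] == (5, word):
            tokens.pop(0)
            results.append(parse())
        return all(results) if word == "AND" else any(results)
    result = chain("OR")
    if tokens:
        raise ValueError(f"unparsed input: {tokens}")
    return result
```

Malformed queries raise an exception instead of returning false, so a broken rule is noticed rather than silently never matching.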