3.2.10.3.1. Create Saved Query

This does the following:

• Create a saved query that includes the os.type field.

• Sorts the table in the GUI by the os.type field.

• Sorts the the os.type field in ascending order.

• Apply a column filter to only show data in the os.type column that matches Windows.

• Set the table paging size in the GUI to show 50 rows at a time.

$ axonshell devices saved-query add \
  --name 'last seen in 2 days' \
  --query '(specific_data.data.last_seen >= date("NOW - 2d"))' \
  --field os.type \
  --sort-field os.type \
  --sort-ascending \
  --column-filter os.type=Windows \
  --gui-page-size 50 \
  --export-file saved_query.json \
  --export-overwrite

3.2.10.3.1.1. Notes

Note

This example works the same for both the devices saved-query add and users saved-query add commands.

Note

Creating a saved query this way does not build the expressions that are used by the Query Wizard in the GUI, so you will not be able to use the Query Wizard to modify saved queries created by this command.

Note

The only required option is -n / –name, but all of the other options can control the creation of the saved query in multiple ways and you probably want to at least supply -q / –query.