---
title: "Search query syntax"
aliases: ["/docs/search-query-list/"]
---

runZero supports deep searching across the Asset, Service, and Wireless Inventory, across organizations and sites, and through the Query Library. The runZero Export API uses the same inventory search syntax to filter results.

## Query syntax

### Boolean operators

Search queries can be combined using the `AND` and `OR` operators and grouped using parentheses.

#### AND

For example, an Asset Inventory query of `os:"Windows 10" AND protocols:http AND protocols:smb2` will show only those assets where Windows 10 was identified and both SMB and a web server were discovered. Search values that contain spaces must be placed in double quotes.

#### OR

By contrast, the example query of `os:"Windows 10" AND protocols:http OR protocols:smb2` will search for Windows 10 running a web server or any assets with the SMB service exposed. In addition to `AND` and `OR`, the `NOT` operator can be used to filter a query. For example, the query `os:"Windows 10" AND NOT protocols:http` will show Windows 10 systems without a web server. If the negation is the first term, the `AND` should be dropped. The query `NOT protocol:http AND os:"Windows 10"` is equivalent to the previous search, with the terms reversed.

### Wildcard and fuzzy searches

Most keywords use fuzzy matching by default. To force an exact match, prefix match, or suffix match, apply the `=` prefix to the search term and use the `%` character as a wildcard. To search for an operating system name of just `Windows`, the Asset Inventory query would be `os:="Windows"`, while to specify a prefix match of `Ubuntu Linux`, the query `os:="Ubuntu Linux%"` can be used.

### Single-character wildcard

The `%` wildcard matches any number of characters. To match exactly one character, use the `_` single-character wildcard. For example, `os:="Window%"` will match both `Windows` and `Windows 10`, while `os:="Window_"` will match `Windows` but not `Windows 10`.
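
The difference between fuzzy, exact, and wildcard terms decides which assets a saved query or alert rule covers, so it helps to check a pattern before relying on it. The following is an added example, not runZero code: a local Python model of the matching rules described above, run against a constructed inventory. The names `term_to_regex`, `matching_assets`, and `ASSETS` are hypothetical, and it assumes that fuzzy matching behaves like a case-insensitive substring search, that `=` matches are also case-insensitive, and that `%` and `_` are literal without the `=` prefix.

```python
import re


def term_to_regex(value: str) -> re.Pattern:
    """Compile the value part of a `keyword:value` term into a regex."""
    if value.startswith("="):
        # `=` prefix: the whole attribute must match.
        # `%` matches any run of characters, `_` matches exactly one.
        body = value[1:].strip('"')
        parts = []
        for ch in body:
            if ch == "%":
                parts.append(".*")
            elif ch == "_":
                parts.append(".")
            else:
                parts.append(re.escape(ch))
        return re.compile(r"\A" + "".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)
    # No `=` prefix: fuzzy match, modelled here as a substring search (assumption).
    return re.compile(re.escape(value.strip('"')), re.IGNORECASE)


def matching_assets(term: str, assets: list[dict]) -> list[str]:
    """Return the names of assets whose attribute matches a single term."""
    keyword, _, value = term.partition(":")
    pattern = term_to_regex(value)
    return [a["name"] for a in assets if pattern.search(a.get(keyword, ""))]


# Constructed sample inventory, not real scan data.
ASSETS = [
    {"name": "ws-01", "os": "Windows"},
    {"name": "ws-02", "os": "Windows 10"},
    {"name": "srv-01", "os": "Windows Server 2019"},
    {"name": "lnx-01", "os": "Ubuntu Linux 22.04"},
]

if __name__ == "__main__":
    for term in ('os:Windows', 'os:="Windows"', 'os:="Window%"',
                 'os:="Window_"', 'os:="Ubuntu Linux%"'):
        print(f"{term:22} -> {matching_assets(term, ASSETS)}")
```

In this model the fuzzy term `os:Windows` also returns the server asset, while `os:="Windows"` returns only the asset whose operating system is exactly `Windows`.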

### Time and date values

Time and date (timestamp) fields can be searched using the `<` (less than) and `>` (greater than) operators to compare against the current time. You can also use `-` to compare to a relative time in the past. For example, `<-3years` would look for timestamps that occurred more than three years ago. Supported units:

 - hours
 - minutes
 - seconds
 - months
 - years

A special value of `now` can also be used.

For example, an asset search of `first_seen:<1year` would search for assets first detected this year. Other examples:

```plaintext
first_seen:<3days
```
```plaintext
first_seen:>2019-08-01
```
```plaintext
first_seen:>8/1/2019
```
```plaintext
last_seen:<1week
```
```plaintext
last_seen:<2months
```
```plaintext
last_seen:<1year
```
```plaintext
created_at:>2weeks
```
```plaintext
created_at:<30minutes
```
```plaintext
updated_at:>1year
```
```plaintext
updated_at:<12hours
```
```plaintext
os_eol:<now
```
```plaintext
os_eol:>4weeks
```
```plaintext
os_eol:<-2years
```
```plaintext
os_eol_extended:>now
```
```plaintext
os_eol_extended:>90days
```

### Empty values

To search for an empty value, the `=` prefix can be used with no value after. For example, the query `os:=` will find assets with no identified operating system.

Note that this only works for single-valued attributes such as `os` and `type`; it won't work for multi-value attributes such as `names` or `addresses`.

### Asset and service inventory searches

Asset and Service attributes support two special search types in addition to the documented keywords:

*   Asset Inventory searches treat unknown keywords as filters against individual Asset **attributes**.
*   Service Inventory searches treat unknown keywords as filters against individual Service **data** values.

In situations where an Asset keyword conflicts with a Service data key, or an Asset attribute conflicts with a Service keyword, the prefixes `_asset.` and `_service.` can be used to disambiguate.

Asset and Service searches are handled slightly differently. Service queries can filter against Asset attributes (`os:linux`) and Service attributes (`banner:Password`), but Asset queries are limited to summary information about services (`protocol:ssh`).
