Preview
Loads Smartscape nodes using a type pattern (use * for all types).
smartscapeNodes type [, from] [, to] [, timeframe], ...
Parameter
Type
Description
Required
type
string, identifier, string pattern
The node type. You can filter types of nodes using patterns:
* will match any node type."").""). Patterns support prefix (...*) , postfix (*...) and contains notation (*...*).required
timeframe
timeframe, string
The desired timeframe (if not specified, global timeframe is used).
optional
from
timestamp, long, duration, string
The start of the timeframe (if no explicit timeframe is specified). A duration is interpreted as an offset from now().
optional
to
timestamp, long, duration, string
The end of the timeframe (if no explicit timeframe is specified). A duration is interpreted as an offset from now().
optional
Get a list of all unique smartscapeNodes.
smartscapeNodes "*"| fields type| dedup type
Get a list of the first 10 HOST nodes.
smartscapeNodes HOST| fields id, type| limit 10
Get a list of the first 10 HOST and PROCESS nodes.
smartscapeNodes { HOST, PROCESS }| fields id, type| limit 10
Get a list of the first 10 nodes fitting the pattern *EC2*.
smartscapeNodes "*EC2*"| fields id, type| limit 10
Loads Smartscape edges using an edge type pattern (use * for all types).
smartscapeEdges type [, from] [, to] [, timeframe ,] ...
Parameter
Type
Description
Required
timeframe
timeframe, string
The desired timeframe (if not specified, global timeframe is used).
optional
from
timestamp, long, duration, string
The start of the timeframe (if no explicit timeframe is specified). A duration is interpreted as an offset from now().
optional
to
timestamp, long, duration, string
The end of the timeframe (if no explicit timeframe is specified). A duration is interpreted as an offset from now().
optional
type
string, identifier, string pattern
The edge type that represents the relationship between two nodes. You can filter the edge type using patterns:
* will match any edge type."").""). Patterns support prefix (...*) , postfix (*...) and contains notation (*...*).required
Get a list of all runs_on edges.
smartscapeEdges runs_on
Get a list of all edges starting at Kubernetes Pods.
smartscapeEdges "*"| filter source_type == K8S_POD| summarize by:{type, target_type}, edges = count()
Get a list of all entity types that have a belongs_to edge leading to a Kubernetes Namespace.
smartscapeEdges belongs_to| filter target_type == K8S_NAMESPACE| dedup source_type| fields source_type
Get a list of all Kubernetes Deployment IDs that belong to a Kubernetes Namespace with a specific owner tag.
smartscapeEdges belongs_to| filter source_type == K8S_DEPLOYMENT and target_type == K8S_NAMESPACE| fieldsAdd namespace_tags = getNodeField(target_id, "tags")| filter namespace_tags[owner] == "john.doe@example.com"| fields source_id
Get a list of all entity types that have *to edges (for example, is_attached_to and belongs_to) leading to a Kubernetes Namespace.
smartscapeEdges "*to"| filter target_type == K8S_NAMESPACE| dedup source_type| fields source_type
Traverses source nodes to target nodes in the specified direction, following edge types defined by edgeTypes.
The traverse command follows the smartscapeNodes command. As an input for the source node, it takes records containing nodeId.
The command returns the target node with an additional field - dt.traverse.history, which is an array of records containing information about the source node. Every traverse operation adds a single record to dt.traverse.history. By default, the record contains the following fields: id, edge_type, and direction. More fields can be added to the record using the command's fieldsKeep parameter.
traverse edgeType, …, targetType, … [, direction] [, fieldsKeep: field, …] [, nodeId]
Parameter
Type
Description
Required
edgeType
string, identifier, string pattern
The type of the edge to be traversed (one or more). You can filter types of nodes using patterns:
* will match any edge."").""). Patterns support prefix (...*) , postfix (*...) and contains notation (*...*).required
targetType
string, identifier, string pattern
The type of the target node (one or more). You can filter types of nodes using patterns:
* will match any node type."").""). Patterns support prefix (...*) , postfix (*...) and contains notation (*...*).required
direction
enumeration
The traversal direction. The possible values are: forward, backward. The default value is: forward.
optional
field
string, field identifier, string pattern
A list of fields from the source node that should be preserved in dt.traverse.history column.
required
nodeId
field identifier
The field that contains the id of the source node that should be traversed. The default value is: id.
optional
Get a list of all host names for all processes.
smartscapeNodes PROCESS| traverse runs_on, HOST, direction: forward, fieldsKeep: name
Get a list of all HOST and K8S_* names and tags for all nodes.
smartscapeNodes "*"| traverse edgeTypes: {runs_on, "dt.*"},targetTypes: {HOST, "K8S_*"},direction: forward,fieldsKeep: {name, "tags:*"}
Get a list of all Kubernetes Services that belong to Kubernetes Namespaces with a specific annotation.
smartscapeNodes K8S_NAMESPACE| filter tags[`example.com/annotation`] == "my-annotation"| traverse belongs_to, K8S_SERVICE, direction: backward
Get a list of process names and host names for all processes with a specific exe name by using the fieldsKeep parameter and accessing the dt.traverse.history field.
smartscapeNodes PROCESS| filter process.metadata[EXE_NAME] == "envoy"| traverse runs_on, HOST, fieldsKeep:name| fields process_name = dt.traverse.history[0][name], host_name = name
Find all EC2 volumes owned by a certain team that are attached to EC2 Instances.
smartscapeNodes AWS_EC2_INSTANCE| filter tags[dt_owner_team] == "team-piranhas"| traverse is_attached_to, AWS_EC2_VOLUME, direction: backward