Preview
Loads Smartscape nodes using a type pattern (use * for all types).
smartscapeNodes type [, from] [, to] [, timeframe], ...
Get a list of all unique smartscapeNodes.
smartscapeNodes "*"| fields type| dedup type
Get a list of the first 10 HOST nodes.
smartscapeNodes HOST| fields id, type| limit 10
Get a list of the first 10 HOST and PROCESS nodes.
smartscapeNodes { HOST, PROCESS }| fields id, type| limit 10
Get a list of the first 10 nodes fitting the pattern *EC2*.
smartscapeNodes "*EC2*"| fields id, type| limit 10
Loads Smartscape edges using an edge type pattern (use * for all types).
smartscapeEdges type [, from] [, to] [, timeframe ,] ...
Get a list of all runs_on edges.
smartscapeEdges runs_on
Get a list of all edges starting at Kubernetes Pods.
smartscapeEdges "*"| filter source_type == "K8S_POD"| summarize by:{type, target_type}, edges = count()
Get a list of all entity types that have a belongs_to edge leading to a Kubernetes Namespace.
smartscapeEdges belongs_to| filter target_type == "K8S_NAMESPACE"| dedup source_type| fields source_type
Get a list of all Kubernetes Deployment IDs that belong to a Kubernetes Namespace with a specific owner tag.
smartscapeEdges belongs_to| filter source_type == "K8S_DEPLOYMENT" and target_type == "K8S_NAMESPACE"| fieldsAdd namespace_tags = getNodeField(target_id, "tags")| filter namespace_tags[owner] == "john.doe@example.com"| fields source_id
Get a list of all entity types that have *to edges (for example, is_attached_to and belongs_to) leading to a Kubernetes Namespace.
smartscapeEdges "*to"| filter target_type == "K8S_NAMESPACE"| dedup source_type| fields source_type
Traverses source nodes to target nodes in the specified direction, following edge types defined by edgeTypes.
The traverse command follows the smartscapeNodes command. As an input for the source node, it takes records containing nodeId.
The command returns the target node with an additional field - dt.traverse.history, which is an array of records containing information about the source node. Every traverse operation adds a single record to dt.traverse.history. By default, the record contains the following fields: id, edge_type, and direction. More fields can be added to the record using the command's fieldsKeep parameter.
traverse edgeType, …, targetType, … [, direction] [, fieldsKeep: field, …] [, nodeId]
Traverse from all PROCESS nodes to the HOST they run on, keeping each process name in the traverse history.
smartscapeNodes PROCESS| traverse runs_on, HOST, direction: forward, fieldsKeep: name
Get a list of all Kubernetes Services that belong to Kubernetes Namespaces with a specific annotation.
smartscapeNodes K8S_NAMESPACE| filter tags[`example.com/annotation`] == "my-annotation"| traverse belongs_to, K8S_SERVICE, direction: backward
Get a list of process names and host names for all processes with a specific exe name by using the fieldsKeep parameter and accessing the dt.traverse.history field.
smartscapeNodes PROCESS| filter process.metadata[EXE_NAME] == "envoy"| traverse runs_on, HOST, fieldsKeep:name| fields process_name = dt.traverse.history[0][name], host_name = name
Find all EC2 volumes owned by a certain team that are attached to EC2 Instances.
smartscapeNodes AWS_EC2_INSTANCE| filter tags[dt_owner_team] == "team-piranhas"| traverse is_attached_to, AWS_EC2_VOLUME, direction: backward