# NQL Quick Reference Guide | | Field/Operator | Description | Example | | -------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **General Format** | | `field operator value` | `dstport < 1024` | | **Boolean Operators** | `&& AND` | Logical AND | `condition1 AND condition2` | | | `\|\| OR` | Logical OR | `condition1 OR condition2` | | | `!` | Logical NOT | `!(condition)` | | **Comparison Operators** |

==
!=
<
<=
>
>=

|

Equals
Not Equals
Less than
Less than or equals to
Greater than
Greater than or equals to

|

field == value
field != value
field <= value
field > value
field >= value

| | **Spacing & Parentheses** | | Operators must have spaces before and after | `field == value` | | | `()` | Use parentheses for grouping | `condition1 OR (condition2 AND condition3)` | | | | Logic must be clear |

Valid: A OR (B AND C)
Not valid: A OR B AND C

| | **CIDR Notation** | `/24` | IP fields can use CIDR notation | `10.0.0.0/24` | | **Pattern Matching** | | Wildcards, Regex, Fuzzy | | | |

=
!

|

Match pattern
Match NOT pattern

| | | Supported Fields | Flow | `dstiprep.categories srciprep.categories tags` | | | | DNS | `answers.rdata query.domain query.host query.name query.publicsuffix` | | | | Events | `ipinfo.iprep.categories summary tags` | | | | Audit | `description` | | | **Wildcards** | `=~ *pattern` | Matches zero or more characters | `query.name =~ *at` | | | `!~ *pattern` | Negative match for zero or more characters | `query.name !~ *at` | | | `=~ ?pattern` | Matches any single character | `query.name =~ ?at` | | | `!~ ?pattern` | Negative match for any single character | `query.name !~ ?at` | | **Regular Expressions (Regex)** | `=~ /pattern/` | Matches using regex pattern | `query.name =~ /pattern/` | | | `!~ /pattern/` | Negative match using regex pattern | `query.name !~ /pattern/` | | **Regex: Text Boundary Anchors** | `^` | Beginning of a line or string: Matches the start of a string | `^cat` matches "cat" at the beginning of a string | | | `$` | End of a line or string: Matches the end of a string | `cat$` matches "cat" at the end of a string | | **Regex: Choice and Grouping** | `xy` | Matches "xy" | `abc` matches "abc" | | | `x OR y` | Matches "x" or "y" | `ax OR ye` matches "axe" or "aye"\` | | | `abc(def)?` | Grouping | `abc(def)?` matches 'abc' and 'abcdef' | | **Regex: Repetition** | `x*` | Zero or more occurrences of "x" | `a*` matches "", "a", "aa" | | | `x+` | One or more occurrences of "x" | `a+` matches "a", "aa" | | | `x?` | Zero or one occurrence of "x" | `a?` matches "" or "a" | | | `x{n,m}` | Between n and m occurrences of "x" | `a{2,4}` matches "aa", "aaa", "aaaa" | | | `x{n,}` | n or more occurrences of "x" | `a{2,}` matches "aa", "aaa" | | | `x{n}` | Exactly n occurrences of "x" | `a{3}` matches "aaa" | | **Regex: Character Classes** | `.` | Matches any single character | `c.t` matches "cat" and "cot" | | | `[abc]` | Matches any single character in the set | `[aeiou]` matches any vowel | | | `[^abc]` | Matches any single character not in the set | `[^aeiou]` matches consonants | | | `[a-z]` | Matches any single character in the range | `[a-z]` matches any lowercase letter | | **Regex: Numeric Ranges** |

<0-10>
<00-010>

|

Matches a numeric range
Matches a numeric range with leading 0s

| `<0-10>` matches any number from 0 to 10 | | **Regex: Case Insensitive** | `/pattern/i` | Matches the pattern without regard to case | `/neto/i` matches "neto","NETO",etc. | | **Regex: Special Characters** | `\` | Escapes special characters to be treated as literals | `\.` matches a literal period | | **Regex: Reserved Characters** | | `. ? + * OR { } [ ] ( ) " \\` | | | **Fuzzy Matching** | `=~ term~` | Matches using fuzzy logic | `query.name =~ cat~` | | | `!~ term~` | Negative fuzzy match | `query.name !~ cat~` | | | `=~ term~2` | Matches terms with a maximum distance of 2 changes | `query.name =~ cat~2` | | | `!~ term~2` | Negative match with a maximum distance of 2 changes | `query.name !~ cat~2` | See [Using NQL](https://docs.netography.com/netography-query-language/nql-overview-and-basics) for more detailed information.