This section describes the field types for advanced queries. What to read next Field Type: boolBoolean fields have only two possible values: the string true or false . Searches are case-insensitive. Field Type: cmdlineWhen a process launches on an endpoint, the command line for that process is sent to the Carbon Black EDR server. Field Type: countAn integer value. If it exists, the values are from 0 to MAXINT . It supports two types of search syntaxes. Field Type: datetimeDatetime fields have five types of search syntaxes Field Type: domainDomains are split into labels for query purposes. For example, “ example.com ” is split into “ example ” and “com”. Field Type: integerInteger fields are integer values (whole numbers, including 0). If it exists, the values are from 0 to MAXINT. Field Type: ipaddrIP addresses are searched with a CIDR notation. Field Type: ipv6addrIPv6 addresses are searched with a CIDR notation. Field Type: keywordKeywords are text fields with no tokenization. The term that is searched for must exactly match the value in the field; for example, process_name:svchost.exe. Field Type: md5md5 fields are keyword fields with an md5 hash value. Field Type: pathPath fields are special text fields. They are tokenized by path hierarchy. Field Type: sha256sha256 fields are keyword fields with a SHA-256 hash value. Field Type: signSignature fields can be one of the eight possible values. Field Type: textText fields are tokenized on whitespace and punctuation. Searches are case-insensitive. Parent topic: Advanced Search Queries
