Tokenized Search Terms

Certain search parameters in Cisco Vulnerability Management are tokenized, which allows case-insensitive and location-insensitive searches:

  • os
  • cve_description
  • fix_title_keyword
  • hostname
  • application

How Tokenized searching works

In this type of query, each word in the parameter is searched for anywhere in the string, regardless of case. In other words, skip the quotes and you get case-insensitive and location-insensitive searching.

os:"linux" / os:linux / os:(linux) = find term linux in any location and in any case


os:(Windows Server) / os:(Windows OR Server) = find terms windows OR server in any location and in any case


os:(Windows AND Server) = find terms windows AND server in any location and in any case


os:"Windows Server" = find terms windows AND server in any case in the specified order. 


Tokenized search is efficient and can accommodate complex logic within the parentheses. For more information, see the queries shown in this article.

Use wildcards to search

Tokenized searching should make wildcard searches nearly obsolete, but there may be occasions where they are still needed.

Note: When a wildcard (* or ?) is added to a search, that search becomes a location-sensitive and case-sensitive text search.

os:"linux*" = find where "linux" is at the start of the string, is all lower case, with any text following. 


This query returns no results because Linux is generally capitalized.

 

os:"Linux*" = find where "Linux" is at the start of the string, has its first letter capitalized, with any text following.


The best use for wildcards is when you only want a small subgroup of information that is not differentiated by a whole word. In this example, you are looking for a specific version number and all of its subversions too:

os:"Linux - Linux - Linux - 2.6*" = find a case-sensitive, whole-string match for any 2.6 subversion of Linux.


Why do I want to avoid leading wildcards if possible?

While you might get the same results as a tokenized search, starting a query with a wildcard like os:"*Windows Server*" means that on the backend, Cisco Vulnerability Management needs to check every single entry to see whether it matches as a String value. This is a very inefficient and costly function, so to avoid query timeouts during periods of high load you should not use leading wildcards.
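
A small Python model of the matching behaviour described on this page, added here as an example; it is not Cisco Vulnerability Management's code. The tokenizer, the adjacency rule for quoted phrases, the use of fnmatchcase for wildcards and the sample OS strings are all assumptions.

```python
import re
from fnmatch import fnmatchcase

def tokens(text):
    # Assumed tokenizer: lower-case, split on anything that is not a letter or digit.
    return re.findall(r"[a-z0-9]+", text.lower())

def tokenized_match(value, terms, mode="OR"):
    """Model of os:(a b) / os:(a OR b) / os:(a AND b): any location, any case."""
    have = set(tokens(value))
    hits = [t.lower() in have for t in terms]
    return all(hits) if mode == "AND" else any(hits)

def phrase_match(value, phrase):
    """Model of os:"Windows Server": terms in the given order (assumed adjacent), any case."""
    have, want = tokens(value), tokens(phrase)
    n = len(want)
    return n > 0 and any(have[i:i + n] == want for i in range(len(have) - n + 1))

def wildcard_match(value, pattern):
    """Model of a wildcard query: case-sensitive match against the whole string."""
    return fnmatchcase(value, pattern)

# Constructed sample OS values, not taken from a real tenant.
ASSETS = [
    "Linux - Linux - Linux - 2.6.32",
    "Linux - Linux - Linux - 3.10",
    "Microsoft Windows Server 2016 Standard",
    "Microsoft Windows 10 Enterprise",
    "Ubuntu Server 20.04",
]

def run(fn, *args, **kw):
    # Return the sample values that the given query model matches.
    return [a for a in ASSETS if fn(a, *args, **kw)]

if __name__ == "__main__":
    queries = [
        ("os:linux", run(tokenized_match, ["linux"])),
        ('os:"linux*"', run(wildcard_match, "linux*")),
        ('os:"Linux*"', run(wildcard_match, "Linux*")),
        ("os:(Windows Server)", run(tokenized_match, ["Windows", "Server"])),
        ("os:(Windows AND Server)", run(tokenized_match, ["Windows", "Server"], mode="AND")),
        ('os:"Windows Server"', run(phrase_match, "Windows Server")),
        ('os:"Linux - Linux - Linux - 2.6*"', run(wildcard_match, "Linux - Linux - Linux - 2.6*")),
        ('os:"*Windows Server*"', run(wildcard_match, "*Windows Server*")),
    ]
    for query, matched in queries:
        print(f"{query:36} -> {matched}")
```

On this sample data the leading-wildcard query returns the same value as the quoted phrase query, which is the case where the tokenized form is the better choice.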
