When searching for assets, you can filter the search results by specifying a query made up of an asset metadata field, an operator, and a value.
Searchable fields and resources
For fields you can use in a searchAllResources
query, see
ResourceSearchResult Fields.
For fields you can use in a searchAllIamPolicies
query, see
IamPolicySearchResult Fields.
For resources you can search for, see Resource types.
Text matching
When searching for a text match, you can match an asset metadata field exactly or partially.
Exact text matching
For an exact text match, use the =
(equals) operator with the following
syntax:
ASSET_METADATA_FIELD=QUERY
For example:
location=us-central1-a
Keep the following rules in mind when performing an exact text match:
For the query to be true, the query value must exactly match the value of the asset metadata field.
For a field with a list value, if the query value matches one of the list's elements, it's considered a match.
Query values are case-sensitive.
An exact match query value is treated like a phrase, but can't contain wildcards.
Partial text matching
For a partial text match, use the :
(has) operator with the following syntax:
ASSET_METADATA_FIELD:QUERY
For example:
location:us-central1
When performing a search with the :
operator, the query value and asset
metadata field values are
converted to tokens
for comparison. Each word of the query value is checked to find out if it exists
in consecutive order in the value of the asset metadata field. When using
partial matches, the query values are case-insensitive.
Partial match query values can be a phrases or a combination of phrases, and can contain wildcards. Up to 10 comparisons can be made in a query, with a maximum of 2048 characters. If you have a use case for longer queries, contact gcp-asset-inventory-and-search-feedback@googlegroups.com.
Tokenization rules
The tokenization rules for partial text matching are as follows:
Leading and trailing special characters are removed.
Characters that aren't alphanumeric (
[a-zA-Z0-9]
), underscores (_
), or ampersands (&
) are treated as delimiters.
Here are some tokenization examples:
us-central1
is tokenized to[us,central1]
alex-2020@EXAMPLE.com
is tokenized to[alex,2020,example,com]
google.com/cloud
is tokenized to[google,com,cloud]
Compute %Instance%
is tokenized to[compute,instance]
$%^*-!
is tokenized to[]
compute*storage
is tokenized to[compute,storage]
compute&storage
is tokenized to[compute&storage]
ALEX_test@example.com
is tokenized to[alex_test,example,com]
instance/_my_vm_
is tokenized to[instance,_my_vm_]
Exact and partial text matching examples
An asset whose location
field has the value us-central1-a
matches the
following queries.
Query | Reason for the match |
---|---|
location=us-central1-a |
Matches because the phrase us-central1-a is
exactly the same as the field's value.
|
location:US-Central1-A |
Matches because punctuation characters are treated as delimiters, and the query value is case-insensitive. |
location:"us central1 a" |
Matches because words in the phrase "us central1 a"
match the field value in consecutive order.
|
location:(central1 us a) |
Matches because words in the combination
(central1 us a) match the words in the field value in
any order.
|
location:(a "us central1") |
Matches because the phrases inside the combination,
a and "us central1" , match the words in
the field value in any order. Because "us central1" is a
phrase, these words must be matched in consecutive order.
|
location:us-central* |
Matches because the wildcard * is used to make a prefix
match.
|
An asset whose location
field has value us-central1-a
doesn't match
the following queries.
Query | Reason for not matching |
---|---|
location=US-central1-a |
Doesn't match because the phrase is case-sensitive. Use the
: operator instead for case-insensitive matches.
|
location=us-central1 |
Doesn't match because the phrase partially matches the field's value.
Use the : operator instead for partial matches.
|
Construct a text match query
A query value can be made up of phrases, combinations, negations, and wildcards.
Phrases
A phrase is one or more words that are matched in order. To match words without respecting order, use combinations instead.
The following query matches assets whose policy
field has the word alex
and the word 2020
in consecutive order:
policy:"alex 2020"
An asset whose policy
field value is "alex.2020@example.com"
matches the
query, because the words alex
and 2020
are in consecutive order. The
.
is ignored as punctuation is treated as a delimiter.
An asset whose policy
field value is "2020.alex@example.com"
or
"alex.us.2020@example.com"
doesn't match, because the words alex
and 2020
aren't in consecutive order.
Construct a phrase
Keep the following rules in mind when you construct a phrase:
If the phrase only contains ISO basic Latin alphabet characters
[a-zA-Z]
, numbers[0-9]
, basic email or URL connectors[_-+.@/&]
, or wildcards[*]
, it doesn't need to be wrapped in double quotation marks:policy:alex.2020@example.com
However, wrapping in double quotation marks still works, and behaves the same:
policy:"alex.2020@example.com"
If the phrase has spaces or other special characters it must be wrapped in double quotation marks:
location:"us central1"
If the phrase is wrapped in double quotation marks and also contains a double quotation mark (
"
) or backslash (\
), you must escape them as\"
or\\
. Alternatively, replace them with a single space as non-alphanumeric characters are treated as delimiters when performing a search. The following queries are treated the same:description:"One of \"those\" descriptions." description:"One of those descriptions."
When using the gcloud CLI or the REST API, you need to escape the double quotation marks used to indicate a phrase:
--query="location:(a \"us central1\")"
"query": "location:(a \&q
uot;us central1\")"
Combinations
Search phrases can be combined using the uppercase logical operators AND
or
OR
. Including AND
is optional when using parentheses. For example, the
following queries are treated the same:
policy:(alex charlie)
policy:(alex AND charlie)
If an asset contains a metadata field with a list of values, an AND
combination doesn't guarantee that all words must be in a single element. For
example, if a metadata field is
policy=["alex@example.com", "bola@example.com", "charlie@example.com"]
,
searching with policy:(alex charlie)
matches, because alex@example.com
contains alex
, and charlie@example.com
contains charlie
.
You can use parentheses to group combination types. The following example
returns assets that have a policy field that contains alex
and charlie
in
any order, or assets that have a policy field that contains bola
.
policy:((alex charlie) OR bola)
You can use a phrase inside a combination to match multiple words in consecutive
order. The following example returns assets that have a policy field that
contains alex
and 2020
in consecutive order, or bola
:
policy:(("alex 2020") OR bola)
Combination examples
The following queries demonstrate various combinations. Note the placement
of parentheses to separate AND
and OR
operators. Combining operators within
a single set of parentheses is invalid, for example:
policy:(alex charlie OR bola)
.
Query | Description |
---|---|
policy:(alex charlie) |
Returns assets whose policy field contains both
alex and charlie .
|
policy:(alex OR charlie) |
Returns assets whose policy field contains either
alex or charlie .
|
policy:((alex charlie) OR bola) |
Returns assets whose policy field contains both
alex and charlie , or has the word
bola .
|
policy:(alex charlie) OR name:bola |
Returns assets whose policy field contains
alex and charlie or whose name
field contains bola .
|
Negation
Search queries can be negated using the uppercase NOT
operator. Parentheses
are supported but not required.
Negation examples
Return assets whose
state
field doesn't contain the wordrunning
.NOT state:running
Return assets whose
policy
field contains neitheralex
norcharlie
.NOT policy:(alex OR charlie)
Return assets whose
networkTags
field doesn't containinternal
orprivate
.NOT (networkTags:internal OR networkTags:private)
Wildcards
Asterisks (*
) can be used in a phrase as a wildcard character. Depending on
position, an asterisk can have different meanings.
If
*
is at the end of a phrase, it's treated as a token prefix match. For example,"al 20*"
is equivalent to(al* 20*)
. The order of prefixes doesn't matter.The phrase
"al 20*"
matches a field value with a token starting withal
(such asalex
), and a token starting with20
(such as2020
).For
labels
, if the whole query value only contains a single*
—for example,"labels.env:*"
—it represents an existence check. That is, Cloud Asset Inventory checks whether the label keyenv
exist. Only thelabels
field supports existence checks.If
*
is in the middle of a phrase—for example,"compute*storage"
—it is treated as a tokenization delimiter. This query value is equivalent to"compute storage"
.If
*
is at both the beginning and the end of a phrase, for example,"*compute storage*"
, it is treated as a tokenization delimiter. This query value is equivalent to"compute storage"
.
Numerical and timestamp comparison
For numerical and timestamp comparison, use comparison operators with the following syntax:
ASSET_METADATA_FIELD>=QUERY
The available comparison operators are as follows:
=
: equal to>
: greater than>=
: greater than or equal to<
: less than<=
: less than or equal to
To compare against timestamps such as those stored in the createTime
and
updateTime
asset metadata fields, use a 64-bit signed integer (the epoch
timestamp in seconds) or a UTC+0 datetime string in one of following formats:
2021-01-01
(YYYY-MM-DD)"2021-01-01T00:00:00"
("YYYY-MM-DDThh:mm:ss")
Datetime examples
An asset whose createTime
field has value 1609459200
(epoch timestamp of
2021-01-01T00:00:00
) matches the following queries:
createTime=1609459200
createTime=2021-01-01
createTime="2021-01-01T00:00:00"
createTime>1500000000
createTime>2020-01-01
createTime>"2020-01-01T00:00:00"
createTime>=1609459200
createTime>=2021-01-01
createTime>="2021-01-01T00:00:00"
createTime<1700000000
createTime<2022-01-01
createTime<"2022-01-01T00:00:00"
createTime<=1609459200
createTime<=2021-01-01
createTime<="2021-01-01T00:00:00"