This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Prisma Cloud RQL json.rule options

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Prisma Cloud RQL json.rule options

SPAUL2008
L1 Bithead

‎03-17-2026 09:52 AM

Hello,

Is it possible to use an array or list of values when comparing few values for a json.rule within an RQL?

 

For example, in the following RQL, can we combine the "tags[*].key" comparison values to a list of items (such as something like     'does not contain ["PatchGroup", "Patch Group", "patch-window", "prismacloud-scan"]') rather than having them defined separately?


config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key does not contain "Patch Group" and tags[*].key does not contain "PatchGroup" and tags[*].key does not contain "patch-window" and tags[*].value does not contain "prismacloud-scan"

 

Thanks,
Paul

0 Likes Likes
4 REPLIES 4

JCalloway1
L3 Networker

‎03-17-2026 11:08 AM

Hey Paul!
If the everything was the same, you could use a construction like "not in ()" or ". . . is not member of (string, string,string).  
However, you have two entries that are for "tags[*].key" and one that is for "tags[*].value", so since those are inconsistent, you can't put them in a list like above. 

(1)

SPAUL2008
L1 Bithead

‎03-17-2026 11:27 AM

Thank you. 
is not a member of ('','','')     seems to be working for the same parameter.

config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key is not member of ( 'Patch Group', 'PatchGroup', 'patching-window') and tags[*].value does not contain "prismacloud-scan"

0 Likes Likes

JCalloway1
L3 Networker

‎03-17-2026 11:29 AM

Hey Paul!
Excellent!  I'm glad that works!

0 Likes Likes

SPAUL2008
L1 Bithead
In response to SPAUL2008

‎03-17-2026 11:47 AM

Sorry, I spoke too soon. 
When comparing outputs from both of these queries side-by-side, I can see some false positives from the new one!

0 Likes Likes
  • 879 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks