Skip to main content

VQL for Resource Reports

This page describes how to use VQL when querying Resource Reports in the API or using the Terraform Provider.

tip

If you need help constructing a VQL query, navigate to the Resource Reports page and click New Resource Report. From the top left, open the Filters menu. Create a filter and click the View as VQL button at the top of the Filters menu to see a filter's VQL representation. You can copy this syntax to use within your API calls.

Resource Reports VQL Schema

VQL for Resources Reports comprises two namespaces: resources and tags, which represent the available filters on Resource Reports in the Vantage console. To reference a filter, use the following syntax: namespace.field (e.g., resources.region or tags.name). The following fields are available within these namespaces.

NamespaceFieldVQL Example
resourcesproviderProviders example
regionRegion example
account_idAccount example
provider_account_idBilling Account example
typeResource Type example
labelLabel example
uuidUUID (AWS ARN) example
metadataMetadata example
tagsname
value
note

Availability of the fields listed above varies among different cloud providers. See the Resource Reports documentation for a full list of filter fields available per provider.

Keywords

VQL includes a set of keywords to create complex filter conditions. These keywords function similar to their SQL equivalents.

KeywordDescriptionVQL SampleExplanation
ANDLogical AND operatorresources.provider = 'aws' AND resources.label = '123456'This example filters AWS resources, with a specific associated label, where both conditions must be true.
ORLogical OR operator(resources.provider = 'aws') OR (resources.provider = 'gcp')This example retrieves resources from either AWS or GCP. At least one condition must be true.
LIKE and NOT LIKEPerforms string comparisonsresources.provider = 'aws' AND resources.uuid LIKE '%arn:aws:s3:::my-bucket%''This example selects data where the resource ARN contains arn:aws:s3:::my-bucket, such as arn:aws:s3:::my-bucket-123.

This same query also works for NOT LIKE where data does not contain a particular string: resources.provider = 'aws' AND resources.uuid NOT LIKE '%arn:aws:s3:::my-bucket%'.
IN/NOT INUsed to compare against an array list(resources.provider = 'aws' AND (resources.region IN ('ap-northeast-1','ap-northeast-3')))This example filters based on a list of regions, returning data for the specified regions

You can also use NOT IN to find results that are anything but the items within the list: (resources.provider = 'aws' AND (resources.region NOT IN ('ap-northeast-1','ap-northeast-3')))
!=Represents negation, "is not"resources.provider = 'azure' AND (resources.type != 'azurerm_public_ip' AND resources.type != 'azurerm_kubernetes_cluster')This example filters out data from two specified resource types, providing all Azure resources that are not these types.
<, >, <=, >=Mathematical operators for numerical queriesresources.provider = 'azure' AND (resources.type = 'azurerm_virtual_machine' AND resources.metadata->>'virtual_machine_size' > '7')This example looks for Virtual Machines that have a size greater than 7.
->>This operator is used only when constructing queries related to metadataresources.provider = 'aws' AND (resources.type = 'aws_instance' AND resources.metadata->>'architecture' = 'x86_64')This example looks for EC2 instances with an architecture of x86_64.

With these operators and keywords, you can construct complex filter conditions in VQL.

VQL Examples

The following examples cover common use cases for VQL.

Combining Providers

Filter for provider resources associated with either AWS or GCP.

(resources.provider = 'aws') OR (resources.provider = 'gcp')

Costs from a List of Regions

Filter for AWS costs in two regions. Note that you will need to use the region code, such as us-east-1.

resources.provider = 'aws' AND (resources.region = 'us-east-1' OR resources.region = 'us-west-1')

Costs by Account ID

Costs for a specific set of resource types and account ID.

resources.provider = 'gcp' AND (resources.account_id = 'user-proj-1234') AND (resources.type = 'google_compute_disk' OR resources.type = 'google_compute_instance')

Costs by Billing Account

Costs for a specific billing account.

resources.provider = 'aws' AND (resources.provider_account_id = '11111111111')

Costs by Resource Type

Filter costs to see a specific resource type. In the example below, the query is looking for any AWS resource that is not an AWS CloudFront Distribution. Resource types are represented like aws_cloudfront_distribution. Expand the box below for a list of all available resource types and their VQL equivalents.

resources.provider = 'aws' AND (resources.type != 'aws_cloudfront_distribution')
Resource Type VQL Representations
ProviderVQL RepresentationFriendly Name
AWSaws_batch_job_definitionBatch Job Definition
AWSaws_mq_brokerMQ Broker
AWSaws_cloudfront_distributionCloudFront Distribution
AWSaws_cloudtrailCloudTrail
AWSaws_codebuild_projectCodeBuild Project
AWSaws_codepipelineCodePipeline
AWSaws_config_config_ruleConfig Rule
AWSaws_ecr_repositoryECR Repository
AWSaws_ecs_serviceECS Service
AWSaws_docdb_cluster_instanceDocumentDB Cluster Instance
AWSaws_route53_zoneRoute 53 Zone
AWSaws_dynamodb_tableDynamoDB Table
AWSaws_ec2_reserved_instanceEC2 Reserved Instance
AWSaws_eks_clusterEKS Cluster
AWSaws_elasticache_clusterElastiCache Cluster
AWSaws_efs_file_systemEFS File System
AWSaws_elasticsearch_domainElasticsearch Domain
AWSaws_lambda_functionLambda Function
AWSaws_glacier_vaultGlacier Vault
AWSaws_globalaccelerator_acceleratorGlobal Accelerator
AWSaws_glue_jobGlue Job
AWSaws_internet_gatewayInternet Gateway
AWSaws_eipElastic IP
AWSaws_msk_clusterMSK Cluster
AWSaws_kms_keyKMS Key
AWSaws_lbLoad Balancer
AWSaws_cloudwatch_log_groupCloudWatch Log Group
AWSaws_mediaconnect_flowMediaConnect Flow
AWSaws_mediaconvert_jobMediaConvert Job
AWSaws_medialive_channelMediaLive Channel
AWSaws_media_package_channelMediaPackage Channel
AWSaws_media_package_vod_assetMediaPackage VOD Asset
AWSaws_media_store_containerMediaStore Container
AWSaws_media_tailor_channelMediaTailor Channel
AWSaws_media_tailor_playback_configurationMediaTailor Playback Configuration
AWSaws_nat_gatewayNAT Gateway
AWSaws_network_interfaceNetwork Interface
AWSaws_outposts_outpostOutposts Outpost
AWSaws_ec2_managed_prefix_listEC2 Managed Prefix List
AWSaws_db_instanceRDS Instance
AWSaws_rds_reserved_instanceRDS Reserved Instance
AWSaws_db_snapshotRDS Snapshot
AWSaws_redshift_clusterRedshift Cluster
AWSaws_route53_resolver_query_log_configRoute 53 Resolver Query Log Config
AWSaws_route_tableRoute Table
AWSaws_s3_bucketS3 Bucket
AWSaws_sagemaker_modelSageMaker Model
AWSaws_savings_planSavings Plan
AWSaws_secretsmanager_secretSecrets Manager Secret
AWSaws_sns_topicSNS Topic
AWSaws_sqs_queueSQS Queue
AWSaws_subnetSubnet
AWSaws_ecs_task_definitionECS Task Definition
AWSaws_transfer_serverTransfer Server
AWSaws_ec2_transit_gatewayEC2 Transit Gateway
AWSaws_instanceEC2 Instance
AWSaws_instance_snapshotEC2 Instance Snapshot
AWSaws_ebs_volumeEBS Volume
AWSaws_vpcVPC
AWSaws_vpc_endpointVPC Endpoint
AWSaws_flow_logFlow Log
AWSaws_vpc_peering_connectionVPC Peering Connection
AWSaws_vpn_gatewayVPN Gateway
AWSaws_wafv2_web_aclWAFv2 Web ACL
AWSaws_workspaces_workspaceWorkSpaces Workspace
Azureazurerm_application_gatewayApplication Gateway
Azureazurerm_application_insightsApplication Insights
Azureazurerm_app_service_planApp Service Plan
Azureazurerm_firewallFirewall
Azureazurerm_snapshotSnapshot
Azureazurerm_container_registryContainer Registry
Azureazurerm_cosmosdb_accountCosmosDB Account
Azureazurerm_databricks_workspaceDatabricks Workspace
Azureazurerm_managed_diskManaged Disk
Azureazurerm_dns_zoneDNS Zone
Azureazurerm_sql_elasticpoolSQL Elastic Pool
Azureazurerm_express_route_circuitExpressRoute Circuit
Azureazurerm_lbLoad Balancer
Azureazurerm_log_analytics_workspaceLog Analytics Workspace
Azureazurerm_logic_app_workflowLogic App Workflow
Azureazurerm_kubernetes_clusterKubernetes Cluster
Azureazurerm_nat_gatewayNAT Gateway
Azureazurerm_postgresql_flexible_serverPostgreSQL Flexible Server
Azureazurerm_postgresql_serverPostgreSQL Server
Azureazurerm_powerbi_dedicated_capacityPower BI Dedicated Capacity
Azureazurerm_private_endpointPrivate Endpoint
Azureazurerm_public_ipPublic IP
Azureazurerm_recovery_services_vaultRecovery Services Vault
Azureazurerm_redis_cacheRedis Cache
Azureazurerm_security_center_pricingSecurity Center Pricing
Azureazurerm_sql_databaseSQL Database
Azureazurerm_sql_managed_instanceSQL Managed Instance
Azureazurerm_storage_accountStorage Account
Azureazurerm_synapse_workspaceSynapse Workspace
Azureazurerm_virtual_machineVirtual Machine
Azureazurerm_virtual_machine_scale_setVirtual Machine Scale Set
Azureazurerm_virtual_network_gatewayVirtual Network Gateway
Googlegoogle_alloydb_backupAlloyDB Backup
Googlegoogle_alloydb_clusterAlloyDB Cluster
Googlegoogle_alloydb_instanceAlloyDB Instance
Googlegoogle_app_engine_serviceApp Engine Service
Googlegoogle_bigquery_datasetBigQuery Dataset
Googlegoogle_bigtable_instanceBigtable Instance
Googlegoogle_compute_diskCompute Disk
Googlegoogle_compute_instanceCompute Instance
Googlegoogle_container_clusterContainer Cluster
Googlegoogle_dataflow_jobDataflow Job
Googlegoogle_firestore_databaseFirestore Database
Googlegoogle_cloudfunctions_functionCloud Functions Function
Googlegoogle_logging_project_bucket_configLogging Project Bucket Config
Googlegoogle_redis_instanceRedis Instance
Googlegoogle_cloud_run_serviceCloud Run Service
Googlegoogle_secret_manager_secretSecret Manager Secret
Googlegoogle_spanner_instanceSpanner Instance
Googlegoogle_sql_database_instanceSQL Database Instance
Googlegoogle_storage_bucketStorage Bucket
Kuberneteskubernetes_workloadKubernetes Workload
Confluentconfluent_kafka_clusterKafka Cluster
MongoDBmongodbatlas_clusterAtlas Cluster
Linodelinode_instanceInstances
Linodelinode_node_balancerNode Balancer
Linodelinode_volumeVolume
Linodelinode_object_storageObject Storage
Linodelinode_kubernetes_clusterKubernetes Clusters
Linodelinode_imageImages

Costs by Label

Resource costs by specific label.

resources.provider = 'aws' AND resources.label = '123456'

Costs for Specific ARN

The UUID is the unique identifier for the resource. In the case of AWS resources, this is the ARN. The below example shows a query for resources that contain specific text within the ARN.

resources.provider = 'aws' AND resources.uuid LIKE '%arn:aws:s3:::my-bucket%'

Resource Metadata Costs

Resource metadata costs require both provider and type as well as metadata. Metadata uses a specific syntax (e.g., resources.metadata->>'domain' = 'vantage.sh').

resources.provider = 'aws' AND (resources.type = 'aws_cloudfront_distribution' AND resources.metadata->>'domain' = 'vantage.sh')

Filter by Tag

Filter resources based on a specific tag, such as terraform, with the value true, in AWS.

resources.provider = 'aws' AND (tags.name = 'terraform' AND tags.value = 'true')

Filter for Untagged Resources

On providers that have a Not Tagged filter option in the console, you can use the below VQL to see untagged resources. This example looks for untagged resources in a multi-cloud environment.

resources.provider = 'gcp' AND tags.name = NULL) OR (resources.provider = 'aws' AND tags.name = NULL