# Search syntax for recommendations

On the Recommendations page, you can filter and sort results by building advanced search queries using a custom syntax.

Date range limits
When filtering recommendations by date, the maximum date range is 30 days. You can browse data up to 90 days back from the current date.

## Structure

A full query consists of two optional clauses: `<WHERE>` and `<ORDER BY>`.
You can use these separately. If both clauses are used, `<WHERE>` must come first.

## WHERE clause

The `WHERE` clause identifies the data to filter. It filters results using the following structure:

- **Fields**: Data to filter (available via the autocomplete dropdown in the UI).
Open complete field list  - `Action ID`
  - `Action result`
  - `Action type`
  - `Application name`
  - `Assignee`
  - `Behavior input method`
  - `Behavior is inactivity`
  - `Behavior movement velocity`
  - `Behavior typing velocity`
  - `Campaign ID`
  - `Claimed user ID`
  - `Client name`
  - `Correlation ID`
  - `Device ID`
  - `Device MNC`
  - `Device fingerprint`
  - `Device is emulated`
  - `Device is spoofed`
  - `Device is tampered`
  - `Device model`
  - `Device name`
  - `Device power state`
  - `Device key ID`
  - `Device screen available height`
  - `Device screen available width`
  - `Device screen height`
  - `Device screen width`
  - `Device summer timezone offset`
  - `Device timezone`
  - `Device winter timezone offset`
  - `Fraud ring ID`
  - `IP`
  - `IP company name`
  - `IP location`
  - `Label source`
  - `Label subject`
  - `Label type`
  - `Label use case`
  - `List ID`
  - `Network ASN ID`
  - `Network ASN name`
  - `Network IP city`
  - `Network IP country`
  - `Network IP domain`
  - `Network IP organization type`
  - `Network IP region`
  - `Network IP timezone`
  - `Network is Tor`
  - `Network is VPN`
  - `Network is anonymizer`
  - `Network is proxy`
  - `Payee account number`
  - `Payee bank`
  - `Payee branch`
  - `Payee name`
  - `Payer account number`
  - `Payer bank`
  - `Payer branch`
  - `Payer name`
  - `Preview recommendation`
  - `Preview rule name`
  - `Reason`
  - `Recommendation`
  - `Recommendation was consumed`
  - `Risk score`
  - `Threat`
  - `Total devices per user`
  - `Total users per device`
  - `Transaction amount`
  - `Transaction currency`
  - `Transaction reason`
  - `User ID`
  - `User agent"
- **Supported Operators**:
  - `=`
  - `IN`
  - `BETWEEN` (only for numeric values)
- **Values**:
  - For `IN`: wrap values in parentheses

```
Action type IN (login, authenticated)
```
  - For `BETWEEN`: use parentheses and connect values with `AND`

```
Risk score BETWEEN (10 AND 95)
```
- **Logical Operators**:
Only `AND` is supported to combine multiple conditions.


### Examples

- `Recommendation = DENY`
- `Action type IN (login, authenticated)`
- `Recommendation = TRUST AND Action type IN (login, authenticated)`
- `Risk score BETWEEN (10 AND 95)`
- `Recommendation IN (CHALLENGE, DENY) AND Action type = authenticated AND Risk score BETWEEN (10 AND 95)`


## ORDER BY clause

The `ORDER BY` clause is used to sort the results based on a specific field, in either ascending or descending order.`ORDER BY` clauses are structured as follows:

- `ORDER BY`: keyword (constant)
- **Field**: Identifies the data to filter (available via the autocomplete dropdown in the UI).
Open complete field list  - `Action ID`
  - `Action result`
  - `Action type`
  - `Assignee`
  - `Behavior input method`
  - `Behavior is inactivity`
  - `Behavior movement velocity`
  - `Behavior typing velocity`
  - `Campaign ID`
  - `Correlation ID`
  - `Device ID`
  - `Device MNC`
  - `Device fingerprint`
  - `Device is emulated`
  - `Device is spoofed`
  - `Device is tampered`
  - `Device model`
  - `Device name`
  - `Device screen available height`
  - `Device screen available width`
  - `Device screen height`
  - `Device screen width`
  - `Device summer timezone offset`
  - `Device timezone`
  - `Device winter timezone offset`
  - `Fraud ring ID`
  - `IP`
  - `IP location`
  - `Label source`
  - `Label use case`
  - `Network ASN ID`
  - `Network ASN name`
  - `Network IP city`
  - `Network IP country`
  - `Network IP domain`
  - `Network IP organization type`
  - `Network IP region`
  - `Network IP timezone`
  - `Network is Tor`
  - `Network is VPN`
  - `Network is anonymizer`
  - `Network is proxy`
  - `Recommendation`
  - `Recommendation was consumed`
  - `Risk score`
  - `Total devices per user`
  - `Total users per device`
  - `User ID`
  - `User agent`
- **Direction**: `ASC` or `DESC`


### Examples

- `ORDER BY Risk score DESC`
- `ORDER BY Recommendation ASC`


## Full query example

`Recommendation IN (CHALLENGE, DENY) AND Action type = authenticated AND Risk score BETWEEN (10 AND 95) ORDER BY Risk score DESC`

Explanation:

Show me all the records where:

- the **recommendation** is either **CHALLENGE** or **DENY** → `Recommendation IN (CHALLENGE, DENY)`
- **and** the **action type** is exactly **authenticated** → `Action type = authenticated`
- **and** the **risk score** is between **10 and 95** (inclusive) → `Risk score BETWEEN (10 AND 95)`


...and sort the results by:

- **risk score**, from **highest to lowest** → `ORDER BY Risk score DESC`