---
title: "Build Queries in Context Graph Search"
slug: "how-to-build-queries-in-context-graph-search"
updated: 2026-06-09T03:01:24Z
published: 2026-06-09T03:01:24Z
canonical: "help.silentpush.com/how-to-build-queries-in-context-graph-search"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://help.silentpush.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Build Queries in Context Graph Search

This guide walks you through creating, executing, editing, and saving queries in the Web Search tool within Silent Push. It focuses on **combining data sources**, such as Web Scan and Dark Web Scan, to build powerful, multifaceted queries that uncover hidden threats across the surface and deep web.

Web Search enables you to query our extensive database of over 100 Web Data elements, including unique content hashes for malware detection. Use **Simple Search** for an intuitive graphical interface (ideal for beginners) or **Advanced Search** for precise control with Silent Push Query Language (SPQL) syntax (for technical users).

Data sources such as Web Scan (surface web), Dark Web Scan (Tor/onion sites), Open Directory Scan, Banner Scan, and Whois Scan can be combined using `AND` logic to refine results. For example, stack Web Scan and Dark Web Scan to find domains that mimic your brand on both the clearnet and the dark web.

Refer to [SPQL Syntax Rules](/v1/docs/syntax) for operators and fields, and [SPQL Query Examples](/v1/docs/query-examples) for guidance.

## Access Web Search

1. From the navigation menu, select **Reconnaissance > Web Search**.
2. Choose the **Simple Search** or the **Advanced Search** tab.

![Context Graph Search interface showing data source selection and query generation options.](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/Screenshot 2026-06-02 at 1.15.05 PM(1).png)

## Simple Search

Build queries visually by selecting data sources and adding expressions (Field + Operator + Value) linked by AND logic—stack sources by enabling multiple checkboxes.

### Create a Query

1. Click **New**.
2. **Select Data Sources**: Check at least one (e.g., **Web Scan** and **Dark Web Scan** to stack them).
3. **Build Expressions**:
  - **Field Name**: Dropdown or type (e.g., `domain`).
  - **Operator**: Select (e.g., `=`, `!=`, `*` for wildcard).
  - **Value**: Enter (e.g., `crypto*`).
4. **Add More Conditions**: Click the******sign****for additional expressions. ![Input fields for domain filtering with options for operator and value selection.](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/Screenshot 2025-10-31 at 9.58.29 AM.png)
5. **Sort Order** (Optional): Select a field (e.g., `scan_date` descending).
6. Click **Search**.

> [!TIP]
> Stacking Web Scan + Dark Web Scan? Start with broad fields like `htmltitle` to cross-reference threats.

### Example: Stack Web and Dark Web for Phishing Domains

- **Data Sources**: Web Scan **AND** Dark Web Scan
- **Expression 1**: `domain` `=` `bank*`
- **Expression 2**: `htmltitle` `*` `login`
- **Sort**: `scan_date` (descending)
- **Result**: Bank-themed login pages on both surface and dark web, sorted newest first. ![Selecting data sources for a search query involving domain and HTML title.](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/Screenshot 2025-10-31 at 10.04.27 AM.png)

### Edit and Save

- Enter **Name** and **Description**; click **Save**. Access saved queries via **My Searches**.
  - For more information, check out [Work with Web Search results](/v1/docs/working-with-web-scanner-results).
- Modify expressions post-search; click **Search** to re-run.

## Advanced Search: SPQL Syntax for Precise Stacking

Use command-line-like SPQL to stack sources explicitly with `datasource` conditions.

### Understand SPQL for Stacking

- SPQL queries: `field operator value [AND/OR] field operator value`.
- **To stack**: Use `datasource = "webscan" AND datasource = "torscan"` (for Web + Dark Web).
- Spaces separate elements; wildcards (`*`), regex (`~=`), and date math (e.g., `now-7d`) enhance precision.

### Create a Query

1. Select the **Advanced Search** tab; click **New**.
2. **Enter SPQL Query**: E.g., `datasource = "webscan" AND datasource = "torscan" AND domain = bank*`.
3. **Sort Order** (Optional): E.g., `scan_date/desc`.
4. Press **Enter** or click the blue arrow.

> [!NOTE]
> Tip
> 
> Test SPQL in the [CLI tool](/v1/docs/silent-push-command-line-interface-cli-guide) first for complex stacks.

### Example: Stack for Recent Threats

- **Query**: `datasource = "webscan" AND datasource = "torscan" AND htmltitle = "*credit card*" AND scan_date &gt; now-30d`
- **Sort**: `scan_date/desc`
- **Result**: Credit card mentions on the web and dark web from the last 30 days.

### Edit and Save

- Click **Web Scanner Search Form** to expand, modify, and re-run.
- Save is the same as Simple Search.

## Stacking in Action

| Example | Stacked Sources | SPQL/Simple Query | Expected Results |
| --- | --- | --- | --- |
| Brand Impersonation Across Webs | Web Scan + Dark Web | `datasource = "webscan" AND datasource = "torscan" AND favicon_murmur3 = "309020573" AND ssl.subject.organization != "YourBrand, Inc."` | Sites using your favicon without your cert, on clearnet and Tor. |
| Web Resources + Open Directory | `datasource = "webresources" AND datasource = "opendirectory" AND resource_hostname = "example.com" AND header.content-type = "*javascript*" AND scan_date &gt;= now-30d` | JS files on your site and open dirs, last 30 days. |  |
|  | WHOIS + Banner Scan | `datasource = "whois" AND datasource = "bannerscan" AND email = "suspicious@email.com" AND header.server != "nginx" AND scan_date &gt; now-90d` | Servers with matching WHOIS email, non-standard banners, and recent. |

## Troubleshooting and Tips

- **No Results?** Verify that data sources are enabled and check the field names in [Field Names](/v1/docs/spql-data-fields). Use broad wildcards first.
- **Performance**: Limit results with `limit=100` in API/CLI; stack sparingly for large queries.
- **API/CLI Integration**: Export saved queries to [API](/docs/SPQL-API-Guide) or [CLI](/docs/SPQL-CLI-Guide) for automation.
- **Errors**: Invalid SPQL? Escape quotes in values; regex needs `~=`.

## Resources

- [SPQL Syntax Rules](/docs/SPQL-Syntax-Rules)
- [SPQL Query Examples](/docs/SPQL-Query-Examples)
- [SPQL Data Sources](/docs/SPQL-Data-Sources)

A hidden part of the internet, accessible only through special software, where illicit activities, such as the sale of stolen data or malware, often occur, monitored by threat intelligence teams.

A suite of tools in a threat intelligence platform for scanning and analyzing web-based content, including clearnet, dark web, and non-web services, to identify threats and vulnerabilities.

Publicly available data collected during domain registration or DNS updates, used to analyze domain ownership and history.