x = y
| = is an "equal" operator. The expression e = y checks whether x is equal to y. If x is equal to y, the expression returns true.
| user = admin returns true for events where the user is an administrator
|
e != y
| != is a "not" operator. The expression e != y checks whether e is equal to y. If e is equal to y, the expression returns false.
| user != "admin" returns true for events where the user is not an administrator
|
e NOT y
| NOT is "not" operator. The expression e NOT y checks whether e is equal to v. If e is equal to y, the expression returns false.
| user NOT admin returns true for events where the user is not an administrator
|
not(expression)
| Checks whether expression is true. If expression is true, the expression returns false. | not(admin = user) returns true for events where the user is not an administrator
|
x && y
| && is an "and"operator. The expression x && y checks whether both x and y are true. If either x or y is false, the expression returns false.
An alternative form of the AND operator and and() expression | src_ip = "192.168.1.2" && EventType = "Login" returns true for login events from source IP address 192.168.1.2
|
x AND y
| AND is an "and" operator. The expression x AND y checks whether both e1 and e2 are true. If either x or y is false, the expression returns false.
An alternative form of the && operator and and() expression. | src_ip = '192.168.1.2" AND EventType = "Login" returns true for login events from source IP address 192.168.1.2
|
and(e1, ..., en)
| Checks whether all of the arguments e1 ... en are true. If any argument is false, the expression returns false. The expression form of the && and AND operators. | and(src_ip = "192.168.1.2", EventType = "Login") returns true for login events from source IP address 192.168.1.2
|
x || y
| || is an "or" operator. The expression x || y checks whether x or y are true. If either are true, the expression returns true. If both are false, the expression returns false.
| src_ip = "192.168.1.1" || src_ip = "192.168.1.2" returns true for events where source IP address is 192.168.1.1 or 192.168.1.2
|
x OR y
| OR is an "or" operator. The expression x OR y checks whether x or y are true. If either are true, the expression returns true. If both are false, the expression returns false.
| src_ip = "192.168.1.1" OR src_ip = "192.168.1.2" returns true for events where source IP address is 192.168.1.1 or 192.168.1.2
|
or(e1, ..., en)
| Checks whether any of the arguments e1 ... en are true. If all arguments are false, the expression returns false. | or(src_ip = "192.168.1.1", src_ip = "192.168.1.2") returns true for events where source IP address is 192.168.1.1 or 192.168.1.2
|
toBoolean(expression)
| Cast operation that converts expression to a boolean value. | toBoolean("hello") returns true
|
if(expression, if-true, if-false)
| Evaluates expression. If true, returns if-true; otherwise, returns if-false. An alternative form of returnIf(). | if(1>0, 10, 5) returns 10
|
returnIf(expression, if-true, if-false
| Evaluates expression. If true, returns if-true; otherwise, returns if-false. An alternative form of if(). | returnIf(1>0,10, 5) returns 10
|
in(expression, e1 ..., en)
| Checks whether the value of expression is equal to any of the values e1 ... en. An alternative form of inList(). | in(2, 1, 2, 3) returns true
|
inList(expression, e1, ..., en)
| Checks whether the value of expression is equal to any of the values e1 ... en. An alternative form of in(). | inList(2, 1, 2, 3,) returns true
|
exists(v1, v2, ..., vn)
| Checks if all values are defined and non-empty. | exists(1, "text", null) returns false
|
first(e1, ..., en)
| Returns the first expression e1 ... en that evaluates to true, non-empty, or non-zero. If none evaluate to true, non-empty, or non-zero, returns null. | first(false, 0, 3) returns 3
|
