Operators

The documentation covers LogScale operators and their usage in comparing field values across strings, numbers, and regular expressions, including detailed explanations of string comparison operators (=, !=, like), numeric operators (<, >, =, etc.), and logical operators (and, or, not). The guide also explains how operators interact with tag fields, provides examples of combining filters with Boolean operators, and demonstrates how to negate filter function expressions for more efficient querying.

Operators allow for comparisons of field values. Comparison operators work on strings, numbers, and/or regular expressions.

When using operators:

  • The left-hand side of the operator is interpreted as a field name. If 200 = statuscode is written, LogScale tries to find a field named 200 and tests whether its value is statuscode. The value must match exactly, including case.

  • For more flexibility with filtering, use the wildcard() function.

  • If a specified field is not present in an event, the comparison always fails unless it is !=. This behavior can be used to match events that don't have a given field, using either not (foo = *) or the equivalent foo != * to find events that do not have the field foo.

  • When comparing two fields instead of a field and a value, use the test() function. Within test(), double quotes decide what is a value and what is a field: a double-quoted string is a value, and an unquoted name is a field.

    test() uses the eval expression syntax that is also available in other functions, including eval(), if(), and coalesce(), and in the evaluation shorthand:

    logscale Syntax
    field := evalExpression.

    For more information on eval syntax, see Expressions.
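The following query is an added example (not from the original documentation) of the test() and shorthand syntax described above; the field names method, bytes_out and bytes_in are assumed:

```logscale
// Added example; the field names are assumed, not taken from the documentation.
// Inside test(), the double-quoted "POST" is a string value and method is a field.
test(method == "POST")
// Guard against a zero divisor before computing the ratio below.
| test(bytes_in > 0)
// Field-to-field comparison: a plain filter cannot do this, test() can.
| test(bytes_out > bytes_in)
// Evaluation shorthand, field := evalExpression, creates a new field.
| ratio := bytes_out / bytes_in
// The new field can be compared in the same expression syntax.
| test(ratio >= 10)
```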

Operators Reference

This reference provides a comprehensive list of all operators available in the CrowdStrike Query Language (CQL), organized by category and usage context.

Table: All Operators by Type

| Type | Operators |
| --- | --- |
| String Comparison | =, !=, like |
| Numeric Comparison | =, !=, <, <=, >, >= |
| Expression Comparison | ==, !=, <, <=, >, >=, <=> |
| Logical | AND, OR, NOT, ! |
| Arithmetic | +, -, *, /, % |
| Unary | -, ! |
| Assignment | :=, =~ |
| Special | \|, *, => |
| Pattern | /regex/, * (wildcard) |

Comparison Operators

Comparison operators are used to compare field values in filter expressions.

Table: Comparison Operators

| Operator | Category | Description | Case Sensitive | Example |
| --- | --- | --- | --- | --- |
| = | String/Numeric | Equal to (exact match for strings, numeric equality for numbers) | Yes | statuscode = 404 |
| != | String/Numeric | Not equal to | Yes | statuscode != 200 |
| like | String | Contains string (supports wildcards with *) | Yes | class like "Bucket" |
| < | Numeric | Less than | N/A | statuscode < 400 |
| <= | Numeric | Less than or equal to | N/A | statuscode <= 400 |
| > | Numeric | Greater than | N/A | statuscode > 400 |
| >= | Numeric | Greater than or equal to | N/A | statuscode >= 400 |
| /regex/ | String/Pattern | Regular expression match | Configurable | class = /Bucket/ |

Logical Operators

Logical operators combine filter expressions using Boolean logic.

Table: Logical Operators

| Operator | Description | Precedence | Example |
| --- | --- | --- | --- |
| AND | Logical AND (implicit when space-separated) | Lower than OR | foo AND user=bar |
| OR | Logical OR | Higher than AND | statuscode=404 OR statuscode=500 |
| NOT | Logical NOT (negation) | Highest | NOT bar |
| ! | Logical NOT (alternative syntax) | Highest | !bar |

Important

In CQL, OR binds closer than AND, which is different from most programming languages. Space-separated terms are implicitly joined with AND.

The AND and OR operators do not work with function calls. Use pipes to combine filter expressions with functions.

Expression Operators

Expression operators are used within eval(), test(), if(), and other functions that accept expressions.

Comparison Operators in Expressions

Table: Expression Comparison Operators

| Operator | Description | Used In |
| --- | --- | --- |
| == | Equal to | test(), eval(), expressions |
| != | Not equal to | test(), eval(), expressions |
| >= | Greater than or equal to | test(), eval(), expressions |
| <= | Less than or equal to | test(), eval(), expressions |
| > | Greater than | test(), eval(), expressions |
| < | Less than | test(), eval(), expressions |

Arithmetic Operators

Table: Arithmetic Operators

| Operator | Description | Example |
| --- | --- | --- |
| + | Addition | a := b + c |
| - | Subtraction | a := b - c |
| * | Multiplication | a := b * c |
| / | Division | a := b / c |
| % | Modulo | a := b % c |

Unary Operators

Table: Unary Operators

| Operator | Description | Example |
| --- | --- | --- |
| - | Negation | a := -b |
| ! | Logical NOT | a := !b |

Assignment and Field Operators

Table: Assignment and Field Operators

| Operator | Description | Example |
| --- | --- | --- |
| := | Field assignment (creates or updates field) | field := expression |
| =~ | Field shorthand (passes field to function) | field =~ regex("pattern") |

Special Operators

Table: Special Operators

| Operator | Description | Used In | Example |
| --- | --- | --- | --- |
| <=> | Link operator | correlate() function | Used to correlate fields between queries |
| => | Match arrow | match statements | pattern => pipeline |
| \| | Pipe operator | Pipeline construction | query1 \| query2 |
| * | Wildcard | Pattern matching | field = *value* |

Operator Precedence

In Filter Expressions

Operator precedence from highest to lowest:

  1. NOT, ! (unary negation)

  2. OR

  3. AND (explicit or implicit)

In Eval Expressions

Operator precedence from highest to lowest:

  1. Unary operators: -, !

  2. Multiplicative: *, /, %

  3. Additive: +, -

  4. Comparison: ==, !=, >=, <=, >, <, <=>

Special Behaviors

Field Existence Testing
  • field = * - Matches events with the field present

  • field != * - Matches events without the field

  • not (field = *) - Alternative syntax for field absence

Pattern Anchoring
  • Patterns in filters are automatically anchored (must match entire value) unless wildcards are used

  • Regular expressions are not anchored by default (use ^ and $ anchors explicitly)

Type Conversion
  • String values are automatically converted to numbers for numeric comparisons

  • Example: statuscode = "404" converts the string "404" to the number 404

Wildcards
  • * in patterns matches any sequence of characters

  • Multiple * are equivalent to single *

  • Cannot be escaped; use regex for literal asterisk matching

Comparison Operators on Strings

For string operators, the syntax assumes values to the right of the operator are strings. In the following example, the string in question is Bucket, as it is directly to the right of the like operator:

logscale Syntax
class like "Bucket"

The like operator also supports wildcards. In the next example, the like operator will find entries that begin with foo and end with bar:

logscale Syntax
class like "foo*bar"

Here is a list of comparison operators that are available to LogScale users:

| Operator | Case Sensitive | Description |
| --- | --- | --- |
| = | Yes | Field is equal to the entire declared string. Also achievable using /regex/. |
| != | Yes | Field does not equal the entire declared string. Also achievable using /regex/. |
| like | Yes | Field contains the declared string. Also achievable using /regex/. |

The like operator filters for fields containing the string, but remains case sensitive. Take the following like operator query:

logscale Syntax
class like "Bucket"

Because the like filter is case sensitive, it is also equivalent to the following query:

logscale Syntax
class like "*Bucket*"

That query is therefore also equivalent to the next query:

logscale Syntax
class = *Bucket*

Or

logscale Syntax
class like /Bucket/

Or

logscale Syntax
class = /Bucket/

Comparison Operators on Numbers

Numerical operators can be used to filter on a numerical value. LogScale will attempt to convert the value to a number before comparison, reporting an error if the value cannot be converted. To compare two numerical fields, use the test() function. In the following example, if statuscode is a numeric value, the string will be converted to a number before comparison:

logscale Syntax
statuscode = "404"

The following is a table of comparison operators:

| Query | Description |
| --- | --- |
| statuscode < 400 | Less than |
| statuscode <= 400 | Less than or equal to |
| statuscode = 400 | Equal to |
| statuscode != 400 | Not equal to |
| statuscode >= 400 | Greater than or equal to |
| statuscode > 400 | Greater than |
| 400 = statuscode | The field 400 is equal to statuscode. |
| 400 > statuscode | This comparison generates an error. You can only perform a comparison between numbers. In this example, statuscode is not a number, and 400 is the name of a field. |

Filtering on Tag Fields

Tag fields define datasources for a given event, and impact the storage and performance of queries. For more information, see Datasources. When filtering on a tag field, filters behave the same way as regular Query Filters. This is recommended to decrease query time by reducing the amount of data to be searched.

Due to performance implications, filters on tag fields should be placed first in the query. For more information on running queries and selecting fields for filtering, see Multi-line queries.

See the Parsing Event Tags documentation for more on tags.

Logical Operators

You can combine filters using the AND, OR, NOT Boolean operators, and group them with parentheses. ! can also be used as an alternative to unary not.

Important

In CQL, OR binds closer than AND in queries. This differs from many other programming languages and environments, but has been designed to aid the execution of queries where filtering (i.e. selecting between values) is the primary activity.

Examples

| Query | Description |
| --- | --- |
| foo and user=bar | Match events with foo in any field and a user field matching bar. |
| foo bar | Since the AND operator is implicit, you do not need to include it in this simple type of query. |
| statuscode=404 and (method=GET or method=POST) | Match events with 404 in their statuscode field, and either GET or POST in their method field. |
| foo not bar | This query is equivalent to the query foo and (not bar). |
| !bar | This query is equivalent to the query not bar. |
| not foo bar | This query is equivalent to the query (not foo) and bar. This is because the NOT operator has a higher priority than AND and OR. |
| foo and not bar or baz | This query is equivalent to the query foo and ((not bar) or baz). |
| foo or not bar and baz | This query is equivalent to the query (foo or (not bar)) and baz. |
| foo not statuscode=200 | This query is equivalent to the query foo and statuscode!=200. |

Important

The Boolean operators AND and OR do not work with functions. The following query will not complete:

Invalid Example for Demonstration - DO NOT USE
logscale
regex(/disconnect/) AND !in(field="source.ip", values=["192.168.1.1", "192.178.1.1"])

Instead, use pipes to combine the filter expressions in successive pipeline steps.
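The invalid query above, rewritten as pipeline steps, as an added example that is not from the original documentation; the tag filter #source="firewall" at the start is assumed and follows the recommendation to place tag filters first:

```logscale
// Added example, not from the original documentation.
// The tag field #source and its value "firewall" are assumed.
#source="firewall"
// Each filter function is its own pipeline step instead of an AND operand.
| regex(/disconnect/)
// NOT (!) is still allowed in front of a single filter function.
| !in(field="source.ip", values=["192.168.1.1", "192.178.1.1"])
// Plain field filters may still use and/or/not within one step
// (remember that OR binds closer than AND).
| statuscode=404 or statuscode=500
```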

Negating the Result of Filter Functions

The operators NOT and ! can also be used to negate filter function expressions, which is syntactically cleaner than passing an explicit negate=true argument. The following are some examples of this concept:

logscale Syntax
...
| !cidr(ip, subnet="127.0.0/16")
| ...
...
| !in(field, values=[a, b, c])
| ...
...
| !regex("xxx")
| ...

Link Operator

The link operator <=> is used within the correlate() function to identify relationships between individual constraints within the correlation. On the left side is an ordinary field name; on the right side is the name of a field in a different query — this is where query names become involved.

For more information, see correlate().