Operators
The documentation covers LogScale operators and their usage in comparing field values across strings, numbers, and regular expressions, including detailed explanations of string comparison operators (=, !=, like), numeric operators (<, >, =, etc.), and logical operators (and, or, not). The guide also explains how operators interact with tag fields, provides examples of combining filters with Boolean operators, and demonstrates how to negate filter function expressions for more efficient querying.
Operators allow for comparisons of field values. Comparison operators work on strings, numbers, and/or regular expressions.
When using operators:
- The left-hand side of the operator is interpreted as a field name. If 200 = statuscode is written, LogScale tries to find a field named 200 and tests whether its value is statuscode. The value must match exactly, including case. For more flexibility with filtering, use the wildcard() function.
- If a specified field is not present in an event, the comparison always fails unless the operator is !=. This behavior can be used to match events that don't have a given field: either not (foo = *) or the equivalent foo != * finds events that do not have the field foo.
- When comparing two fields instead of a field and a value, use the test() function. In test(), double quotes distinguish values from fields: an unquoted name is a field, a quoted string is a value. test() uses the eval expression syntax that is also available in other functions, including eval(), if(), and coalesce(), and in the assignment shorthand field := evalExpression. For more information on eval syntax, see Expressions.
Operators Reference
This reference provides a comprehensive list of all operators available in the CrowdStrike Query Language (CQL), organized by category and usage context.
Table: All Operators by Type
Comparison Operators
Comparison operators are used to compare field values in filter expressions.
Table: Comparison Operators
| Operator | Category | Description | Case Sensitive | Example |
|---|---|---|---|---|
| = | String/Numeric | Equal to (exact match for strings, numeric equality for numbers) | Yes | statuscode = 404 |
| != | String/Numeric | Not equal to | Yes | statuscode != 200 |
| like | String | Contains string (supports wildcards with *) | Yes | class like "Bucket" |
| < | Numeric | Less than | N/A | statuscode < 400 |
| <= | Numeric | Less than or equal to | N/A | statuscode <= 400 |
| > | Numeric | Greater than | N/A | statuscode > 400 |
| >= | Numeric | Greater than or equal to | N/A | statuscode >= 400 |
| /regex/ | String/Pattern | Regular expression match | Configurable | class = /Bucket/ |
Logical Operators
Logical operators combine filter expressions using Boolean logic.
Table: Logical Operators
Expression Operators
Expression operators are used within eval(), test(), if(), and other functions that accept expressions.
Comparison Operators in Expressions
Table: Expression Comparison Operators
| Operator | Description | Used In |
|---|---|---|
| == | Equal to | test(), eval(), expressions |
| != | Not equal to | test(), eval(), expressions |
| >= | Greater than or equal to | test(), eval(), expressions |
| <= | Less than or equal to | test(), eval(), expressions |
| > | Greater than | test(), eval(), expressions |
| < | Less than | test(), eval(), expressions |
Arithmetic Operators
Table: Arithmetic Operators
| Operator | Description | Example |
|---|---|---|
| + | Addition | a := b + c |
| - | Subtraction | a := b - c |
| * | Multiplication | a := b * c |
| / | Division | a := b / c |
| % | Modulo | a := b % c |
Unary Operators
Table: Unary Operators
| Operator | Description | Example |
|---|---|---|
| - | Negation | a := -b |
| ! | Logical NOT | a := !b |
Assignment and Field Operators
Table: Assignment and Field Operators
Special Operators
Table: Special Operators
| Operator | Description | Used In | Example |
|---|---|---|---|
| <=> | Link operator; used to correlate fields between queries | correlate() function | |
| => | Match arrow | match statements | pattern => pipeline |
| \| | Pipe operator | Pipeline construction | query1 \| query2 |
| * | Wildcard | Pattern matching | field = *value* |
Operator Precedence
In Filter Expressions
Operator precedence from highest to lowest (see Logical Operators below):
- Unary: not, !
- or
- and (also implicit between two adjacent terms)
In Eval Expressions
Operator precedence from highest to lowest:
- Unary operators: -, !
- Multiplicative: *, /, %
- Additive: +, -
- Comparison: ==, !=, >=, <=, >, <, <=>
Special Behaviors
Field Existence Testing
- field = * matches events in which the field is present
- field != * matches events in which the field is absent
- not (field = *) is an alternative syntax for field absence
Pattern Anchoring
- Patterns in filters are automatically anchored (they must match the entire value) unless wildcards are used
- Regular expressions are not anchored by default (use the ^ and $ anchors explicitly)
Type Conversion
- String values are automatically converted to numbers for numeric comparisons
- Example: statuscode = "404" converts "404" to the number 404
Wildcards
- * in patterns matches any sequence of characters
- Multiple consecutive * are equivalent to a single *
- * cannot be escaped; use a regular expression to match a literal asterisk
Comparison Operators on Strings
For string operators, the syntax assumes values to the right of the operator are strings. In the following example, the string in question is Bucket, as it is directly to the right of the like operator:
class like "Bucket"
The like operator also supports wildcards. In the next example, like will find entries that begin with foo and end with bar:
class like "foo*bar"
Here is a list of comparison operators that are available to LogScale users:
| Operator | Case Sensitive | Description |
|---|---|---|
| = | Yes | Field is equal to the entire declared string. Also achievable using /regex/. |
| != | Yes | Field does not equal the entire declared string. Also achievable using /regex/. |
| like | Yes | Field contains the declared string. Also achievable using /regex/. |
The like operator filters for fields containing the string, but remains case sensitive. Take the following like operator query:
class like "Bucket"
Because like matches the string anywhere within the field value (and the match is case sensitive), this query is equivalent to the following query:
class like "*Bucket*"
That query is therefore also equivalent to the next query:
class = *Bucket*
Or
class like /Bucket/
Or
class = /Bucket/
Comparison Operators on Numbers
Numerical operators can be used to filter on a numerical value. LogScale will attempt to convert the value to a number before comparison, reporting an error if the value cannot be converted. To compare two numerical fields, use the test() function. In the following example, if statuscode is a numeric value, the string "404" is converted to a number before comparison:
statuscode = "404"
The following is a table of comparison operators:
| Query | Description |
|---|---|
| statuscode < 400 | Less than |
| statuscode <= 400 | Less than or equal to |
| statuscode = 400 | Equal to |
| statuscode != 400 | Not equal to |
| statuscode >= 400 | Greater than or equal to |
| statuscode > 400 | Greater than |
| 400 = statuscode | The field 400 is equal to statuscode. |
| 400 > statuscode | This comparison generates an error. You can only perform a comparison between numbers. In this example, statuscode is not a number, and 400 is the name of a field. |
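The rules summarized under Special Behaviors and in the two sections above (= is a whole-value, case-sensitive match; like is a substring match; != is the only operator that matches a missing field; only the ordering operators convert to numbers; and the left-hand side is always a field name) are small enough to model and check against sample data. The Python below is an added example written for this page, not LogScale code. It assumes that field values are held as strings, that = and != are string comparisons with * wildcards, and that a field whose value is missing or non-numeric simply fails an ordering comparison rather than raising an error; the page itself only says that a literal that cannot be converted is reported as an error. The events are constructed for the example.

```python
"""Model of LogScale comparison semantics (added example for this page, not LogScale code).
Assumptions not stated by the page: field values are held as strings; '=' and '!=' compare
strings (with '*' wildcards); only '<' '<=' '>' '>=' convert both sides to numbers; a field
whose value is absent or non-numeric simply fails an ordering comparison."""
import re


def _glob(pattern: str) -> re.Pattern:
    """'*' matches any run of characters; nothing else is special and '*' cannot be escaped."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)


def eq(event: dict, field: str, value) -> bool:
    """field = value: an absent field never matches; whole-value, case-sensitive match."""
    return field in event and _glob(str(value)).fullmatch(str(event[field])) is not None


def ne(event: dict, field: str, value) -> bool:
    """field != value: the one comparison that succeeds when the field is absent."""
    return not eq(event, field, value)


def like(event: dict, field: str, value: str) -> bool:
    """field like value: case-sensitive substring match, the same as field = *value*."""
    return eq(event, field, f"*{value}*")


def numeric(event: dict, field: str, op: str, value) -> bool:
    """field < value and friends: the literal must convert to a number or an error is
    reported; a field value that is missing or not numeric does not match (assumption)."""
    try:
        rhs = float(value)
    except (TypeError, ValueError):
        raise ValueError(f"{value!r} cannot be converted to a number") from None
    try:
        lhs = float(event[field])
    except (KeyError, ValueError):
        return False
    return {"<": lhs < rhs, "<=": lhs <= rhs, ">": lhs > rhs, ">=": lhs >= rhs}[op]


# Constructed sample events (not from the page), in the style of the class/statuscode examples.
EVENTS = [
    {"id": 1, "class": "S3Bucket", "statuscode": "404", "method": "GET"},
    {"id": 2, "class": "bucketpolicy", "statuscode": "200", "method": "POST"},
    {"id": 3, "class": "BucketAcl", "statuscode": "503"},  # no method field
    {"id": 4, "class": "Other", "statuscode": "n/a", "method": "GET"},  # non-numeric status
]


def ids(predicate) -> list:
    """Ids of the sample events for which predicate(event) holds."""
    return [e["id"] for e in EVENTS if predicate(e)]


if __name__ == "__main__":
    print(ids(lambda e: like(e, "class", "Bucket")))  # [1, 3]: substring, case-sensitive
    print(ids(lambda e: eq(e, "class", "Bucket")))  # []: '=' must match the whole value
    print(ids(lambda e: eq(e, "class", "*Bucket*")))  # [1, 3]: the like query, spelled out
    print(ids(lambda e: ne(e, "method", "*")))  # [3]: events without a method field
    print(ids(lambda e: numeric(e, "statuscode", ">=", 400)))  # [1, 3]: "n/a" never matches
    print(ids(lambda e: eq(e, "400", "statuscode")))  # []: the left-hand side is a field name
```

The last line is the case from the table above: 400 = statuscode looks for a field named 400, so it matches nothing. The lowercase bucketpolicy event is the reason like "Bucket" returns two events rather than three, which is worth remembering when a detection rule keys on a class or process name whose case varies between log sources.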
Filtering on Tag Fields
Tag fields define datasources for a given event, and impact the storage and performance of queries. For more information, see Datasources. When filtering on a tag field, filters behave the same way as regular Query Filters. Filtering on tag fields is recommended to decrease query time by reducing the amount of data to be searched.
Because of these performance implications, filters on tag fields should be placed first in the query. For more information on running queries and selecting fields for filtering, see Multi-line queries.
See the Parsing Event Tags documentation for more on tags.
Logical Operators
You can combine filters using the AND, OR, and NOT Boolean operators, and group them with parentheses. ! can also be used as an alternative to the unary not.
Important
In CQL, OR binds closer than AND in queries. This differs from many other programming languages and environments, but has been designed to aid the execution of queries where filtering (i.e. selecting between values) is the primary activity.
Examples
| Query | Description |
|---|---|
| foo and user=bar | Match events with foo in any field and a user field matching bar. |
| foo bar | Since the AND operator is implicit, you do not need to include it in this simple type of query. |
| statuscode=404 and (method=GET or method=POST) | Match events with 404 in their statuscode field, and either GET or POST in their method field. |
| foo not bar | This query is equivalent to the query foo and (not bar). |
| !bar | This query is equivalent to the query not bar. |
| not foo bar | This query is equivalent to the query (not foo) and bar. This is because the NOT operator has a higher priority than AND and OR. |
| foo and not bar or baz | This query is equivalent to the query foo and ((not bar) or baz). |
| foo or not bar and baz | This query is equivalent to the query (foo or (not bar)) and baz. |
| foo not statuscode=200 | This query is equivalent to the query foo and statuscode!=200. |
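Because OR binds tighter than AND, a query written with the precedence of most programming languages in mind can silently match fewer events than intended, which in a detection rule means missed alerts. The following Python is an added example for this page, not LogScale code: a small parser that applies the page's precedence rules (NOT, then OR, then AND, with AND implicit between adjacent terms) and prints each query fully parenthesized so the grouping is visible, then evaluates queries against a constructed authentication log. It handles field=value, field!=value, free-text words and parentheses only; quoted values and filter functions are left out, and the case handling of real free-text search is not modelled.

```python
"""Model of CQL Boolean precedence (added example for this page, not LogScale code).
Binding strength, tightest first, as the page describes: NOT (or '!'), then OR, then AND,
which may be implicit between adjacent terms. Atoms: field=value, field!=value, bare
free-text words, parenthesised groups. Quoted values and functions are not modelled."""
import re

_TOKEN = re.compile(r"\(|\)|!(?!=)|[^\s()]+")


class Parser:
    def __init__(self, query: str):
        self.toks, self.pos = _TOKEN.findall(query), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok, self.pos = self.peek(), self.pos + 1
        return tok

    def and_expr(self):  # loosest; the 'and' keyword is optional between terms
        node = self.or_expr()
        while self.peek() not in (None, ")"):
            if self.peek().lower() == "and":
                self.take()
            node = ("and", node, self.or_expr())
        return node

    def or_expr(self):  # binds tighter than AND in CQL
        node = self.not_expr()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.not_expr())
        return node

    def not_expr(self):  # tightest; applies to the single following term only
        if self.peek() is not None and self.peek().lower() in ("!", "not"):
            self.take()
            return ("not", self.not_expr())
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok in (None, ")"):
            raise SyntaxError("expected a term")
        if tok == "(":
            node = self.and_expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        if "!=" in tok:
            return ("ne", *tok.split("!=", 1))
        if "=" in tok:
            return ("eq", *tok.split("=", 1))
        return ("text", tok)


def parse(query: str):
    p = Parser(query)
    node = p.and_expr()
    if p.peek() is not None:  # only an unbalanced ')' can be left over
        raise SyntaxError(f"unexpected {p.peek()!r}")
    return node


def show(node) -> str:
    """Render the tree fully parenthesised so the grouping CQL chose is visible."""
    kind = node[0]
    if kind in ("and", "or"):
        return f"({show(node[1])} {kind} {show(node[2])})"
    if kind == "not":
        return f"(not {show(node[1])})"
    return node[1] if kind == "text" else node[1] + ("!=" if kind == "ne" else "=") + node[2]


def matches(node, event: dict) -> bool:
    """'=' fails on a missing field, '!=' matches one; free text matches any field value."""
    kind = node[0]
    if kind == "and":
        return matches(node[1], event) and matches(node[2], event)
    if kind == "or":
        return matches(node[1], event) or matches(node[2], event)
    if kind == "not":
        return not matches(node[1], event)
    if kind in ("eq", "ne"):
        equal = node[1] in event and str(event[node[1]]) == node[2]
        return equal if kind == "eq" else not equal
    return any(node[1] in str(v) for v in event.values())


def search(query: str, events) -> list:
    """Ids of the events that the query matches."""
    tree = parse(query)
    return [e["id"] for e in events if matches(tree, e)]


# Constructed sample events (not from the page): a small authentication log.
EVENTS = [
    {"id": 1, "user": "alice", "action": "login", "result": "failure"},
    {"id": 2, "user": "bob", "action": "login", "result": "success"},
    {"id": 3, "user": "alice", "action": "sudo", "result": "failure"},
    {"id": 4, "user": "eve", "action": "login"},  # no result field
]
```

Running show(parse(q)) on the queries from the table reproduces its groupings, for example foo or not bar and baz becomes ((foo or (not bar)) and baz). The practical case is search("user=bob or result=failure and action=sudo", EVENTS): read with C-style precedence it would mean "any event by bob, or any failed sudo", but CQL groups it as (user=bob or result=failure) and action=sudo and returns only event 3, dropping bob's login; the parenthesized form returns events 2 and 3. Parenthesize whenever a query mixes or and and, and note that login not result=failure and login result!=failure both return events 2 and 4, because both not and != succeed on the event that has no result field at all.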
Important
The Boolean operators AND and OR do not work with functions. The following query will not complete:
regex(/disconnect/) AND !in(field="source.ip", values=["192.168.1.1", "192.178.1.1"])
Instead, use pipes to combine the filter expressions in successive pipeline steps.
Negating the Result of Filter Functions
The operators NOT and ! can also be used to negate filter function expressions, which is syntactically cleaner than passing an explicit negate=true argument. The following are some examples of this concept:
...
| !cidr(ip, subnet="127.0.0.0/16")
| ...
...
| !in(field, values=[a, b, c])
| ...
...
| !regex("xxx")
| ...
Link Operator
The link operator <=> is used within the correlate() function to identify relationships between individual constraints within the correlation. On the left side is an ordinary field name; on the right side is the name of a field in a different query, which is where query names become involved.
For more information, see correlate().