Operators

Comparison Operators on Numbers

| Query | Description |
|---|---|
| statuscode < 400 | Less than |
| statuscode <= 400 | Less than or equal to |
| statuscode = 400 | Equal to |
| statuscode != 400 | Not equal to |
| statuscode >= 400 | Greater than or equal to |
| statuscode > 400 | Greater than |
| 400 = statuscode | (!) The field '400' is equal to statuscode. |
| 400 > statuscode | This comparison generates an error. You can only perform a comparison between numbers. In this example, statuscode is not a number, and 400 is the name of a field. |

Note

The left-hand side of the operator is interpreted as a field name. If you write 200 = statuscode, LogScale tries to find a field named 200 and tests whether its value is statuscode.

Warning

If the specified field is not present in an event, then the comparison always fails — unless it is !=. You can use this behavior to match events that do not have a given field, using either not (foo = *) or the equivalent foo != * to find events that do not have the field foo.
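The comparison rules above, modelled in Python as an added example (this is not LogScale code and not part of the original documentation). The `matches` and `search` helpers and the sample events are constructed for illustration; only the bare `*` wildcard is modelled, and treating a non-numeric field value as a non-match is an assumption of the model.

```python
import operator

NUMERIC = {"<": operator.lt, "<=": operator.le, ">=": operator.ge, ">": operator.gt}

# Constructed sample events; every field value is a string.
EVENTS = [
    {"id": "1", "method": "GET", "statuscode": "200"},
    {"id": "2", "method": "POST", "statuscode": "404"},
    {"id": "3", "method": "GET"},        # no statuscode field
    {"id": "4", "200": "statuscode"},    # a field literally named 200
]

def matches(event, field, op, value):
    """Model of `field op value`: the left-hand side is always a field name."""
    if op in NUMERIC:
        wanted = float(value)            # ValueError: right-hand side must be a number
    if field not in event:
        return op == "!="                # missing field: only != succeeds
    actual = event[field]
    if op in ("=", "!="):
        equal = value == "*" or actual == value   # only the bare * wildcard is modelled
        return equal == (op == "=")
    try:
        return NUMERIC[op](float(actual), wanted)
    except ValueError:
        return False                     # assumption: non-numeric field values never match

def search(*conditions):
    """Return ids of sample events satisfying all conditions (implicit and)."""
    return [e["id"] for e in EVENTS if all(matches(e, *c) for c in conditions)]

if __name__ == "__main__":
    print(search(("statuscode", "!=", "200")))   # also returns events lacking the field
    print(search(("statuscode", "=", "*"), ("statuscode", "!=", "200")))  # field must exist
    print(search(("statuscode", "!=", "*")))     # events without a statuscode field
    print(search(("200", "=", "statuscode")))    # looks for a field named 200
    print(search(("statuscode", ">=", "400")))
```

In a detection or triage filter, a bare `statuscode != 200` therefore also returns events from sources that never set the field; adding `statuscode = *` restricts the result to events that carry it.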

Tag Filters

Tag filters are a special kind of field filter. They behave in the same way as regular Query Filters.

In queries, the tag filters are usually separated from the rest of the query by a pipe character | (see Multi-line Queries). We recommend that you include the pipe character before tag filters to improve the readability of your queries.

However, these pipe characters are not mandatory. The LogScale query engine can recognize tag filters, and use this information to narrow down the number of data sources to search. This feature decreases query time.

See the Event Tags documentation for more on tags.

Logical Operators

You can combine filters using the Boolean operators and, or and not, and group them with parentheses. The ! operator can also be used as an alternative to unary not.

Examples

| Query | Description |
|---|---|
| foo and user=bar | Match events with foo in any field and a user field matching bar. |
| foo bar | Since the and operator is implicit, you do not need to include it in this simple type of query. |
| statuscode=404 and (method=GET or method=POST) | Match events with 404 in their statuscode field, and either GET or POST in their method field. |
| foo not bar | This query is equivalent to the query foo and (not bar). |
| !bar | This query is equivalent to the query not bar. |
| not foo bar | This query is equivalent to the query (not foo) and bar. This is because the not operator has a higher priority than and and or. |
| foo and not bar or baz | This query is equivalent to the query foo and ((not bar) or baz). This is because LogScale has a defined order of precedence for operators. It evaluates operators from the left to the right. |
| foo or not bar and baz | This query is equivalent to the query foo or ((not bar) and baz). This is because LogScale has a defined order of precedence for operators. It evaluates operators from the left to the right. |
| foo not statuscode=200 | This query is equivalent to the query foo and statuscode!=200. |

Negating the Result of Filter Functions

The not and ! operators can also be used to negate filter function expressions, which is syntactically cleaner than passing an explicit negate=true argument. For example:

```logscale
...
| !cidr(ip, subnet="127.0.0.0/16")
| ...
```

```logscale
...
| !in(field, values=[a, b, c])
| ...
```

```logscale
...
| !regex("xxx")
| ...
```