index
Boolean expressions
Search Anywhere Framework Languqage (SAFL) supports the boolean logical operators AND, OR and NOT.
| operator | **** |
|---|---|
AND | The result of x AND y is true if both x and y evaluate to true. |
OR | The result of x OR y is true if either x or y evaluates to true. Otherwise, the result is false. |
NOT | The NOT operator computes logical negation of its operand. That is, it produces true, if the operand evaluates to false, and false, if the operand evaluates to true. |
In SAFL searching using the AND and OR operators is usually more efficient than searching with Not. Because Not search looks at all events to further exclude them.
Execution order
In SAF, the order in which Boolean expressions are executed depends on whether the expression is used with a search command or a where command.
Order of execution of Boolean expressions:
| Order | search command | where command |
|---|---|---|
| 1 | Expressions in parentheses "()" | Expressions in parentheses "()" |
| 2 | operator NOT | operator NOT |
| 3 | operator AND | operator OR |
| 4 | operator OR | operator AND |
Examples of Boolean expression execution
Operator order in search and where commands
For the search command without using parentheses, the order of processing logical expressions is:
source wineventlog-*
| search event.code="4768" AND event.outcome="success" OR event.action="logged-in"
| table event.code, event.outcome, event.action
Processing order (use the table above):
(3)event.code="4768" AND (3) event.outcome="success" OR (4) event.action="logged-in"
For the where command without using parentheses, the order of processing logical expressions is:
source wineventlog-*
| where event.code=="4768" AND event.outcome=="success" OR event.action=="logged-in"
| table event.code, event.outcome, event.action
Processing order (use the table above):
(4)event.code=="4768" AND (3) event.outcome=="success" OR (3) event.action=="logged-in"
Using the NOT operator and parenthetical expressions
In the example, we are looking for all events that:
- hostname = "JM-PCA-008" and event code is not equal to "4625"
- OR events code = "4624"
source wineventlog-*
| search host.name.keyword="JM-PCA-008" AND NOT event.code="4625" OR event.code="4624"
| table event.code, event.action, event.outcome, host.name
