Comparison Operators
SAF extracts key-value pairs when processing data and stores them as event fields. Some fields are present in all events, others are not. Using fields in search queries allows you to more accurately find the events you need. For example, if you want to find logout events in Windows logs, instead of looking for "event logged-out 4647" values, you would use fields for a more specific query:
event.code=4647
Using Comparison Operators to Find Values
Comparison operators allow you to search for events where field values match a condition. Exact matches or ranges of values are used.
| Оператор | Пример | Результат |
|---|---|---|
= | field=value | The value of the field field is equal to the value of value. |
!= | field!=value | The value of the field field is not equal to the value of value. |
< | field<value | The numeric value of the field field is less than the numeric value of value. |
> | field>value | The numeric value of the field field is greater than the numeric value of value. |
<= | field=value | The numeric value of the field field is less than or equal to the numeric value value. |
>= | field=value | The numeric value of the field field is greater than or equal to the numeric value value. |
For example, to find events whose count field is greater than 10:
count > 10
Using quotes
When searching for values that may contain special characters, you must enclose them in double quotes ("").
Examples of special characters include spaces, commas, pipes, square brackets, and comparison symbols. To search for keywords like AND, OR and NOT you should also use double quotes.
iso="AND"
country="IN"