Version: 3.2

Boolean Expressions

Smart Monitor Languqage (SML) supports the boolean logical operators AND, OR and NOT.

operator	Purpose
`AND`	Combining multiple search conditions
`OR`	Linking multiple search conditions
`NOT`	Inverting search

tip

In Smart Monitor, a direct search is typically more efficient than a negated search. The reason is that a negated search must scan all events to subsequently exclude them.

Execution order

In Smart Monitor, the order in which Boolean expressions are executed depends on whether the expression is used with a search command or a where command.

Order of execution of Boolean expressions:

Order	search command	where command
1	Expressions in parentheses "()"	Expressions in parentheses "()"
2	operator `NOT`	operator `NOT`
3	operator `AND`	operator `OR`
4	operator `OR`	operator `AND`

Examples

The following examples show how SML processes logical expressions.

Operator order in search and where commands

For the search command without using parentheses, the order of processing logical expressions is:

Search query:

source winlog_auth
| search event.code="4768" AND event.outcome="success" OR event.action="logged-in"
| table event.code, event.outcome, event.action

The order of processing according to the table:

(3) event.code="4768" AND (3) event.outcome="success" OR (4) event.action="logged-in"

Boolean expression example search

For the where command without using parentheses, the order of processing logical expressions is:

Search query:

source winlog_auth
| where event.code=="4768" AND event.outcome=="success" OR event.action=="logged-in"
| table event.code, event.outcome, event.action

The order of processing according to the table:

(4) event.code="4768" AND (3) event.outcome="success" OR (3) event.action="logged-in"

Boolean expression example where

Using the NOT operator and parenthetical expressions

source winlog_auth
| search host.name="mail" AND NOT event.code="4625" OR event.code="4624"
| table event.code, event.action, event.outcome

Example

In this query:

we include in the results all events where the host name equals mail and the code is not equal to 4625
or we select events with code 4624

And this one too: If we group the expressions connected by OR in parentheses, the following result will be obtained:

source winlog_auth
| search host.name="mail" AND NOT (event.code="4625" OR event.code="4624")
| table event.code, event.action, event.outcome

Boolean expression example not

Execution order​

Examples​

Operator order in search and where commands​

Using the NOT operator and parenthetical expressions​

Execution order

Examples

Operator order in search and where commands

Using the NOT operator and parenthetical expressions