Comparison Operators
Smart Monitor extracts key-value pairs when processing data and stores them as event fields. Some fields are present in every event, others only in some. Using fields in search queries lets you find the events you need more precisely. For example, to find logout events in Windows logs, instead of searching for the values "logged-out" or "4647" anywhere in the event text, use the field for a more specific query:
event.code=4647
Using Comparison Operators to Find Values
Comparison operators allow you to search for events whose field values satisfy a condition: either an exact match or a range of values.
| Operator | Example | Result |
|---|---|---|
| = | field=value | The value of field is equal to value. |
| != | field!=value | The value of field is not equal to value. |
| < | field<value | The numeric value of field is less than the numeric value of value. |
| > | field>value | The numeric value of field is greater than the numeric value of value. |
| <= | field<=value | The numeric value of field is less than or equal to the numeric value of value. |
| >= | field>=value | The numeric value of field is greater than or equal to the numeric value of value. |
For example, to find events whose count field is greater than 10:
count > 10
Using Quotation Marks
When searching for values that may contain special characters, enclose them in double quotation marks (").
Examples of special characters include spaces, commas, pipe symbols (|), square brackets, and the comparison operators themselves. Double quotes are also required when the value you search for is itself a keyword such as AND, OR, or NOT.
Using quotes
When searching for data in Smart Monitor, some field values may coincide with operators and keywords of the Smart Monitor Language (SML) query language, such as AS, AND, IN, and OR. For example:
- country="IN" to find the country India
- app="AS" to find the application with the abbreviation "Autonomous System"
- iso="AND" to find the country code Andorra
- metric="OR" to find the metric with the abbreviation "Owner's Risk"
To search by the field value rather than have it interpreted as an operator or keyword, enclose that value in double quotes ("):
country="IN"
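The behaviour described in the comparison-operator table and in the quoting rules above, as an added, self-contained example that is not part of Smart Monitor or its SML implementation: a small Python evaluator for single `field OP value` expressions over a handful of constructed events. The sample events, the field names beyond those on the page, the keyword list, and the rule that a bare (unquoted) value equal to a keyword is rejected are assumptions made for illustration; the real SML parser may behave differently.

```python
import re

# Constructed sample events (not real log data). Field names mirror the
# page's examples; note that "iso" is present in only one event.
EVENTS = [
    {"event.code": 4647, "host": "ws01", "count": 12, "country": "IN"},
    {"event.code": 4624, "host": "ws02", "count": 3, "country": "US"},
    {"event.code": 4647, "host": "ws03", "count": 7, "country": "AD", "iso": "AND"},
]

# Assumed keyword set, taken from the words the page lists as colliding values.
KEYWORDS = {"AND", "OR", "NOT", "IN", "AS"}

# Hypothetical grammar modelled on the page's table: field OP value, where
# OP is one of = != < > <= >= and value is either bare or double-quoted.
# Longer operators come first in the alternation so "<=" is not read as "<".
EXPR = re.compile(r'^\s*([\w.]+)\s*(<=|>=|!=|=|<|>)\s*(?:"([^"]*)"|(\S+))\s*$')


def parse(expr):
    """Split one comparison into (field, operator, value).

    A quoted value is taken literally, whatever it contains. A bare value
    that coincides with a keyword is rejected, which is the situation the
    page says double quotes are there to resolve.
    """
    m = EXPR.match(expr)
    if not m:
        raise ValueError(f"not a field comparison: {expr!r}")
    field, op, quoted, bare = m.groups()
    if quoted is not None:
        return field, op, quoted
    if bare in KEYWORDS:
        raise ValueError(
            f"bare value {bare!r} collides with an SML keyword; write {field}{op}\"{bare}\""
        )
    return field, op, bare


def compare(actual, op, value):
    """Apply one operator. Ordering operators are numeric, as the page states;
    = and != fall back to string comparison when either side is not a number."""
    try:
        a, b = float(actual), float(value)
    except (TypeError, ValueError):
        if op == "=":
            return str(actual) == value
        if op == "!=":
            return str(actual) != value
        return False  # no numeric ordering for non-numeric operands
    return {
        "=": a == b,
        "!=": a != b,
        "<": a < b,
        ">": a > b,
        "<=": a <= b,
        ">=": a >= b,
    }[op]


def search(events, expr):
    """Return the events matching a single comparison expression.

    Events that lack the field are skipped entirely (even for !=), reflecting
    the page's note that not every field is present in every event.
    """
    field, op, value = parse(expr)
    return [ev for ev in events if field in ev and compare(ev[field], op, value)]


if __name__ == "__main__":
    for q in ("event.code=4647", "count > 10", 'country="IN"', 'iso="AND"'):
        print(q, "->", [ev["host"] for ev in search(EVENTS, q)])
    try:
        search(EVENTS, "country=IN")
    except ValueError as err:
        print("rejected:", err)
```

Run it as a script to see each page example evaluated against the sample events; the final query shows why `country=IN` without quotes is ambiguous and what the quoted form fixes.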