Version: 5.3

Boolean Expressions

Smart Monitor Languqage (SML) supports the boolean logical operators AND, OR and NOT.

operator	Purpose
`AND`	Combining multiple search conditions
`OR`	Linking multiple search conditions
`NOT`	Inverting search

tip

In SML searching using the AND and OR operators is usually more efficient than searching with Not. Because Not search looks at all events to further exclude them.

Execution order

In SM, the order in which Boolean expressions are executed depends on whether the expression is used with a search command or a where command.

Order of execution of Boolean expressions:

Order	search command	where command
1	Expressions in parentheses "()"	Expressions in parentheses "()"
2	operator `NOT`	operator `NOT`
3	operator `AND`	operator `OR`
4	operator `OR`	operator `AND`

Examples

The following examples show how SML processes logical expressions.

Operator order in search and where commands

For the search command without using parentheses, the order of processing logical expressions is:

Search query
source winlog_auth*
| search event.code="4768" AND event.outcome="success" OR event.action="logged-in"
| table event.code, event.outcome, event.action

The order of processing according to the table
(3) event.code="4768" AND (3) event.outcome="success" OR (4) event.action="logged-in"

Boolean expression example search

For the where command without using parentheses, the order of processing logical expressions is:

Search query
source winlog_auth*
| where event.code=="4768" AND event.outcome=="success" OR event.action=="logged-in"
| table event.code, event.outcome, event.action

The order of processing according to the table
(4) event.code="4768" AND (3) event.outcome="success" OR (3) event.action="logged-in"

Boolean expression example where

Using the NOT operator and parenthetical expressions

Search query
source winlog_auth*
| search host.name="mail" AND NOT event.code="4625" OR event.code="4624"
| table event.code, event.action, event.outcome

Example

In this query:

we include in the results all events where the host name equals mail and the code is not equal to 4625
or we select events with code 4624

And this one too: If we group the expressions connected by OR in parentheses, the following result will be obtained:

Example
source winlog_auth*
| search host.name="mail" AND NOT (event.code="4625" OR event.code="4624")
| table event.code, event.action, event.outcome

Boolean expression example not

Execution order​

Examples​

Operator order in search and where commands​

Using the NOT operator and parenthetical expressions​

Execution order

Examples

Operator order in search and where commands

Using the NOT operator and parenthetical expressions