AQL logical and comparison operators
Operators are used in AQL statements to determine any equality or difference between values. When you use operators in the WHERE clause of an AQL statement, the results are filtered to those that match the conditions in the WHERE clause.
The following table lists the supported logical and comparison operators.
Operator | Description | Example |
---|---|---|
`*` | Multiplies two values and returns the result. | |
`=` | The equal to operator compares two values and returns true if they are equal. | |
`!=` | Compares two values and returns true if they are unequal. | |
`<` and `<=` | Compares two values and returns true if the value on the left side is less than, or less than or equal to, the value on the right side. | |
`>` and `>=` | Compares two values and returns true if the value on the left side is greater than, or greater than or equal to, the value on the right side. | |
`/` | Divides two values and returns the result. | |
`+` | Adds two values and returns the result. | |
`-` | Subtracts one value from another and returns the result. | |
`^` | Takes a value and raises it to the specified power and returns the result. | |
`%` | Takes the modulo of a value and returns the result. | |
`AND` | Takes the left side and right side of a statement and returns true if both are true. | |
`BETWEEN (X,Y)` | Takes in a left side and two values and returns true if the left side is between the two values. | |
`COLLATE` | Parameter of the ORDER BY clause that accepts a BCP47 language tag for collation. | |
`IN` | Specifies multiple values in a WHERE clause. The IN operator is a shorthand for multiple OR conditions. | |
`INTO` | Creates a named cursor that contains results that can be queried at a different time. | |
`NOT` | Takes in a statement and returns true if the statement evaluates as false. | |
`ILIKE` | Matches if the string passed is LIKE the passed value and is not case sensitive. Use % as a wildcard. | |
`IMATCHES` | Matches if the string matches the provided regular expression and is not case sensitive. | |
`LIMIT` | Limits the number of results to the provided number. | Note: Place the LIMIT clause in front of a START and STOP clause. |
`LIKE` | Matches if the string passed is LIKE the passed value but is case sensitive. Use % as a wildcard. | |
`MATCHES` | Matches if the string matches the provided regular expression. | |
`NOT NULL` | Takes in a value and returns true if the value is not null. | |
`OR` | Takes the left side of a statement and the right side of a statement and returns true if either side is true. | |
`TEXT SEARCH` | Full-text search for the passed value. TEXT SEARCH is valid with Place TEXT SEARCH in the first position of the WHERE clause. You can also do full-text searches by using the Quick filter in the QRadar® user interface. For information about Quick filter functions, see the IBM® QRadar User Guide. | |

Examples of logical and comparative operators
- To find events that are not parsed, type the following query:
SELECT * FROM events WHERE payload = 'false'
- To find events that return an offense and have a specific source IP address, type the following query:
SELECT * FROM events WHERE sourceIP = '192.0.2.0' AND hasOffense = 'true'
- To find events that include the text "firewall", type the following query:
SELECT QIDNAME(qid) AS EventName, * FROM events WHERE TEXT SEARCH 'firewall'
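
The following queries are an added example, not part of the original page. They combine several operators from the table in event-triage searches. The `username`, `destinationIP` and `destinationport` fields are assumed to be available on the events table, and the addresses, the `svc_` account pattern and the time window are constructed sample values. The `--` lines are annotations; run each query separately without them.

```sql
-- 1. ILIKE instead of LIKE: LIKE '%admin%' would skip 'Admin' and 'ADMIN'.
--    ILIKE matches every casing, so the search does not depend on how the
--    log source wrote the account name.
SELECT sourceIP, username, QIDNAME(qid) AS EventName
FROM events
WHERE username ILIKE '%admin%'
  AND hasOffense = 'true'
LIMIT 100
START '2024-01-15 08:00' STOP '2024-01-15 09:00'

-- 2. IN as shorthand for OR: the next two queries apply the same filter.
--    The parentheses keep the OR group separate from the AND condition.
SELECT sourceIP, destinationIP, username
FROM events
WHERE (sourceIP = '192.0.2.10' OR sourceIP = '192.0.2.11')
  AND hasOffense = 'true'
LIMIT 100
START '2024-01-15 08:00' STOP '2024-01-15 09:00'

SELECT sourceIP, destinationIP, username
FROM events
WHERE sourceIP IN ('192.0.2.10', '192.0.2.11')
  AND hasOffense = 'true'
LIMIT 100
START '2024-01-15 08:00' STOP '2024-01-15 09:00'

-- 3. IMATCHES, NOT and a comparison operator together: case-insensitive
--    regular expression on the account name, one known host excluded,
--    and only destination ports at or above 1024.
SELECT sourceIP, destinationport, username
FROM events
WHERE username IMATCHES '^svc_.*'
  AND NOT (sourceIP = '192.0.2.10')
  AND destinationport >= 1024
LIMIT 50
START '2024-01-15 08:00' STOP '2024-01-15 09:00'

-- 4. TEXT SEARCH in the first position of the WHERE clause, with LIMIT
--    placed in front of START and STOP as the note in the table requires.
SELECT QIDNAME(qid) AS EventName, sourceIP, username
FROM events
WHERE TEXT SEARCH 'firewall'
LIMIT 20
START '2024-01-15 08:00' STOP '2024-01-15 09:00'
```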