Expressions
<expression> | ::= | <term1> [ OR <expression> ] |
<term1> | ::= | <term2> [ AND <term1> ] |
<term2> | ::= |
<field_expr> <rel_op> <field_expr> <field_expr> [ NOT ] LIKE <like_mask> <field_expr> [ NOT ] BETWEEN <field_expr> AND <field_expr> <field_expr> IS [ NOT ] NULL <field_expr> [ NOT ] IN ( <value_rows> ) <field_expr> <rel_op> [ ALL | ANY ] ( <value_rows> ) ( <field_expr_list> ) [ NOT ] IN ( <value_rows> ) ( <field_expr_list> ) <rel_op> [ ALL | ANY ] ( <value_rows> ) NOT <term2> ( <expression> ) |
<field_expr_list> | ::= | <field_expr> [ , <field_expr> ... ] |
<rel_op> | ::= |
< > <> = <= >= |
<value_rows> | ::= | <value_row> [ ; <value_row> ... ] |
<value_row> | ::= | <value> [ , <value> ... ] |
An expression is used in the WHERE and HAVING clauses to specify conditions that must be satisfied for input records or group records to be output.
Operators:
<rel_op>
Standard comparison operators (less than, greather than, etc.).
[ NOT ] LIKE
Indicates that the subsequent character string is to be used with pattern matching. For more information, see LIKE.
[ NOT ] BETWEEN
Specifies an inclusive range of values. Use AND to separate the beginning and ending values. For more information, see BETWEEN.
IS [ NOT ] NULL
The IS NULL and IS NOT NULL operators determine whether or not a given field-expression is NULL.
[ NOT ] IN
The IN and NOT IN operators determine whether or not a given field-expression or list of field-expressions matches any element in a list of values. For more information, see IN.
ALL
Used with a comparison operator and a list of values. Returns TRUE if all values in the list satisfy the comparison operation, or FALSE if not all values satisfy the comparison. If no ALL nor ANY is specified, then ANY is assumed by default. For more information, see ALL.
ANY
Used with a comparison operator and a list of values. Returns TRUE if any value in the list satisfies the comparison operation, or FALSE if no values satisfy the comparison. If no ALL nor ANY is specified, then ANY is assumed by default. For more information, see ANY.
Remarks:
- The expression in a WHERE clause can not reference SQL (aggregate) functions. To specify conditions on values of aggregate functions, use the HAVING clause.
- There is no limit to the number of operators that can be included in an expression.
- The order of precedence for the logical operators is NOT (highest), followed by AND, followed by OR. The order of evaluation at the same precedence level is from left to right. Parentheses can be used to override this order in an expression.
Examples:
A. Simple expression
sc-bytes >= 1000B. Complex expression
EXTRACT_TOKEN(Strings, 1, '|') LIKE '%logon&' AND ( TimeGenerated > SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP( '10', 'mm' ) ) OR SID IS NOT NULL )
See also:
ALLANY
BETWEEN
IN
LIKE
Constant Values
Field Expressions
HAVING
WHERE