More Operators can be found
here
| Boolean Operators | Example | Result |
|---|
| AND | Mac AND Client | Will output any result with both 'Mac' and 'Client' |
| OR | Mac OR Client | Will output any result with 'Mac' or 'Client' |
| NOT | vpn NOT ssl | Will output any 'vpn' result that does not contain 'ssl' |
| NEAR:n | ssl NEAR:2 vpn | Will output any results where ssl and vpn are no more then 2 terms apart. |
| Date/Time Operators | Example | Result |
|---|
| now | @date<=now-12h | Finds items created or modified at least 12 hours ago. |
| today | @date=today | Finds items created or modified today. |
| yesterday | @date=yesterday | Finds items created or modified yesterday |
| Comparison Operators | Example | Result |
|---|
| = Contains | @title=ipsec | Finds items containing ipsec in their titles |
| == Is Exactly | @title=="ipsec" | Finds items containing ipsec in their titles |
| <> Excludes | @title<>"ipsec" | Finds items that do not contain ipsec in their titles |
| < Smaller Than | @date<today | Finds items created or modified before today. |
| > Greater Than | @date>yesterday | Finds items created or modified today |
| <= Smaller Than or Equal to | @date<=yesterday | Finds items created or modified before today |
| >= Greater Than or Equal to | @date>=yesterday | Finds items modified or created yesterday or today |
| Mathematical Operators | Example | Result |
|---|
| .. Value Range | @date=(2023/01/01..2023/01/31) | Finds items modified between Jan 1 2023 and Jan 31 2023 |
| + Plus | @date<yesterday+1d | Finds items that were created or modified yesterday or today. |
| - Minus | @date=yesterday-1mo | Finds items that were created or modified during one day exactly one month ago. |
| Wildcard Operators | Example | Result |
|---|
| - (Minus, Hyphen, or Dash Character) | report -technical | Finds items that contain report but don’t contain technical. |
| @field=( , ) (Parentheses and Comma With Field Queries) | @title=("one exact phrase","another exacter phrase") | Finds items that contain "one exact phrase" or "another exact phrase" |
| $ (Dollar Character) | report $sort(criteria: 'datedescending') | Finds items that contain report, and sorts them by date in descending order. |
| ( ) (Parentheses Grouping With Operators) | Liz (project NEAR:5 presentation) | Finds items containing the three keywords but where keywords project and presentation are no more than five terms apart. |