Predicate expressions

A predicate is an expression that consists of operators or keywords that specify a relationship between two expressions. A predicate expression, when evaluated, returns either TRUE or FALSE.

Think of a predicate expression as an equation. The result of that equation is a Boolean.

You can use predicate expressions in the search and where commands. See the search and where commands in the Search Reference.

Filtering with predicates

Predicates are often used to filter data or specify a condition to reduce the number of search results.

The following predicate expression uses the in function to filter the results in the status field.

Types of predicate operators

The following table describes the types of predicate operators that you can use in expressions:

Predicate operator type: Relational operators
Description: Relational operators use symbols to check for equality, inequality, or relative order between two expressions. Examples of relational operators are equal to ( = ) and is greater than ( > ).
Examples:
  clientip = "192.0.2.0"
  count > 15

Predicate operator type: Logical operators
Description: An operator that combines two predicate expressions into a single Boolean result. The supported logical operators are: AND, OR, NOT, and XOR.
Examples:
  A=1 AND ( B=2 OR C=3 )
  error NOT (403 OR 404)

Predicate operator type: Conditional and pattern-matching operators
Description: A predicate expression that uses a keyword operator to test for a condition or match a pattern. The IN operator, described later on this page, is an example.
Examples:
  status IN (401, 403, 404)

Predicate operator type: Boolean functions
Description: A function that returns a Boolean. Evaluation functions, such as in, isnum, like, and match, are examples of functions that return TRUE or FALSE. See Evaluation functions in the Search Reference.
Examples:
  ... | where status in("400", "401", "403", "404")
  isnotnull(client_ip)
  ... | where like(ipaddress, "198.%")

Relational operators

The relational operators are symbols that compare one expression with another expression. Relational operators evaluate whether the expressions are equal to, not equal to, greater than, or less than one another.

The supported operators are:

  • equals ( = ) or ( == )
  • does not equal ( != )
  • is greater than ( > )
  • is greater than or equal to ( >= )
  • is less than ( < )
  • is less than or equal to ( <= )

Logical operators

The logical operators combine two predicate expressions into a single Boolean result. Whether the combined expression is TRUE depends on the operator and on whether each of the two expressions is TRUE.

Syntax

The syntax for using logical operators is:

<expression> <logical-operator> <expression>

The supported operators are described in the following table:

Operator  Description
AND       Both expressions must evaluate to TRUE.
          In the search command, the AND operator is implied between terms: web error is the same as web AND error. Unless you want to include it for clarity, you do not need to specify the AND operator in a search. In the eval and where commands, you must write AND explicitly.
OR        At least one of the expressions must evaluate to TRUE.
NOT       Negates the expression that follows it: the combined expression is TRUE only when that expression evaluates to FALSE.
          The NOT operator applies only to the term immediately following NOT. To apply it to multiple terms, you must enclose the terms in parentheses.
XOR       An exclusive OR. Exactly one of the two expressions must evaluate to TRUE.

Note: Inclusion is generally better than exclusion. Searching for "access denied" will yield faster results than NOT "access granted".

Order of evaluation

The order in which the Splunk software evaluates predicate expressions depends on whether you are using the expression in the eval command, the where command, or the search command.

The following table describes the order in which the logical expressions are evaluated.

Order  Search command                                      Eval or where commands
1      Expressions inside parentheses                      Expressions inside parentheses
2      NOT operators                                       NOT operators
3      OR operators                                        AND operators
4      AND operators                                       OR operators
5      The search command does not support the XOR operator.  XOR operators

Examples

The following examples show how Splunk software processes Boolean expressions.

Consider the following search:

This is the same as specifying A=1 B=2 OR C=3

When you specify values without parentheses, this search is processed as:

To force the search to process the values in a specific order, use parentheses:

Here is another example:

Without parentheses, this search is processed as:

  • Search for any event that contains the string "error" and does not contain the keyword 403
  • Search for any event that contains the string "error" and the keyword 404

You can use parentheses to group Boolean expressions. For example:

You can use time modifiers in the expressions with logical operators:

...WHERE earliest=-5m@m AND latest=@m

For more information about using time modifiers, see Time modifiers in the Search Reference.
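The two precedence tables above are easy to misread, and a detection search written without parentheses can match a different set of events than the author intended. The following Python program is an added example, not Splunk code: it is a small recursive-descent parser whose binary-operator order is configurable to either the search-command order (NOT, then OR, then AND, with AND implied between adjacent terms and XOR unsupported) or the eval/where order (NOT, then AND, then OR, then XOR), and it evaluates the same unparenthesised expression both ways against a handful of constructed events. Atoms are simplified to field=value comparisons and bare keywords matched against a _raw string; the event fields A, B, C and the "error 403" style raw text mirror the page's own examples and are not real log data.

```python
import re

# Operator levels from loosest to tightest binding, as the documentation
# lists them: search evaluates NOT, then OR, then AND; eval and where
# evaluate NOT, then AND, then OR, then XOR.
PRECEDENCE = {"search": ["AND", "OR"], "eval": ["XOR", "OR", "AND"]}

# Tokens: parentheses, double-quoted strings, or runs of non-space characters.
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')


def atom_matches(token, event):
    """field=value compares a field; any other term is a keyword in _raw."""
    if "=" in token:
        field, value = token.split("=", 1)
        return str(event.get(field)) == value.strip('"')
    return token.strip('"') in event.get("_raw", "")


class Parser:
    def __init__(self, text, mode):
        self.tokens = TOKEN.findall(text)
        self.pos = 0
        self.mode = mode
        self.levels = PRECEDENCE[mode]

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        self.pos += 1
        return self.tokens[self.pos - 1]

    def parse(self):
        tree = self.level(0)
        if self.peek() is not None:
            raise SyntaxError("unexpected token %r" % self.peek())
        return tree

    def level(self, i):
        """Parse binary operators at precedence level i (0 = loosest binding)."""
        if i == len(self.levels):
            return self.unary()
        op = self.levels[i]
        left = self.level(i + 1)
        while True:
            nxt = self.peek()
            if nxt is not None and nxt.upper() == op:
                self.take()
            elif (op == "AND" and self.mode == "search" and nxt not in (None, ")")
                  and nxt.upper() not in ("OR", "XOR")):
                pass  # search command: AND is implied between adjacent terms
            else:
                return left
            left = (op, left, self.level(i + 1))

    def unary(self):
        tok = self.take()
        if tok.upper() == "NOT":  # NOT applies only to the term that follows
            return ("NOT", self.unary())
        if tok == "(":
            inner = self.level(0)
            if self.take() != ")":
                raise SyntaxError("missing closing parenthesis")
            return inner
        return ("ATOM", tok)


def evaluate(tree, event):
    kind = tree[0]
    if kind == "ATOM":
        return atom_matches(tree[1], event)
    if kind == "NOT":
        return not evaluate(tree[1], event)
    left, right = evaluate(tree[1], event), evaluate(tree[2], event)
    return {"AND": left and right, "OR": left or right, "XOR": left != right}[kind]


def matching_events(expression, events, mode):
    """Indexes of the events that satisfy expression under the given mode."""
    tree = Parser(expression, mode).parse()
    return [i for i, ev in enumerate(events) if evaluate(tree, ev)]


# Constructed sample events; not real log data.
EVENTS = [
    {"A": 1, "B": 2, "C": 0, "_raw": "error 403"},
    {"A": 1, "B": 0, "C": 3, "_raw": "error 404"},
    {"A": 0, "B": 0, "C": 3, "_raw": "ok 200"},
    {"A": 0, "B": 2, "C": 0, "_raw": "error 500"},
]

if __name__ == "__main__":
    expr = "A=1 AND B=2 OR C=3"
    print("search:", matching_events(expr, EVENTS, "search"))  # A=1 AND (B=2 OR C=3)
    print("eval:  ", matching_events(expr, EVENTS, "eval"))    # (A=1 AND B=2) OR C=3
    print("search:", matching_events("error NOT 403 OR 404", EVENTS, "search"))
    print("search:", matching_events("error NOT (403 OR 404)", EVENTS, "search"))
```

Under the search-command order, A=1 AND B=2 OR C=3 matches only events where A=1, because OR binds tighter and the expression is read as A=1 AND (B=2 OR C=3); under the eval/where order the same text is read as (A=1 AND B=2) OR C=3 and also matches the event where only C=3 holds. Passing an expression containing XOR in search mode raises a SyntaxError, mirroring the table's note that the search command does not support XOR. The parser deliberately mirrors the documented rule that NOT applies only to the term that follows it, so error NOT 403 OR 404 and error NOT (403 OR 404) yield different results.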

IN operator

The IN operator returns TRUE when the value of the field matches any of the items in the <expression-list>. The items in the <expression-list> must be a comma-separated list.

The in function is similar to the IN operator. See Comparison and conditional functions in the SPL2 Search Reference.

Syntax

The syntax for the IN operator is:

<field-expression> IN (<expression-list>)

You can also use the NOT operator with the IN operator. The syntax is:

<field-expression> NOT IN (<expression-list> )

Examples

code IN(10, 29)
status IN("400", "401", "403", "404")
status NOT IN("200", "202", "204")
| search status IN (401, 403)
