The Cribl Operator
Let's take a look at what will no doubt become the lightsaber to a data jedi such as yourself: the cribl operator. Padawan, if you recall from our previous lesson in understanding The Force (the Cribl Search Overview), the cribl operator retrieves and filters events from datasets. It is implicit, so it does not need to be specified in the query.
Wildcards (*) represent zero or more characters and can be used in StringExpressions.
Syntax
[cribl] StringExpression ComparisonExpression [ BooleanOperator ] [ StringExpression | ComparisonExpression ]
Boolean Logic
The cribl operator leverages boolean logic.
The Boolean Operators are or, and, not (in that order of precedence).
Boolean Operators are used between ComparisonExpressions and / or StringExpressions.
If no Boolean Operator is provided, then and is implied.
Combining these expressions with parentheses and wildcards gives you the ability to filter the data any way you see fit.
Comparison Expressions
ComparisonExpressions compare numbers or strings and perform evaluations. Events for which the expression evaluates to true are returned as results. ComparisonExpressions follow the syntax:
field name (case sensitive) + comparison operator + value
Example:
dataSource="vpcflowlogs"
Comparison operators: =, ==, !=, !==, >, >=, <, <=
| Operator | Description | Examples Returning True |
|---|---|---|
| Equal `=` or `==` | Returns true if the operands are equal. | `3 == var1`, `"3" == var1`, `3 == '3'` |
| Not equal `!=` | Returns true if the operands are not equal. | `var1 != 4`, `var2 != "3"` |
| Strict not equal `!==` | Returns true if the operands are of the same type but not equal, or are of different types. | `var1 !== "3"`, `3 !== '3'` |
| Greater than `>` | Returns true if the left operand is greater than the right operand. | `var2 > var1`, `"12" > 2` |
| Greater than or equal `>=` | Returns true if the left operand is greater than or equal to the right operand. | `var2 >= var1`, `var1 >= 3` |
| Less than `<` | Returns true if the left operand is less than the right operand. | `var1 < var2`, `"2" < 12` |
| Less than or equal `<=` | Returns true if the left operand is less than or equal to the right operand. | `var1 <= var2`, `var2 <= 5` |
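To make the syntax, the precedence rules and the loose-versus-strict comparison semantics above concrete, here is an added toy evaluator for cribl-style filters (example code written for this page, not Cribl's own parser). It assumes a constructed set of events, that a bare StringExpression matches if any field value matches the glob, and that `=`/`==` coerce like JavaScript `==` while `!==` is strict.

```javascript
// Added example (not Cribl code): a toy evaluator for cribl-operator style filter strings.
const EVENTS = [ // constructed sample events standing in for a dataset
  { dataSource: "vpcflowlogs", action: "REJECT", bytes: 120,  srcaddr: "10.0.1.5" },
  { dataSource: "vpcflowlogs", action: "ACCEPT", bytes: 8000, srcaddr: "10.0.2.9" },
  { dataSource: "cloudtrail", eventName: "ConsoleLogin", bytes: 0, srcaddr: "203.0.113.7" },
];
// Comparison operators from the page: = and == coerce like JS ==, !== is strict (assumption).
const OPS = { "=": (a, b) => a == b, "==": (a, b) => a == b, "!=": (a, b) => a != b,
  "!==": (a, b) => a !== b, ">": (a, b) => a > b, ">=": (a, b) => a >= b,
  "<": (a, b) => a < b, "<=": (a, b) => a <= b };
// Tokens: parens, operators (longest first), quoted strings, bare words (which may contain *).
const tokenize = q => q.match(/\(|\)|!==|==|!=|>=|<=|=|>|<|"[^"]*"|'[^']*'|[^\s()=!<>]+/g) || [];
const unquote = t => (/^["']/.test(t) ? t.slice(1, -1) : t);
const literal = t => (/^["']/.test(t) || isNaN(Number(t)) ? unquote(t) : Number(t)); // bytes>1000 is numeric
const globToRegex = s => new RegExp("^" + s.split("*")
  .map(p => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join(".*") + "$");
// Recursive-descent parser: precedence not > and > or; two adjacent terms imply "and".
function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i], next = () => tokens[i++], kw = w => (peek() || "").toLowerCase() === w;
  function orExpr() {
    let l = andExpr();
    while (kw("or")) { next(); const r = andExpr(), a = l; l = e => a(e) || r(e); }
    return l;
  }
  function andExpr() {
    let l = notExpr();
    while (peek() !== undefined && peek() !== ")" && !kw("or")) {
      if (kw("and")) next();                               // explicit "and"; otherwise implied
      const r = notExpr(), a = l; l = e => a(e) && r(e);
    }
    return l;
  }
  function notExpr() { if (!kw("not")) return term(); next(); const inner = notExpr(); return e => !inner(e); }
  function term() {
    const t = next(); if (t === undefined) throw new Error("unexpected end of query");
    if (t === "(") { const inner = orExpr(); if (next() !== ")") throw new Error("missing )"); return inner; }
    if (Object.prototype.hasOwnProperty.call(OPS, peek())) { // ComparisonExpression: field op value
      const op = OPS[next()], v = literal(next());
      return e => op(e[t], v);                             // field name lookup is case-sensitive
    }
    const re = globToRegex(unquote(t));                    // StringExpression: glob over any field value
    return e => Object.values(e).some(v => re.test(String(v)));
  }
  const fn = orExpr(); if (i !== tokens.length) throw new Error("unexpected token " + tokens[i]); return fn;
}
// Apply a filter string to the events and return the matching ones.
const criblSearch = (query, events = EVENTS) => events.filter(parse(tokenize(query)));
```

Note how `action=ACCEPT or action=REJECT bytes<500` returns two events while `(action=ACCEPT or action=REJECT) bytes<500` returns one: the implied `and` binds tighter than `or`, so parentheses matter.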