Expressions
Expressions can be used to express how to compute a value in situations such as:
- in a condition
- in a grouping definition
- in field assignment
[ ( + | - ) ] <double> [ ( + | - ) ] <long> "<String>" { ( d | t | ts ) yyyy-MM-dd hh:mm:ss } True False Null <IPv4 address> <IPv6 address> <key identifier> $<identifier>(<expression>) ( <expression> ) <expression> * <expression> <expression> / <expression> <expression> % <expression> <expression> + <expression> <expression> - <expression> <expression> Is [ Not ] Null Exists <expression> <expression> [ Not ] Like <expression> <expression> [ Not ] [ Any | All ] Contains <expression> <expression> [ Not ] [ Any | All ] Regexp <expression> <expression> [ Any | All ] = <expression> <expression> [ Any | All ] != <expression> <expression> [ Any | All ] > <expression> <expression> [ Any | All ] >= <expression> <expression> [ Any | All ] <= <expression> <expression> [ Any | All ] < <expression> <expression> [ Any | All ] <> <expression> <expression> [ Any | All ] In ( <expression>, expression, … ) <expression> In <expression>/<expression> <expression> [ Any | All ] Between <expression> And <expression> Case <expression> ( When <expression> Then <expression ) + [ Else <expression> ] <function name> ( [ <expression> ] , [ <expression> ] , … ) <aggregation function>
The following operators are supported:
- Equals (=)
- Not equals (!=), (<>)
- Lower than (<)
- Lower or equal (<=)
- Greater than (>)
- Greater or equal (>=)
- In:
- Between <expression> And <expression>: Supports Timestamps, Long, Integers and Float
- AND, OR
Examples:
( sys_eventType = “1234”) and ( sys_body like “%login failed%”) ( sys_bodySize > 30) and (sys_bodySize < 20) ( ll_eventID is not null) and ( ll_eventID > -1 )
- Predefined ECL Functions
- Aggregation Functions
- Identifier Environment
Copyright © 2020. Cloud Software Group, Inc. All Rights Reserved.