Expressions

<expression> ::= <term1> [ OR <expression> ]
<term1> ::= <term2> [ AND <term1> ]
<term2> ::= <field_expr> <rel_op> <field_expr>
<field_expr> [ NOT ] LIKE <like_mask>
<field_expr> [ NOT ] BETWEEN <field_expr> AND <field_expr>
<field_expr> IS [ NOT ] NULL
<field_expr> [ NOT ] IN ( <value_rows> )
<field_expr> <rel_op> [ ALL | ANY ] ( <value_rows> )
( <field_expr_list> ) [ NOT ] IN ( <value_rows> )
( <field_expr_list> ) <rel_op> [ ALL | ANY ] ( <value_rows> )
NOT <term2>
( <expression> )
<field_expr_list> ::= <field_expr> [ , <field_expr> ... ]
<rel_op> ::= <
>
<>
=
<=
>=
<value_rows> ::= <value_row> [ ; <value_row> ... ]
<value_row> ::= <value> [ , <value> ... ]

An expression is used in the WHERE and HAVING clauses to specify conditions that must be satisfied for input records or group records to be output.


Operators:

<rel_op>

Standard comparison operators (less than, greather than, etc.).

[ NOT ] LIKE

Indicates that the subsequent character string is to be used with pattern matching. For more information, see LIKE.

[ NOT ] BETWEEN

Specifies an inclusive range of values. Use AND to separate the beginning and ending values. For more information, see BETWEEN.

IS [ NOT ] NULL

The IS NULL and IS NOT NULL operators determine whether or not a given field-expression is NULL.

[ NOT ] IN

The IN and NOT IN operators determine whether or not a given field-expression or list of field-expressions matches any element in a list of values. For more information, see IN.

ALL

Used with a comparison operator and a list of values. Returns TRUE if all values in the list satisfy the comparison operation, or FALSE if not all values satisfy the comparison. If no ALL nor ANY is specified, then ANY is assumed by default. For more information, see ALL.

ANY

Used with a comparison operator and a list of values. Returns TRUE if any value in the list satisfies the comparison operation, or FALSE if no values satisfy the comparison. If no ALL nor ANY is specified, then ANY is assumed by default. For more information, see ANY.

Remarks:


Examples:

A. Simple expression

sc-bytes >= 1000

B. Complex expression

EXTRACT_TOKEN(Strings, 1, '|') LIKE '%logon&' AND
(   TimeGenerated > SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP( '10', 'mm' ) )  OR
	SID IS NOT NULL
)

See also:

ALL
ANY
BETWEEN
IN
LIKE

Constant Values
Field Expressions
HAVING
WHERE

© 2004 Microsoft Corporation. All rights reserved.