<expression>       ::=  <term1> [ OR <expression> ]
<term1>            ::=  <term2> [ AND <term1> ]
<term2>            ::=  <field_expr> <rel_op> <field_expr>
                        <field_expr> [ NOT ] LIKE <like_mask>
                        <field_expr> [ NOT ] BETWEEN <field_expr> AND <field_expr>
                        <field_expr> IS [ NOT ] NULL
                        <field_expr> [ NOT ] IN ( <value_rows> )
                        <field_expr> <rel_op> [ ALL | ANY ] ( <value_rows> )
                        ( <field_expr_list> ) [ NOT ] IN ( <value_rows> )
                        ( <field_expr_list> ) <rel_op> [ ALL | ANY ] ( <value_rows> )
                        NOT <term2>
                        ( <expression> )
<field_expr_list>  ::=  <field_expr> [ , <field_expr> ... ]
<rel_op>           ::=  < > <> = <= >=
<value_rows>       ::=  <value_row> [ ; <value_row> ... ]
<value_row>        ::=  <value> [ , <value> ... ]
An expression is used in the WHERE and HAVING clauses to specify conditions that must be satisfied for input records or group records to be output.
<rel_op>
Standard comparison operators (less than, greater than, etc.).
[ NOT ] LIKE
Indicates that the subsequent character string is to be used with pattern matching. For more information, see LIKE.
[ NOT ] BETWEEN
Specifies an inclusive range of values. Use AND to separate the beginning and ending values. For more information, see BETWEEN.
IS [ NOT ] NULL
The IS NULL and IS NOT NULL operators determine whether or not a given field-expression is NULL.
[ NOT ] IN
The IN and NOT IN operators determine whether or not a given field-expression or list of field-expressions matches any element in a list of values. For more information, see IN.
ALL
Used with a comparison operator and a list of values. Returns TRUE if all values in the list satisfy the comparison operation, or FALSE if not all values satisfy the comparison. If neither ALL nor ANY is specified, then ANY is assumed by default. For more information, see ALL.
ANY
Used with a comparison operator and a list of values. Returns TRUE if any value in the list satisfies the comparison operation, or FALSE if no values satisfy the comparison. If neither ALL nor ANY is specified, then ANY is assumed by default. For more information, see ANY.
A. Simple expression
sc-bytes >= 1000
B. Complex expression
EXTRACT_TOKEN(Strings, 1, '|') LIKE '%logon&' AND ( TimeGenerated > SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP( '10', 'mm' ) ) OR SID IS NOT NULL )
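C. Added example (not part of the original Log Parser documentation): a query against the Security event log, EVT input format, that uses the multi-field IN form, a quantified comparison, NOT LIKE and a parenthesized OR, with comments tying each condition to the grammar above. The event IDs, the EventType value 16, the host names, the Strings token index and the threshold are constructed sample values.

```sql
-- Added example, not from the Log Parser documentation.
-- Event IDs, EventType 16, host names, the Strings token index and the
-- threshold of 5 are constructed sample values.
SELECT EXTRACT_TOKEN(Strings, 0, '|') AS Account,
       COUNT(*) AS Failures
FROM Security
WHERE
      -- ( <field_expr_list> ) IN ( <value_rows> )
      -- Values inside one row are separated by ',', rows by ';'.
      -- A record matches when its (EventID, EventType) pair equals a row.
      ( EventID, EventType ) IN ( 529, 16; 539, 16 )

      -- <field_expr> <rel_op> ALL ( <value_rows> )
      -- ALL is required here. With the default ANY, "<>" is TRUE as soon
      -- as the host differs from one listed value, which with two
      -- distinct values is always the case, so nothing would be excluded.
  AND ComputerName <> ALL ( 'LAB01'; 'LAB02' )

      -- <field_expr> NOT LIKE <like_mask>
      -- Drops account names that end in '$'.
  AND EXTRACT_TOKEN(Strings, 0, '|') NOT LIKE '%$'

      -- ( <expression> )
      -- AND chains are <term1> and OR joins <term1> operands, so AND
      -- binds tighter than OR. Without the parentheses, the trailing
      -- "OR TimeWritten > ..." would form a second branch of the whole
      -- WHERE clause and bypass the three filters above.
  AND ( TimeGenerated > SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP( '10', 'mm' ) )
        OR TimeWritten > SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP( '10', 'mm' ) ) )
GROUP BY Account
-- The same <expression> grammar applies to group records in HAVING.
HAVING COUNT(*) >= 5
ORDER BY Failures DESC
```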
© 2004 Microsoft Corporation. All rights reserved.