Query Builder Filter Operators

Supported operators for Panther's Query Builder

Supported Operators

| Operation | Usage guidelines | Supported field types | Examples |
|---|---|---|---|
| is / is not | Valid for a single value. Results include only events where the field matches / does not match the value in the filter. | string, number | username is "root" |
| is empty / is not empty | Valid for a string field that carries no data. The operator tests only for the absence of data (an empty value); use is null to test for a null value. | string | errors_list is empty |
| is in list / is not in list | Valid for multiple values. Results include only events where the field matches / does not match an entry in the list of values in the filter. | string | username is in ["root", "admin"] |
| has substring / does not have substring | Valid for a single value. Results include only events where the field contains / does not contain the value in the filter. | string | domain has substring ".google.com" |
| like / is not like | Valid for a single value. Results include only events where the field matches / does not match the pattern in the filter. Wildcards are supported in the pattern: an underscore (_) matches any single character, and a percent sign (%) matches any sequence of zero or more characters. | string | role like "admin_", role like "%admin%" |
| equals / does not equal | Valid for a single value. Results include only events where the field matches / does not match the value in the filter. | number | count = 100 |
| is greater than | Valid for a single value. Results include only events where the field is greater than the value in the filter. | number | port > 1023 |
| is less than | Valid for a single value. Results include only events where the field is less than the value in the filter. | number | port < 1024 |
| is greater than or equal to | Valid for a single value. Results include only events where the field is greater than or equal to the value in the filter. | number | count ≥ 1 |
| is less than or equal to | Valid for a single value. Results include only events where the field is less than or equal to the value in the filter. | number | count ≤ 100 |
| has / does not have | Valid for a single value tested against an array field. Results include only events where the array contains / does not contain the value as an element. | array | domain has "google.com", where domain is an array of values |
| is true / is false | Valid for a single boolean value. Results include only events where the boolean field is true / false. | boolean | success is true |
| is after | Valid for a single time value. Results include only events that occurred after the specified time. | time | timestamp is after 01/19/2023 2:48 PM UTC |
| is before | Valid for a single time value. Results include only events that occurred before the specified time. | time | timestamp is before 01/19/2023 2:48 PM UTC |
| is null / is not null | Valid for a field of any type. Results include only events where the field is null / is not null. | universal | errorCode is null |

Supported Field Types

| Field type | Description |
|---|---|
| string | A string value |
| number | A 32-bit integer or a 64-bit floating-point number |
| boolean | A boolean value, true / false |
| array | A JSON array in which every element is of the same type |
| time | A valid timestamp |