# Search Filter Operators

## Supported operators

<table data-full-width="false"><thead><tr><th width="164">Operator</th><th width="322">Usage guidelines</th><th width="148">Supported field types</th><th>Examples</th></tr></thead><tbody>
<tr><td>is / is not</td><td>Valid for a single value. Results include only events where the field matches/does not match the value in the filter.</td><td>string, number</td><td>username is "root"</td></tr>
<tr><td>is empty / is not empty</td><td>Valid for an event where the field's value is not specified. The operator tests only for the absence of data.</td><td>string</td><td>errors_list is empty</td></tr>
<tr><td>is in list / is not in list</td><td>Valid for multiple values. Results include only events where the field matches/does not match an entry in the list of values in the filter.</td><td>string</td><td>username is in [ "root", "admin" ]</td></tr>
<tr><td>has substring / does not have substring</td><td>Valid for a single value. Results include only events where the field contains/does not contain the value in the filter.</td><td>string</td><td>domain contains ".google.com"</td></tr>
<tr><td>like / is not like</td><td>Valid for a single value. Results include only events where the field matches the pattern specified in the filter.<br><br>Wildcards are supported in the pattern. An underscore (<code>_</code>) matches any single character. A percent sign (<code>%</code>) or asterisk (<code>*</code>) matches any sequence of zero or more characters.</td><td>string</td><td><p>role like "admin_"<br>role like "%admin%"</p><p>role like "admin*"</p></td></tr>
<tr><td>equals / does not equal</td><td>Valid for a single value. Results include only events where the field matches/does not match the value in the filter.</td><td>number</td><td>count = 100</td></tr>
<tr><td>is greater than</td><td>Valid for a single value. Results include only events where the field is greater than the value in the filter.</td><td>number</td><td>port &gt; 1023</td></tr>
<tr><td>is less than</td><td>Valid for a single value. Results include only events where the field is less than the value in the filter.</td><td>number</td><td>port &lt; 1024</td></tr>
<tr><td>is greater than or equal to</td><td>Valid for a single value. Results include only events where the field is greater than or equal to the value in the filter.</td><td>number</td><td>count ≥ 1</td></tr>
<tr><td>is less than or equal to</td><td>Valid for a single value. Results include only events where the field is less than or equal to the value in the filter.</td><td>number</td><td>count ≤ 100</td></tr>
<tr><td>has / does not have</td><td>Valid for events that contain a specific single value. Results include only events that contain/do not contain the value in the filter.</td><td>array</td><td>domain has "google.com"<br><br><em>where domain is an array of values</em></td></tr>
<tr><td>has any / does not have any</td><td>Valid for events that contain any one of an array of values. Results include only events that contain/do not contain any of the values in the array.</td><td>array</td><td>domain has any "google.com", "yahoo.com"<br><br><em>where domain is an array of values</em></td></tr>
<tr><td>is true / is false</td><td>Valid for a single boolean value. Results include events where the boolean field is true or false.</td><td>boolean</td><td>success is true</td></tr>
<tr><td>is after</td><td>Valid for a single time value. Results include events that occurred after the specified time value.</td><td>time</td><td>timestamp is after <code>01/19/2023 2:48 PM UTC</code></td></tr>
<tr><td>is before</td><td>Valid for a single time value. Results include events that occurred before the specified time value.</td><td>time</td><td>timestamp is before <code>01/19/2023 2:48 PM UTC</code></td></tr>
<tr><td>is null / is not null</td><td>Valid for an event where the field's value is null. The operator tests for a null value.</td><td>universal</td><td>errorCode is null</td></tr>
<tr><td>contains / does not contain</td><td>Valid for events that include objects that contain/do not contain fields with values that match the value in the filter. The provided key in the filter can be top level or can use dot notation to indicate a nested path.</td><td>object</td><td>actor contains username<br>actor.attributes does not contain Admin<br><br><em>where actor is a nested object</em></td></tr>
<tr><td>is within CIDR</td><td>Valid if a value is within a provided <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing">CIDR</a> range.</td><td>string</td><td>ip is within CIDR 10.2.3.0/24</td></tr>
</tbody></table>
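
The wildcard rules for `like`, together with `is within CIDR` and `has any`, are modeled below as an added illustration; this is not Panther's implementation. The function names and sample events are constructed, and whole-value, case-sensitive matching for `like` is an assumption.

```python
import ipaddress
import re

def like(value, pattern):
    """`like`: `_` is exactly one character, `%` or `*` is zero or more.
    Assumption: the pattern must cover the whole value, case-sensitively."""
    regex = "".join(
        "." if ch == "_" else ".*" if ch in "%*" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None

def within_cidr(value, cidr):
    """`is within CIDR`: the field is a string holding an IP address."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # the field is not an IP address, so it cannot match

def has_any(array, values):
    """`has any`: the array field holds at least one of the listed values."""
    return any(v in array for v in values)

# Constructed sample events, not real log data.
EVENTS = [
    {"role": "admin1", "ip": "10.2.3.77", "domain": ["google.com", "example.org"]},
    {"role": "admin", "ip": "10.2.4.1", "domain": ["yahoo.com"]},
    {"role": "sysadmin_ro", "ip": "not-an-ip", "domain": []},
]

def roles_where(predicate):
    """Return the role of every sample event the predicate accepts."""
    return [e["role"] for e in EVENTS if predicate(e)]

if __name__ == "__main__":
    print(roles_where(lambda e: like(e["role"], "admin_")))
    print(roles_where(lambda e: like(e["role"], "%admin%")))
    print(roles_where(lambda e: like(e["role"], "admin*")))
    print(roles_where(lambda e: within_cidr(e["ip"], "10.2.3.0/24")))
    print(roles_where(lambda e: has_any(e["domain"], ["google.com", "yahoo.com"])))
    # `_` stays a wildcard even when it was meant as a literal underscore.
    print(like("sysadminXro", "sysadmin_ro"))
```

Because `_` is a wildcard, a `like` pattern written with a literal underscore in mind also matches values that have any other character in that position; use `is` when the filter needs an exact match.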

## Supported field types

<table><thead><tr><th width="153">Field types</th><th>Description</th></tr></thead><tbody><tr><td><code>string</code></td><td>A string value</td></tr><tr><td><code>number</code></td><td>A 32-bit integer number or 64-bit floating point number</td></tr><tr><td><code>boolean</code></td><td>A boolean value <code>true</code> / <code>false</code></td></tr><tr><td><code>array</code></td><td>A JSON array where each element is of the same type</td></tr><tr><td><code>time</code></td><td>A valid timestamp</td></tr><tr><td><code>object</code></td><td>A JSON object</td></tr></tbody></table>


