# Query Builder Filter Operators

## Supported Operators

<table><thead><tr><th width="154">Operation</th><th>Usage guidelines</th><th width="210">Supported field types</th><th>Examples</th></tr></thead><tbody><tr><td>is / is not</td><td>Valid for a single value. Results include only events where the field matches/does not match the value in the filter.</td><td>string, number</td><td>username is "root"</td></tr><tr><td>is empty / is not empty</td><td>Valid for an event where the field's value is not specified. The operator tests only for the absence of data.</td><td>string</td><td>errors_list is empty</td></tr><tr><td>is in list / is not in list</td><td>Valid for multiple values. Results include only events where the field matches/does not match an entry in the list of values in the filter.</td><td>string</td><td>username is in [ "root", "admin" ]</td></tr><tr><td>has substring / does not have substring</td><td>Valid for a single value. Results include only events where the field contains/does not contain the value in the filter.</td><td>string</td><td>domain contains ".google.com"</td></tr><tr><td>like / is not like</td><td>Valid for a single value. Results include only events where the field matches/does not match the pattern specified in the filter.<br><br>Wildcards are supported in the pattern.</td><td>string</td><td><p>role like "admin_"<br>role like "%admin%"</p><p>role like "admin*"</p><p><em>An underscore (<code>_</code>) matches any single character.</em></p><p><em>A percent sign (<code>%</code>) or asterisk (<code>*</code>) matches any sequence of zero or more characters.</em></p></td></tr><tr><td>equals / does not equal</td><td>Valid for a single value. Results include only events where the field matches/does not match the value in the filter.</td><td>number</td><td>count = 100</td></tr><tr><td>is greater than</td><td>Valid for a single value. Results include only events where the field is greater than the value in the filter.</td><td>number</td><td>port > 1023</td></tr><tr><td>is less than</td><td>Valid for a single value. Results include only events where the field is less than the value in the filter.</td><td>number</td><td>port &#x3C; 1024</td></tr><tr><td>is greater than or equal to</td><td>Valid for a single value. Results include only events where the field is greater than or equal to the value in the filter.</td><td>number</td><td>count ≥ 1</td></tr><tr><td>is less than or equal to</td><td>Valid for a single value. Results include only events where the field is less than or equal to the value in the filter.</td><td>number</td><td>count ≤ 100</td></tr><tr><td>has / does not have</td><td>Valid for events that contain a specific single value. Results include only events that contain/do not contain the value in the filter.</td><td>array</td><td>domain has "google.com"<br><br><em>where domain is an array of values</em></td></tr><tr><td>is true / is false</td><td>Valid for a single boolean value. Results include events where the boolean field is true or false.</td><td>boolean</td><td>success is true</td></tr><tr><td>is after</td><td>Valid for a single time value. Results include events that occurred after the specified time value.</td><td>time</td><td>timestamp is after <code>01/19/2023 2:48 PM UTC</code></td></tr><tr><td>is before</td><td>Valid for a single time value. Results include events that occurred before the specified time value.</td><td>time</td><td>timestamp is before <code>01/19/2023 2:48 PM UTC</code></td></tr><tr><td>is null / is not null</td><td>Valid for an event where the field's value is null. The operator tests for a null value.</td><td>universal</td><td>errorCode is null</td></tr></tbody></table>
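
The wildcard rules for `like` in the table above, modelled as an added Python example (not the product's own code) and compared with `has substring` over constructed events. It assumes the pattern must match the whole field value, case-sensitively, with no escape character; the page does not state these points, and `like_to_regex`, `select` and the sample roles are hypothetical names and data.

```python
import re

def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a `like` pattern into a regular expression.

    `_` matches exactly one character; `%` and `*` match zero or more.
    Assumed, not documented: whole-value match, case-sensitive, no escapes.
    """
    parts = []
    for ch in pattern:
        if ch == "_":
            parts.append(".")            # any single character
        elif ch in "%*":
            parts.append(".*")           # any sequence, including empty
        else:
            parts.append(re.escape(ch))  # everything else is literal
    return re.compile("".join(parts), re.DOTALL)

def like(value: str, pattern: str) -> bool:
    return like_to_regex(pattern).fullmatch(value) is not None

def has_substring(value: str, needle: str) -> bool:
    return needle in value

# Constructed sample events (not real data).
EVENTS = [
    {"role": "admin"},
    {"role": "admin1"},
    {"role": "admin_ro"},
    {"role": "sysadmin"},
    {"role": "svc_backup"},
    {"role": "svcXbackup"},
]

def select(op, arg):
    """Return the role of every sample event for which op(role, arg) holds."""
    return [e["role"] for e in EVENTS if op(e["role"], arg)]

if __name__ == "__main__":
    for pat in ("admin_", "%admin%", "admin*", "svc_backup"):
        print(f'role like "{pat}":', select(like, pat))
    print('role has substring "admin":', select(has_substring, "admin"))
```

Under these assumptions, `role like "admin_"` does not return the bare `admin` role, and a filter value that contains a literal underscore, such as `svc_backup`, also matches `svcXbackup`; use `is` when an exact match is intended.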

## Supported Field Types

<table><thead><tr><th width="153">Field types</th><th>Description</th></tr></thead><tbody><tr><td><code>string</code></td><td>A string value</td></tr><tr><td><code>number</code></td><td>A 32-bit integer number or 64-bit floating point number</td></tr><tr><td><code>boolean</code></td><td>A boolean value <code>true</code> / <code>false</code></td></tr><tr><td><code>array</code></td><td>A JSON array where each element is of the same type</td></tr><tr><td><code>time</code></td><td>A valid timestamp</td></tr></tbody></table>
