NQL comparison operators
Use comparison operators in the NQL where clause to filter the results of a query. Each operator below lists the data types it accepts and one or two example filters.
== (or =)
  Equals
  Supported types: string, int, float, Boolean, date time, enumeration, duration, IP address, version
  Examples:
    | where user.name = "jdoe@kanopy"
    | where user.name == "jdoe@kanopy"

!=
  Not equals
  Supported types: string, int, float, Boolean, date time, enumeration, duration, IP address, version
  Examples:
    | where hardware_manufacturer != "VMWare"
    | where hardware_manufacturer != null

>
  Greater than
  Supported types: int, float, duration, byte, IP address, version
  Example:
    | where hardware.memory > 8GB

<
  Less than
  Supported types: int, float, duration, byte, IP address, version
  Example:
    | where hardware.memory < 16GB

>=
  Greater than or equal
  Supported types: int, float, date time, duration, byte, IP address, version
  Example:
    | where hardware.memory >= 8GB

<=
  Less than or equal
  Supported types: int, float, date time, duration, byte, IP address, version
  Example:
    | where hardware.memory <= 16GB
Refer to NQL data types for more information about supported
String values compared with these operators are case-insensitive. For example, the following two queries return the same results:

  devices during past 24h
  | where name == "CORPSYS2022"

  devices during past 24h
  | where name == "CoRpSyS2022"
Using wildcards
Use wildcards to match partial values and make filters more flexible. String values used with comparison operators support the following wildcard characters. A pattern without a wildcard must match the whole value, so place * where the unknown part of the value is.

*
  Matches any number of characters (including none)
  Examples:
    | where application.name = "Microsoft*"
    Returns application names starting with "Microsoft"
    | where application.name = "*Microsoft*"
    Returns application names containing "Microsoft"

?
  Matches exactly one character
  Example:
    | where device.operating_system.name == "Windows 1?"
    Returns operating system names consisting of "Windows 1" followed by one more character, such as Windows 10 and Windows 11. It does not match names with a longer version string, such as Windows Server 2022.
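The following is an added reference model of the semantics documented on this page (case-insensitive equality, the * and ? wildcards, ordered comparison on byte and version values, and comparison against null). It is not Nexthink's implementation and is not NQL code; the record layout, the base-2 interpretation of byte units such as 8GB, the numeric component-wise ordering of versions, and the rule that only == and != are meaningful against null are assumptions of this model. It is useful for checking what a filter will and will not match before running it against a live tenant.

```python
import re
from typing import Any, Optional

# Byte-size literals such as 8GB (the documented "byte" type).  Base-2
# multipliers are an assumption of this model.
_BYTE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}


def parse_bytes(literal: str) -> int:
    """'8GB' -> 8589934592.  Accepts a decimal part and any letter case."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMGT]?B)\s*", literal, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a byte literal: {literal!r}")
    return int(float(m.group(1)) * _BYTE_UNITS[m.group(2).upper()])


def parse_version(literal: str) -> tuple:
    """'10.0.19041' -> (10, 0, 19041), so ordering is numeric per component,
    not lexicographic ('10.0.19041' < '10.0.9' as text, but not as a version)."""
    return tuple(int(part) for part in literal.strip().split("."))


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an NQL string pattern: '*' matches any run of characters,
    '?' matches exactly one, everything else is literal (so '.' is not a
    wildcard).  The result is anchored at both ends and case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


# Parsers for the typed literals this model supports.
_PARSERS = {"int": int, "float": float, "byte": parse_bytes, "version": parse_version}


def evaluate(op: str, value: Any, literal: Optional[str], kind: str) -> bool:
    """Apply one `where <field> <op> <literal>` test to a single field value.
    `literal` is None for the NQL keyword null."""
    if literal is None:                      # comparison against null (assumption)
        if op in ("==", "="):
            return value is None
        if op == "!=":
            return value is not None
        raise ValueError(f"{op} is not defined against null")
    if value is None:                        # missing value never satisfies a typed test
        return False
    if kind == "string":                     # strings: only equality, wildcard-aware
        hit = wildcard_to_regex(literal).fullmatch(value) is not None
        if op in ("==", "="):
            return hit
        if op == "!=":
            return not hit
        raise ValueError(f"{op} is not supported for strings")
    parse = _PARSERS[kind]
    lhs = parse(value) if isinstance(value, str) else value
    rhs = parse(literal)
    return {
        "==": lhs == rhs, "=": lhs == rhs, "!=": lhs != rhs,
        ">": lhs > rhs, "<": lhs < rhs, ">=": lhs >= rhs, "<=": lhs <= rhs,
    }[op]


def where(records: list, field: str, op: str, literal: Optional[str], kind: str) -> list:
    """Filter records like `| where <field> <op> <literal>`; returns the device names."""
    return [r["name"] for r in records if evaluate(op, r.get(field), literal, kind)]


# Constructed sample inventory (not real data) to exercise the documented examples.
DEVICES = [
    {"name": "CORPSYS2022", "hardware_manufacturer": "Dell Inc.",
     "hardware.memory": 16 * 1024 ** 3, "os.name": "Windows 11",
     "os.version": "10.0.22621", "application.name": "Microsoft Teams"},
    {"name": "lab-vm-01", "hardware_manufacturer": "VMware",
     "hardware.memory": 4 * 1024 ** 3, "os.name": "Windows 10",
     "os.version": "10.0.19045", "application.name": "microsoft edge"},
    {"name": "srv-dc-02", "hardware_manufacturer": None,
     "hardware.memory": 64 * 1024 ** 3, "os.name": "Windows Server 2022",
     "os.version": "10.0.20348", "application.name": "Chrome"},
]

if __name__ == "__main__":
    print(where(DEVICES, "name", "==", "CoRpSyS2022", "string"))
    print(where(DEVICES, "hardware_manufacturer", "!=", "VMWare", "string"))
    print(where(DEVICES, "hardware_manufacturer", "!=", None, "string"))
    print(where(DEVICES, "hardware.memory", ">", "8GB", "byte"))
    print(where(DEVICES, "application.name", "=", "Microsoft*", "string"))
    print(where(DEVICES, "os.name", "==", "Windows 1?", "string"))
    print(where(DEVICES, "os.version", ">=", "10.0.20000", "version"))
```

Two points the model makes visible: because patterns are anchored, `!= "VMWare"` only excludes values that are exactly that string (case aside), so a field that carries a longer vendor string would need `"VMware*"`; and the version type exists because text ordering gets build numbers wrong, which is why `10.0.19041` must sort above `10.0.9`.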