
And (and)

Description

You can apply this operation either as a Filter or Create field operation:

Filter

Retrieves those events where all the given Boolean field values are true.

Create field

Creates a Boolean field that returns true only if all the given arguments are true.

How does it work in the search window?

Select Filter / Create field in the search window toolbar, then select the And operation. This operation requires at least two Operand arguments, but you can add more as needed. 

Argument | Data type
Operand (mandatory) | boolean
Operand (mandatory) | boolean

If you use the Create field operation, the data type of the values in the new field is boolean (true or false).

Example

In the siem.logtrust.web.activity table, we want to display only those events where the response time is greater than 5 and the content length is greater than 1000. To do it, we will apply a Filter using the And operation, but first, we need to create the required Boolean fields.

Step 1: Create the dedicated fields with Boolean values

We need two new fields: one for the first condition (responseTime>5) and one for the second condition (contentLength>1000). Here is how we define these fields, using the Greater than (gt, >) operation.

Once created, we will have two Boolean fields containing a true or false value for each row.

Step 2: Apply the filter using the And operation

Select Filter on the query toolbar, then select And as the operator. Now select the fields that you created as arguments:

  • Operand - responseTime>5 field

  • Operand - contentLength>1000 field

Click Filter data. The table displays only those rows where both the responseTime>5 and contentLength>1000 values are true. 

Click Create field and follow the same steps to add a new Boolean field that shows true only when both the responseTime>5 and contentLength>1000 values are true.

How does it work in LINQ?

Use the operator where...  to apply the Filter operation and select... as...  to apply the Create field operation. This is the syntax for the And operation:

  • boolean1 and boolean2 and ...

Examples

You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table:

from siem.logtrust.web.activity select responseTime > 5 as `responseTime>5`, contentLength > 1000 as `contentLength>1000` where `responseTime>5` and `contentLength>1000`

And this is the same example using the Create field operation:

from siem.logtrust.web.activity select responseTime > 5 as `responseTime>5`, contentLength > 1000 as `contentLength>1000` select `responseTime>5` and `contentLength>1000` as `time>5&content>1000`
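To make the difference between the two forms concrete, here is an added Python model of the same two-step procedure run over a handful of constructed web-activity rows; it is not part of the Devo documentation or product, and the row values and field names are assumptions chosen to mirror the example above. It also accepts any number of operands, matching the `boolean1 and boolean2 and ...` syntax.

```python
# Added example (not from the Devo documentation): models the page's two-step
# approach so the Filter and Create field behaviours of `and` can be compared.

# Constructed sample rows shaped like siem.logtrust.web.activity events.
EVENTS = [
    {"responseTime": 12, "contentLength": 4096},
    {"responseTime": 3,  "contentLength": 4096},
    {"responseTime": 12, "contentLength": 512},
    {"responseTime": 7,  "contentLength": 1500},
]


def create_boolean_fields(events):
    """Step 1: add the two Boolean fields built with the gt (>) operation."""
    rows = []
    for ev in events:
        row = dict(ev)
        row["responseTime>5"] = ev["responseTime"] > 5
        row["contentLength>1000"] = ev["contentLength"] > 1000
        rows.append(row)
    return rows


def and_filter(events, *fields):
    """Filter form (`where b1 and b2 and ...`): keep only the rows where every
    named Boolean field is true. The row count shrinks; columns are unchanged."""
    return [ev for ev in events if all(ev[f] for f in fields)]


def and_create_field(events, new_field, *fields):
    """Create field form (`select b1 and b2 as new`): keep every row and add a
    Boolean column that is true only when all named fields are true."""
    return [{**ev, new_field: all(ev[f] for f in fields)} for ev in events]


if __name__ == "__main__":
    rows = create_boolean_fields(EVENTS)
    for r in and_filter(rows, "responseTime>5", "contentLength>1000"):
        print("kept:", r)
    for r in and_create_field(rows, "time>5&content>1000",
                              "responseTime>5", "contentLength>1000"):
        print("flagged:", r["time>5&content>1000"], r)
```

Running it keeps two of the four constructed rows under the Filter form, while the Create field form returns all four rows with the new column set to true on the same two.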