And (and)

Description

You can apply this operation either as a Filter or Create field operation:

How does it work in the search window?

Select Filter / Create field in the search window toolbar, then select the And operation. This operation requires at least two Operand arguments, but you can add more as needed. 

If you use the Create field operation, the data type of the values in the new field is boolean (true or false).

Example

In the siem.logtrust.web.activity table, we want to display only those events where the response time is greater than 5 and the content length is greater than 200. To do it, we will apply a Filter using the And operation, but first, we need to create the required Boolean fields.

Step 1: Create the dedicated fields with Boolean values

We need two new fields. One for the first condition (contentLength>200), and one for the second condition (contentLength>200). Here is how we define these fields, using the Greater than (gt, >) operation.

Open

Open

Once created, we will have two Boolean fields containing a true or false value for each row.

Step 2: Apply the filter using the And operation

Select Filter on the query toolbar, then select And as the operator. Now select the fields that you created as arguments:  

• Operand - responseTime>5 field

• Operand - contentLength>200 field

Click Filter data. The table displays only those rows where both the responseTime>5 and contentLength>1000 values are true. 

Click Create field and follow the same steps to add a new Boolean field that shows true only when both the responseTime>5 and contentLength>1000 values are true.

How does it work in LINQ?

Use the operator where...  to apply the Filter operation and select... as...  to apply the Create field operation. This is the syntax for the And operation:

• boolean1 and boolean2 and ...

Examples

You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table:

And this is the same example using the Create field operation: