Scalar Operators
Operators that compare, combine, and test values in expressions
Scalar operators evaluate to a single value. They form the boolean predicates used in where, the computed columns in extend and project, and any other place an expression is expected. Results combine with and, or, and not.
Comparison, arithmetic, and logical
| Operator | Description | Example |
|---|---|---|
== | Equal; strings compare case-sensitively | 1 == 1, "abc" == "abc" |
!= | Not equal | 1 != 2 |
=~ | Equal, case-insensitive (strings) | "aBc" =~ "AbC" |
!~ | Not equal, case-insensitive | "abc" !~ "xyz" |
< | Less than | 1 < 2 |
<= | Less than or equal | 1 <= 2 |
> | Greater than | 2 > 1 |
>= | Greater than or equal | 2 >= 1 |
+ | Add | 2 + 1, now() - 1h |
- | Subtract | 5 - 2 |
* | Multiply | 2 * 3 |
/ | Divide | 6 / 2 |
% | Modulo | 5 % 2 |
and | Logical and | (x > 0) and (y > 0) |
or | Logical or | (x > 0) or (y > 0) |
not(…) | Logical negation | not(isempty(name)) |
Membership and range
| Operator | Description | Example |
|---|---|---|
in | Value equals any item in the list | level in ("error", "warn") |
!in | Negation of in | level !in ("info", "debug") |
in~ | Case-insensitive in | level in~ ("Error", "Warn") |
!in~ | Negation of in~ | |
between | Value within an inclusive range | x between (1 .. 10) |
x in (v1, v2, …) is exactly equivalent to (x == v1) or (x == v2) or …; in~ uses case-insensitive equality. The list must be non-empty and all values must share a type — integers and reals form one numeric family, so x in (1, 2.5) is allowed, while a mixed list such as x in (1, "a") is an error. The value is compared by its native type, so membership on a dynamic field keeps bloom and shard pruning engaged with no cast.
String operators
String operators test strings using infix notation. Most have a case-sensitive variant (suffixed with _cs).
| Operator | Description | Case-Sensitive | Example |
|---|---|---|---|
contains | Indicate whether a string contains another string (case-insensitive). | No | "value" contains "test" |
!contains | Negation of contains | No | |
contains_cs | Indicate whether a string contains another string (case-sensitive). | Yes | "value" contains_cs "test" |
!contains_cs | Negation of contains_cs | Yes | |
endswith | Indicate whether a string ends with another string (case-insensitive). | No | "value" endswith "test" |
!endswith | Negation of endswith | No | |
endswith_cs | Indicate whether a string ends with another string (case-sensitive). | Yes | "value" endswith_cs "test" |
!endswith_cs | Negation of endswith_cs | Yes | |
has | Indicate whether a string contains a whole word (case-insensitive, word boundary matching). | No | "value" has "test" |
!has | Negation of has | No | |
has_cs | Indicate whether a string contains a whole word (case-sensitive, word boundary matching). | Yes | "value" has_cs "test" |
!has_cs | Negation of has_cs | Yes | |
hasprefix | Indicate whether a string starts with a word prefix (case-insensitive, word boundary matching). | No | "value" hasprefix "test" |
!hasprefix | Negation of hasprefix | No | |
hasprefix_cs | Indicate whether a string starts with a word prefix (case-sensitive, word boundary matching). | Yes | "value" hasprefix_cs "test" |
!hasprefix_cs | Negation of hasprefix_cs | Yes | |
hassuffix | Indicate whether a string ends with a word suffix (case-insensitive, word boundary matching). | No | "value" hassuffix "test" |
!hassuffix | Negation of hassuffix | No | |
hassuffix_cs | Indicate whether a string ends with a word suffix (case-sensitive, word boundary matching). | Yes | "value" hassuffix_cs "test" |
!hassuffix_cs | Negation of hassuffix_cs | Yes | |
matches regex | Returns true if the string matches the regular expression pattern. | No | "value" matches regex "test" |
startswith | Indicate whether a string starts with another string (case-insensitive). | No | "value" startswith "test" |
!startswith | Negation of startswith | No | |
startswith_cs | Indicate whether a string starts with another string (case-sensitive). | Yes | "value" startswith_cs "test" |
!startswith_cs | Negation of startswith_cs | Yes |
Function call syntax
Most string operators can also be called as functions (except multi-word operators like matches regex). For example:
T | where contains(name, "search")is equivalent to:
T | where name contains "search"