
Comparing values with operators in LEM filters and rules

Updated: September 15, 2017

This topic documents how to use operators to create custom filter and rule expressions in LEM.

About operators in LEM

When configuring a LEM rule or a filter, if you drag an item from the list pane and position it next to an event variable, an operator icon appears between them. The operator states how the event variable must compare with the other item to be subject to the rule's or filter’s conditions. For example, an operator might state that an event must be contained within a Time of Day Set, or it may state that an event only applies to a particular Connector Profile.

There are two types of operators: Condition and Group.

  • Condition operators are found between your events and their values. Examples include Equals, Does Not Equal, Contains, and Does Not Contain. Rule Creation only displays the operators that are available for the values in your Correlations.
  • Group operators are found outside of your correlation groups. The two options are And (blue) and Or (orange).

The operators that appear between two elements vary depending on your selections. The creation form only allows comparisons that are logical for the specified elements.

Select a new operator

There are two ways to select an operator for a condition:

  • Ctrl+click the operator to open a menu of valid operators, and then click the operator that you want to use.
  • Click the operator to cycle through the options that are valid for the current condition.

Operator tips

The following tips apply to operators:

  • When comparing two numeric values, the full range of mathematical operator options is available.
  • An IP address is treated as a string (or text) value. Therefore, operators are limited to “equal” and “not equal.”
  • DateTime fields have a default value of “> Time Now”, which means greater than the current date and time.

Table of operators

The following table describes each operator and how it should be interpreted when used as a filter condition.

A list item (indicated with an * in the following table) can be another event variable, such as an event field. For example, you may want to evaluate if an event's source is equal to a certain destination. In this case, you would compare two event fields, such as SourceMachine = DestinationMachine.

Operator: Exist / Not exist

Use these operators to specify whether a particular event or Event Group exists. Read conditions with these operators as follows: “This [event/Event Group] must [exist/not exist].”

“Not exist” is only used in rules.

Operator: is in / is not in

Use these operators when comparing event fields with groups (such as Event Groups, User-Defined Groups, etc.). They determine the filter’s behavior based on whether or not the field is contained in a specific Group.

Read conditions with these operators as follows:

  • This [event field] must be in this [Group].
  • This [event field] must not be in this [Group].

Operator: Equals / Does not equal

Read conditions with these operators as follows:

  • This [event variable] must equal this [list item*].
  • This [event variable] must not equal this [list item*].

Text comparisons (for IP addresses, host names, etc.) are limited to “equal” or “not equal” operators.

Operator: Greater than / Greater than OR equal to / Less than / Less than OR equal to

Read conditions with these operators as follows:

  • This [event variable] must be greater than this [list item*].
  • This [event variable] must be greater than or equal to this [list item*].
  • This [event variable] must be less than this [list item*].
  • This [event variable] must be less than or equal to this [list item*].

Operator: AND / OR

Conditions and groups of conditions are subject to AND and OR comparisons.

  • The AND symbol means two or more conditions (or groups) must occur together for the filter to apply. This is the default comparison for new groups.
  • The OR symbol means any one of several conditions (or groups) may occur for the filter to apply. When comparing groups of distinct events, you must use the OR symbol.

If you click an AND operator, it changes to an OR, and vice versa.


Examples of AND and OR conditions

Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions. By default, new groups, conditions, and correlations appear with an AND condition. Both AND and OR conditions can surround nested groups, and they can be used between groups on the same level to create complex filter conditions or rule correlations.

Example: If x AND y AND z occur, report the event.
Description: If all of the conditions apply, report the event.

Example: If x OR y OR z occurs, report the event.
Description: If any of the conditions apply, report the event.

Example: If (x AND y) OR z occurs, report the event.
Description: If conditions x and y occur, or if condition z occurs, report the event.

Example: If (a AND b) OR (x AND y) OR (z) occurs, report the event.
Description: In this case, you would create three groups, two nested within the third:

  • The nested groups are configured as (a AND b) and (x AND y), joined with an OR.
  • The outer group is configured as (z), surrounding the nested groups with an OR.

Example: “Condition1” AND “Condition2 AND Condition3” OR “Condition4 AND Condition5.”
Description: In this example, the filter reports the event when it meets the following conditions:

  • Condition1 and Condition2 and Condition3, or
  • Condition1 and Condition4 and Condition5.
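The following Python program is an added example, not SolarWinds code and not a reproduction of how LEM evaluates rules internally. It models the semantics described in the table of operators and in the AND/OR examples above: exist / not exist, is in / is not in, equals / does not equal, the ordering operators, IP addresses treated as strings (so only equal / not equal is allowed for them), comparison of one event field with another (SourceMachine = DestinationMachine), and nested AND/OR groups. It builds the last example, Condition1 AND (Condition2 AND Condition3) OR (Condition4 AND Condition5), out of constructed conditions and runs it over constructed events. SourceMachine and DestinationMachine come from the page; the field names EventInfo, Count and SourceAccount, the User-Defined Group EXTERNAL_HOSTS and all event values are assumptions made for the example. Exist / not exist is simplified to "the field is present on the event"; in LEM it applies to events and Event Groups in rules.

```python
"""Toy evaluator for LEM-style filter and rule expressions (added example, not SolarWinds code)."""
import operator
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Dict, List, Union

Event = Dict[str, Any]

# Ordering operators are only valid for values that can be ordered (numbers, DateTime
# fields). IP addresses and host names are strings, so they only get equals / does not equal.
ORDERING = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


@dataclass(frozen=True)
class Field:
    """A 'list item' that is itself another event field, e.g. SourceMachine = DestinationMachine."""
    name: str


def orderable(value: Any) -> bool:
    return isinstance(value, (int, float, datetime)) and not isinstance(value, bool)


def comparison_allowed(op: str, value: Any) -> bool:
    """Mirror the creation form: only offer comparisons that are logical for the value type."""
    if op in ORDERING:
        return isinstance(value, Field) or orderable(value)
    if op in ("is in", "is not in"):
        return isinstance(value, (set, frozenset, list, tuple))
    return op in ("exists", "not exists", "equals", "does not equal")


@dataclass
class Cond:
    field: str
    op: str
    value: Any = None

    def eval(self, event: Event) -> bool:
        if not comparison_allowed(self.op, self.value):
            raise ValueError(f"operator {self.op!r} is not valid for value {self.value!r}")
        # exist / not exist: simplified here to presence of the field on the event.
        if self.op == "exists":
            return self.field in event
        if self.op == "not exists":
            return self.field not in event
        actual = event.get(self.field)
        expected = event.get(self.value.name) if isinstance(self.value, Field) else self.value
        if self.op == "is in":
            return actual in expected
        if self.op == "is not in":
            return actual not in expected
        if self.op == "equals":
            return actual == expected
        if self.op == "does not equal":
            return actual != expected
        # Ordering: an event whose field is missing or not orderable simply does not match.
        if not (orderable(actual) and orderable(expected)):
            return False
        return ORDERING[self.op](actual, expected)


@dataclass
class Group:
    """Conditions or nested groups joined with AND (the default for new groups) or OR."""
    join: str
    items: List[Union["Group", Cond]]

    def eval(self, event: Event) -> bool:
        results = [item.eval(event) for item in self.items]
        return all(results) if self.join == "AND" else any(results)


def matching_ids(rule: Group, events: List[Event]) -> List[str]:
    return [e["id"] for e in events if rule.eval(e)]


# Constructed User-Defined Group of external addresses (documentation-range sample values).
EXTERNAL_HOSTS = frozenset({"203.0.113.7", "198.51.100.22"})

# The page's last example, Condition1 AND (Condition2 AND Condition3) OR (Condition4 AND Condition5),
# filled with constructed conditions.
RULE = Group("AND", [
    Cond("EventInfo", "equals", "Logon failure"),                       # Condition1
    Group("OR", [
        Group("AND", [                                                  # Condition2 AND Condition3
            Cond("SourceMachine", "is in", EXTERNAL_HOSTS),
            Cond("Count", ">", 5),
        ]),
        Group("AND", [                                                  # Condition4 AND Condition5
            Cond("SourceMachine", "equals", Field("DestinationMachine")),
            Cond("SourceAccount", "exists"),
        ]),
    ]),
])

# Constructed sample events.
EVENTS = [
    {"id": "e1", "EventInfo": "Logon failure", "SourceMachine": "203.0.113.7",
     "DestinationMachine": "dc01", "Count": 9},
    {"id": "e2", "EventInfo": "Logon failure", "SourceMachine": "10.0.0.5",
     "DestinationMachine": "10.0.0.5", "SourceAccount": "svc_backup", "Count": 1},
    {"id": "e3", "EventInfo": "Logon failure", "SourceMachine": "203.0.113.7",
     "DestinationMachine": "dc01", "Count": 2},
    {"id": "e4", "EventInfo": "Logon success", "SourceMachine": "203.0.113.7",
     "DestinationMachine": "dc01", "Count": 9},
]

if __name__ == "__main__":
    print(matching_ids(RULE, EVENTS))  # e1 matches via (2 AND 3), e2 via (4 AND 5)
```

Event e1 matches through the external-host branch, e2 through the field-to-field branch, and e3 and e4 each fail one condition in every branch. Note that `comparison_allowed(">", "10.0.0.1")` is False: an IP address is a string, so the evaluator refuses the ordering operator just as the creation form would not offer it.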