Less common operators
Sometimes you aren't sure what you are looking for, but you know what you are not looking for and want to eliminate it from the view.
In these cases you will want the operators LIKE, IS, IN, and NOT. This article shows how to get those operators to work for you, using commonly needed examples.
LIKE is used for pattern matching on text fields (e.g. host, username, hostname). It cannot be used on numeric fields such as ports.
NOTE: Use the wildcard % before the text, after the text, or both. % matches any run of characters, including none, so LIKE performs a substring match rather than an exact one.
Example: Host LIKE %ama% will return any session where "ama" is in the host field, including www.amazon.com, m.media-amazon.com, www.amanet.org, etc.
IS requires an exact match, which makes it awkward for general searching. For NG Firewall reporting purposes, IS is most useful when searching for a NULL (blank) value, which cannot be matched with an ordinary equals comparison.
Example: username IS NULL will return any session where the username field is blank.
Since IS requires an exact match, combining it with NOT is a useful way to narrow down a search.
Example: username IS NOT NULL will return any session where the username field is not blank.
IN is especially useful in NG Firewall because every condition you add is an AND condition: each condition must be true for a session to be returned, so you cannot express "this OR that" by adding two separate conditions.
The IN condition lets a single condition match any one of several values. Example: if you are looking for any session that was sent to server port 53 OR 22 OR 80, you can do this in NG Firewall with the IN operator.
NOTE: You must place () around the list and separate the values with commas, with no spaces.
Example: server port IN (53,22,80) will return only sessions where the server port was either 53, 22, OR 80.
NOT is an operator that only works in conjunction with IS, LIKE, and IN, and it negates the condition: NOT IN, IS NOT, NOT LIKE. Please note that the IS NOT operator takes only a single value, so you cannot give it multiple values; to exclude several values at once, use NOT IN.
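The operators above behave like their SQL counterparts, and the script below shows that behaviour by running equivalent conditions against a small in-memory SQLite table. This is an added example for illustration, not NG Firewall's own code, schema or data: the table name, column names (hostname, username, c_server_port) and the session rows are constructed for the demo, and the database engine behind the real report filters may differ in details such as LIKE case sensitivity. It also shows two caveats worth knowing: "= NULL" never matches (which is why IS NULL exists), and NOT IN silently drops rows whose value is NULL.

```python
"""
Demonstrates the report operators LIKE, IS, IN and NOT by running equivalent
SQL conditions against a constructed, in-memory SQLite table.

Added example: the table, columns and rows below are made up for this demo
and are not NG Firewall's own schema or data.
"""
import sqlite3

# Constructed sample sessions; None stands for NULL (e.g. no authenticated user).
SAMPLE_SESSIONS = [
    # (hostname, username, c_server_port)
    ("www.amazon.com", "alice", 443),
    ("m.media-amazon.com", None, 443),
    ("www.amanet.org", "bob", 80),
    ("ns1.example.net", None, 53),
    ("jump.example.net", "carol", 22),
    ("mail.example.net", "alice", 25),
    ("unknown-host", None, None),
]


def _query(condition, params=()):
    """Return the hostnames of sample sessions matching a fixed WHERE condition.

    The operator text is a constant chosen by the calling function; every value
    is bound as a parameter, so nothing user-supplied is spliced into the SQL.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (hostname TEXT, username TEXT, c_server_port INTEGER)"
    )
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SAMPLE_SESSIONS)
    rows = conn.execute(
        "SELECT hostname FROM sessions WHERE " + condition + " ORDER BY hostname",
        params,
    ).fetchall()
    conn.close()
    return [hostname for (hostname,) in rows]


def host_like(pattern):
    """LIKE: pattern match on a text field; % matches any run of characters."""
    return _query("hostname LIKE ?", (pattern,))


def host_not_like(pattern):
    """NOT LIKE: every session whose hostname does not match the pattern."""
    return _query("hostname NOT LIKE ?", (pattern,))


def username_is_null():
    """IS NULL: sessions with a blank (NULL) username."""
    return _query("username IS NULL")


def username_is_not_null():
    """IS NOT NULL: sessions that do have a username."""
    return _query("username IS NOT NULL")


def username_equals_null():
    """The wrong way: '= NULL' is never true in SQL, so this matches nothing."""
    return _query("username = NULL")


def _placeholders(values):
    # One bound parameter per value: "?,?,?" for three values.
    return ",".join("?" * len(values))


def port_in(ports):
    """IN: match any one of several server ports (an OR inside one condition)."""
    return _query("c_server_port IN (" + _placeholders(ports) + ")", tuple(ports))


def port_not_in(ports):
    """NOT IN: a NULL port is neither in nor not-in the list, so it is dropped."""
    return _query("c_server_port NOT IN (" + _placeholders(ports) + ")", tuple(ports))


def authenticated_on_ports(ports):
    """Two conditions are ANDed, exactly as in the report filter: both must hold."""
    return _query(
        "username IS NOT NULL AND c_server_port IN (" + _placeholders(ports) + ")",
        tuple(ports),
    )


if __name__ == "__main__":
    print("LIKE %ama%        :", host_like("%ama%"))
    print("IS NULL           :", username_is_null())
    print("IS NOT NULL       :", username_is_not_null())
    print("= NULL (wrong)    :", username_equals_null())
    print("IN (53,22,80)     :", port_in([53, 22, 80]))
    print("NOT IN (53,22,80) :", port_not_in([53, 22, 80]))
```

Run it with no arguments to see each operator's result set. The "unknown-host" row, which has a NULL server port, appears in neither the IN nor the NOT IN result: if you need those sessions as well, add a separate "server port IS NULL" check rather than assuming NOT IN will catch them.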