Logical operators join two sub-expressions together. These sub-expressions can consist of keywords, wildcards, phrases, or other expressions, possibly parenthetically nested to change the order of evaluation.
| Operator | Description |
|---|---|
| and | This is the default logical conjunctive operator. Example: XX and YY matches any message that contains both XX and YY in any order within the message. Both the left and the right operands to the and operator must be present somewhere within the message. |
| or | This is the logical or operator. Example: The correlation match expression AA or BB or CC matches the message if it contains any of the three keywords in any order within the message. Either the left or the right operand to the or operator, or both operands, must be present somewhere within the message. |
| xor | This is the logical exclusive or operator, which matches the message if either the left or the right operand appears in the message, but not both. Example: QQ XOR RR matches the message value of qq and matches the message value of rr, but does not match the message value of qq rr or the message rrqq. The xor operator is not used often, but it is invaluable when required. |
| not | This is the logical negation operator, which indicates that the keyword or phrase following the operator must not match. Example: NOT ZZ matches any message that does not contain the keyword ZZ. Likewise, the correlation match expression NOT AA and NOT BB and NOT CC matches any message that does not contain all three of the specified keywords. The correlation match expression NOT AA or NOT BB or NOT CC matches any message that contains any of the specified keywords. |
The and, or, and xor operators each require left and right arguments. The not operator requires only a right argument. The associative, distributive, and redundancy laws of Boolean logic are strictly followed, as expected. For instance, (NOT AA) AND (NOT BB) is the same as NOT (AA OR BB).
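The following is an added example, not the product's own code: a small evaluator for keyword expressions built from and, or, xor, not and parentheses, useful for checking a rule against sample messages before deploying it. The function name `matches`, the operator precedence, substring keyword matching, and treating adjacent operands as an implied and are assumptions; wildcards and phrases are not handled.

```python
import re

# Assumptions, not stated on the page: precedence is not > and > xor > or;
# keywords match as case-insensitive substrings; adjacent operands are ANDed.
TOKEN = re.compile(r"[()]|[^\s()]+")

def matches(expr, message):
    """Return True if the match expression selects the message."""
    # A trailing None marks the end of the token stream.
    toks, msg, pos = TOKEN.findall(expr.lower()) + [None], message.lower(), 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def binary(op, operand, combine):
        val = operand()
        while toks[pos] == op:
            take()
            val = combine(val, operand())  # both sides are always parsed
        return val

    def parse_or():
        return binary("or", parse_xor, lambda a, b: a or b)

    def parse_xor():
        return binary("xor", parse_and, lambda a, b: a != b)

    def parse_and():
        val = parse_not()
        while toks[pos] not in (None, ")", "or", "xor"):
            if toks[pos] == "and":
                take()
            rhs = parse_not()
            val = val and rhs
        return val

    def parse_not():
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return val
        if tok in (None, ")", "and", "or", "xor"):
            raise ValueError(f"operand expected, got {tok!r}")
        return tok in msg

    result = parse_or()
    if toks[pos] is not None:
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return result
```

Comparing `matches("(NOT AA) AND (NOT BB)", m)` with `matches("NOT (AA OR BB)", m)` over a set of sample messages confirms the equivalence stated above.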