B.3 Operators

Operators connect operations or expressions, passing one operation's output event set on to the next. The following fundamental operators are used between operations:

B.3.1 Flow Operator

The output event set of the left-hand operation becomes the input event set of the right-hand operation. Flow is typically used to chain one correlation operation into the next.

For example:

filter(e.sev = 5) flow trigger(3, 60)

The output of the filter operation is the input of the trigger operation. Because the filter runs first, the trigger counts only events whose severity equals 5; events with any other severity never reach it.

B.3.2 Union Operator

The union operator combines the left-hand operation's output set with the right-hand operation's output set. The resulting output set contains every event that appears in either set, with each event included only once.

For example:

filter(e.sev = 5) union filter(e.sip = 10.0.0.1)

is equivalent to

filter(e.sev = 5 or e.sip = 10.0.0.1)

B.3.3 Intersection Operator

The intersection operator keeps only the events common to the left-hand operation's output set and the right-hand operation's output set. The resulting output set contains each such event only once.

For example:

filter(e.sev = 5) intersection filter(e.sip = 10.0.0.1)

is equivalent to

filter(e.sev = 5 and e.sip = 10.0.0.1)
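The following is an added example that models the set semantics of flow, union and intersection described in B.3.1 to B.3.3; it is illustrative code, not the product's own correlation engine. The Event fields, the constructed sample events, and the reading of trigger(count, window) as "fire when `count` consecutive input events fall within `window` seconds" are assumptions made for the example. It also runs the same trigger over the unfiltered stream, which the text does not do, to make visible why the flow operator changes what the trigger counts.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# Added example, not the product's correlation engine. The trigger(count, window)
# reading "fire when `count` events arrive within `window` seconds", the Event
# fields and the sample events below are assumptions.


@dataclass(frozen=True)
class Event:
    eid: int   # unique event id; duplicates are suppressed by this key
    ts: int    # timestamp in seconds
    sev: int   # severity
    sip: str   # source IP


EventSet = list[Event]  # kept in timestamp order


def filter_(events: Iterable[Event], pred: Callable[[Event], bool]) -> EventSet:
    """filter(<expr>): keep the events for which the predicate holds."""
    return [e for e in events if pred(e)]


def union(left: EventSet, right: EventSet) -> EventSet:
    """left union right: events in either set, each event id at most once."""
    by_id: dict[int, Event] = {}
    for e in list(left) + list(right):
        by_id.setdefault(e.eid, e)
    return sorted(by_id.values(), key=lambda e: (e.ts, e.eid))


def intersection(left: EventSet, right: EventSet) -> EventSet:
    """left intersection right: events present in both sets, once each."""
    right_ids = {e.eid for e in right}
    return [e for e in left if e.eid in right_ids]


def flow(left_output: EventSet, right_op: Callable[[EventSet], object]):
    """left flow right: the left output set is the right operation's input."""
    return right_op(left_output)


def trigger(count: int, window: int) -> Callable[[EventSet], list[tuple[int, ...]]]:
    """Assumed semantics: fire when `count` consecutive input events fall within
    `window` seconds; each firing consumes its events. Returns the fired groups."""
    def op(events: EventSet) -> list[tuple[int, ...]]:
        firings, i = [], 0
        while i + count <= len(events):
            group = events[i:i + count]
            if group[-1].ts - group[0].ts <= window:
                firings.append(tuple(e.eid for e in group))
                i += count
            else:
                i += 1
        return firings
    return op


# Constructed sample input (not real log data).
EVENTS: EventSet = [
    Event(1, 0, 5, "10.0.0.1"),
    Event(2, 10, 3, "10.0.0.1"),
    Event(3, 20, 5, "10.0.0.2"),
    Event(4, 30, 5, "10.0.0.1"),
    Event(5, 100, 2, "10.0.0.3"),
    Event(6, 110, 5, "10.0.0.2"),
    Event(7, 115, 5, "10.0.0.1"),
]


def sev5(e: Event) -> bool:
    return e.sev == 5


def sip1(e: Event) -> bool:
    return e.sip == "10.0.0.1"


def ids(events: EventSet) -> list[int]:
    return [e.eid for e in events]


def flow_example() -> list[tuple[int, ...]]:
    """filter(e.sev = 5) flow trigger(3, 60): only severity-5 events are counted."""
    return flow(filter_(EVENTS, sev5), trigger(3, 60))


def unfiltered_trigger() -> list[tuple[int, ...]]:
    """trigger(3, 60) over the raw stream, for contrast with flow_example()."""
    return trigger(3, 60)(EVENTS)


def union_example() -> tuple[list[int], list[int]]:
    """filter(e.sev = 5) union filter(e.sip = 10.0.0.1) next to filter(... or ...)."""
    combined = union(filter_(EVENTS, sev5), filter_(EVENTS, sip1))
    single = filter_(EVENTS, lambda e: sev5(e) or sip1(e))
    return ids(combined), ids(single)


def intersection_example() -> tuple[list[int], list[int]]:
    """filter(e.sev = 5) intersection filter(e.sip = 10.0.0.1) next to filter(... and ...)."""
    combined = intersection(filter_(EVENTS, sev5), filter_(EVENTS, sip1))
    single = filter_(EVENTS, lambda e: sev5(e) and sip1(e))
    return ids(combined), ids(single)


if __name__ == "__main__":
    print("flow/trigger :", flow_example())
    print("no filter    :", unfiltered_trigger())
    print("union        :", union_example())
    print("intersection :", intersection_example())
```

With the sample events, the flowed trigger fires once (events 1, 3, 4), while the same trigger over the unfiltered stream fires twice because severity-3 and severity-2 events pad the count; the union and intersection results match the single-filter forms the text gives as equivalent, and event 5, which matches neither predicate, appears in neither.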