ALQL operators
This page describes the operators used for advanced searching in the audit log.
An operator in Audit Log Query Language (ALQL) is one or more symbols or words that compares the value of the field on its left with one or more values (or functions) on its right and returns only the events that match. Some operators can be combined with the NOT keyword.
Some operators can only be used with certain fields. To see a field's supported operators, check the individual field reference (ALQL fields).
Equals (=)
The equals (=) operator searches for events where the value of the specified field exactly matches the value you provide.
You can also search for events where the value of a specified field exactly matches multiple values by using multiple equals (=) statements with the AND operator.
Examples
Find all events triggered by Fran Perez:
actor = "Fran Perez"
Find all events triggered by Fran Perez and all events triggered by Jie Song:
actor = "Fran Perez" AND actor = "Jie Song"
Not equals (!=)
The not equals (!=) operator searches for events where the value of the specified field doesn’t match the exact value you provide.
Note:
Typing field != value is the same as typing NOT field = value.
Typing field != EMPTY is the same as typing field IS NOT EMPTY.
Examples
Find all events triggered by any actor except Fran Perez:
actor != "Fran Perez"
Find all events that have a region associated with them:
region IS NOT EMPTY
Greater than (>)
The greater than (>) operator searches for events where the value of the specified field is greater than the value you provide.
Example
Find all events created after December 7, 2025:
created > "2025-12-07"
Greater than or equals (>=)
The greater than or equals (>=) operator searches for events where the value of the specified field is greater than or equal to the value you provide.
Example
Find all events created on or after December 7, 2025:
created >= "2025-12-07"
Less than (<)
The less than (<) operator searches for events where the value of the specified field is less than the value you provide.
Example
Find all events created before December 7, 2025:
created < "2025-12-07"
Less than or equals (<=)
The less than or equals (<=) operator searches for events where the value of the specified field is less than or equal to the value you provide.
Example
Find all events created on or before December 7, 2025:
created <= "2025-12-07"
IN
The IN operator searches for events where the value of the specified field is one of multiple specified values. You can enter multiple values as a comma-delimited list, surrounded by parentheses.
Using IN is equivalent to using multiple equals (=) statements, but is shorter and more convenient.
Example
Find all audit log events related to these three activities:
activity in (user_removed_from_group, api_token_revoked, api_keys_searched)
or
activity = user_removed_from_group OR activity = api_token_revoked OR activity = api_keys_searched
NOT IN
The NOT IN operator searches for events where the value of the specified field is not one of multiple specified values.
Example
Find all events where the actor is someone other than Fran Perez, Jie Song, or Omar Darboe:
actor NOT IN ("Fran Perez", "Jie Song", "Omar Darboe")
or
actor != "Fran Perez" AND actor != "Jie Song" AND actor != "Omar Darboe"
Contains (~)
The contains (~) operator searches for events where the value of the specified field matches the specified value as either an exact match or a fuzzy match (see examples below).
Examples
Find all events where the IP address contains the string 172 anywhere within it:
ip address ~ "172"
Find all events where the IP address begins with 172, with a wildcard match for the remaining parts of the address:
ip address ~ "172.*.*.*"
Find all events where the IP address is an IPv4 address:
ip address ~ "*.*.*.*"
Find all events where the activity contains the word "add" (or derivatives of that word, such as "added" or "adding"):
activity ~ "add"
Find all events where a user was invited to a site, an organization, or anything else:
activity ~ "user_invited"
Note that in the activity examples above, ALQL presents a list of available matches as you type. When you select from the list, ALQL adds the activity string to your query. See also: Audit log activities database.
Does not contain (!~)
The does not contain (!~) operator searches for events where the value of the specified field is not a fuzzy match for the specified value.
Examples
Find all events where the activity does not contain the word "add" (or derivatives of that word, such as "added" or "adding"):
activity !~ "add"
Find all events where the IP address does not contain 172:
ip address !~ "172"
IS
The IS operator can only be used with EMPTY, where the specified field has no value.
Example
Find all events that have no region associated with them:
region IS EMPTY
IS NOT
The IS NOT operator can only be used with EMPTY, where the specified field has a value.
Example
Find all events that have an IP address associated with them:
'ip address' IS NOT EMPTY
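The following is an added example, not part of this page or of the ALQL implementation itself: a small Python model of the operator semantics described above (=, !=, IN, NOT IN, ~, !~, the range comparisons, IS EMPTY and IS NOT EMPTY), evaluated against constructed sample events. The event records, the treatment of None as EMPTY, and the reading of * as a wildcard in ~ patterns are assumptions made for the example; the equivalences it encodes (!= as NOT =, IN as an OR of = clauses) are the ones this page states.

```python
import re

# Constructed sample audit events (not real data); None models an EMPTY field.
EVENTS = [
    {"actor": "Fran Perez", "activity": "user_removed_from_group",
     "ip address": "172.16.0.5", "region": None, "created": "2025-12-08"},
    {"actor": "Jie Song", "activity": "api_token_revoked",
     "ip address": "10.0.0.9", "region": "us-east", "created": "2025-12-06"},
    {"actor": "Omar Darboe", "activity": "user_added_to_group",
     "ip address": None, "region": "eu-west", "created": "2025-12-07"},
]


def fuzzy(value, pattern):
    """Model of ~ : the pattern may appear anywhere in the value; * stands for any run of characters."""
    if value is None:
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(regex, value) is not None


def matches(event, field, op, value=None):
    """Apply one operator from this page to one event. Dates are ISO strings, so string order is date order."""
    actual = event.get(field)
    if op == "IS EMPTY":
        return actual is None
    if op == "IS NOT EMPTY":
        return actual is not None
    if op == "=":
        return actual == value
    if op == "!=":                      # field != value is NOT field = value
        return not matches(event, field, "=", value)
    if op == "IN":                      # IN is an OR of = clauses
        return any(matches(event, field, "=", v) for v in value)
    if op == "NOT IN":
        return not matches(event, field, "IN", value)
    if op == "~":
        return fuzzy(actual, value)
    if op == "!~":
        return not fuzzy(actual, value)
    if actual is None:                  # an EMPTY field never satisfies a range comparison
        return False
    return {">": actual > value, ">=": actual >= value,
            "<": actual < value, "<=": actual <= value}[op]


def query(field, op, value=None):
    """Return the actors of the sample events that satisfy one clause, in input order."""
    return [e["actor"] for e in EVENTS if matches(e, field, op, value)]


if __name__ == "__main__":
    print(query("activity", "IN", ["user_removed_from_group", "api_token_revoked"]))
    print(query("ip address", "~", "172.*.*.*"))
```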