PPL expressions

Note

To see which AWS data source integrations support this PPL function, see Functions.

Expressions, particularly value expressions, return a scalar value. Expressions have different types and forms. For example, there are literal values as atom expressions and arithmetic, predicate and function expressions built on top of them. You can use expressions in different clauses, such as using arithmetic expressions in Filter and Stats commands.

Operators

An arithmetic expression is an expression formed by numeric literals and binary arithmetic operators as follows:

+: Add.
-: Subtract.
*: Multiply.
/: Divide (For integers, the result is an integer with the fractional part discarded)
%: Modulo (Use with integers only; the result is the remainder of the division)

Precedence

Use parentheses to control the precedence of arithmetic operators. Otherwise, operators of higher precedence are performed first.

Type conversion

Implicit type conversion is performed when looking up operator signatures. For example, an integer + a real number matches signature +(double,double) which results in a real number. This rule also applies to function calls.

Example for different type of arithmetic expressions:


os> source=accounts | where age > (25 + 5) | fields age ;
fetched rows / total rows = 3/3
+-------+
| age   |
|-------|
| 32    |
| 36    |
| 33    |
+-------+

Predicate operators

A predicate operator is an expression that evaluates to be true. The MISSING and NULL value comparison follow these rules:

A MISSING value only equals a MISSING value and is less than other values.
A NULL value equals a NULL value, is larger than a MISSING value, but is less than all other values.

Operators

Predicate operators
Name	Description
`>`	Greater than operator
>=	Greater than or equal operator
`<`	Less than operator
`!=`	Not equal operator
`<=`	Less than or equal operator
`=`	Equal operator
`LIKE`	Simple pattern matching
`IN`	NULL value test
`AND`	AND operator
`OR`	OR operator
`XOR`	XOR operator
`NOT`	NOT NULL value test

You can compare datetimes. When comparing different datetime types (for example DATE and TIME), both convert to DATETIME. The following rules apply to conversion:

TIME applies to today's date.
DATE is interpreted at midnight.

Basic predicate operator

Example for comparison operators:


os> source=accounts | where age > 33 | fields age ;
fetched rows / total rows = 1/1
+-------+
| age   |
|-------|
| 36    |
+-------+

`IN`

Example of the IN operator test field in value lists:


os> source=accounts | where age in (32, 33) | fields age ;
fetched rows / total rows = 2/2
+-------+
| age   |
|-------|
| 32    |
| 33    |
+-------+

`OR`

Example of the OR operator:


os> source=accounts | where age = 32 OR age = 33 | fields age ;
fetched rows / total rows = 2/2
+-------+
| age   |
|-------|
| 32    |
| 33    |
+-------+

`NOT`

Example of the NOT operator:


os> source=accounts | where age not in (32, 33) | fields age ;
fetched rows / total rows = 2/2
+-------+
| age   |
|-------|
| 36    |
| 28    |
+-------+

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions