Operators
The Zeek scripting language supports the following operators. Note that each data type only supports a subset of these operators. For more details, see the documentation about the data types.
Relational operators
The relational operators evaluate to type bool
.
In addition to numeric operands, the relational operators also work with
operands of type interval
, time
, string
,
port
, addr
, and set
.
Name |
Syntax |
---|---|
Equality |
|
Inquality |
|
Less than |
|
Less than or equal |
|
Greater than |
|
Greater than or equal |
|
Logical operators
The logical operators require operands of type bool
, and
evaluate to type bool
.
Name |
Syntax |
---|---|
Logical AND |
|
Logical OR |
|
Logical NOT |
|
Arithmetic operators
Name |
Syntax |
Notes |
---|---|---|
Addition |
|
For |
Subtraction |
|
|
Multiplication |
|
|
Division |
|
For |
Modulo |
|
Operand types cannot be |
Unary plus |
|
|
Unary minus |
|
|
Pre-increment |
|
Operand type cannot be |
Pre-decrement |
|
Operand type cannot be |
Absolute value |
|
If operand is |
Bitwise operators
The bitwise operators work with operands of type count
or vector
of count
. The bitwise shift operators can also work with int
.
The bitwise complement operator works with count
only.
Name |
Syntax |
---|---|
Bitwise AND |
|
Bitwise OR |
|
Bitwise XOR |
|
Bitwise left shift |
|
Bitwise right shift |
|
Bitwise complement |
|
Set operators
Name |
Syntax |
---|---|
Set intersection |
|
Set union |
|
Set difference |
|
Assignment operators
The assignment operators evaluate to the result of the assignment.
Name |
Syntax |
---|---|
Assignment |
|
Addition assignment (more generally, “add to”) |
|
Subtraction assignment (more generally, “remove from”) |
|
Along with simple arithmetic, the +=
operator supports adding elements to
table
,
set
,
vector
, and
pattern
values, providing the righthand operand (RHS) has the same type.
For table
and set
values,
each of the RHS elements are added to the
table or set. For vector
, the RHS elements are appended to
the end of the vector. For pattern
values, the pattern is
modified to include the RHS pattern as an alterantive (regular expression |
operator).
The -=
operator provides analogous functionality for table
and set
types, removing from the lefthand operand any elements
it has in common with the RHS value. (Note that for tables, only the
indices are used; if the RHS value has an index in common with the lefthand
operand’s value, it’s removed even if the “yield” values differ.)
For all assignment operators, you can specify a comma-separated list of
values within braces ({
… }
). These are treated as constructor
arguments to create a corresponding table
, set
,
or vector
value, with the type of constructor taken from
the lefthand operand. For example:
local t: table[count, string] of double;
...
t += { [3, "three"] = 3.0, [9, "nine"] = 9.0 };
will add those two elements to the table t
. For table
and set
constructors, you can embed lists in the constructor
arguments to produce a cross-product expansion. For example:
local t: table[count, string] of double;
...
t += { [[3, 4], ["three", "four"]] = 3.0, [9, "nine"] = 9.0 };
results in t
having five elements:
[3, three] = 3.0
[3, four] = 3.0
[4, three] = 3.0
[4, four] = 3.0
[9, nine] = 9.0
Finally, you can also use the +=
operator to
append an element to the end of a
vector. For example, v += e
is equivalent to v[|v|] = e
,
providing that e
’s type corresponds to that of one of v
’s elements.
Record field operators
The record field operators take a record
as the first operand,
and a field name as the second operand. For both operators, the specified
field name must be in the declaration of the record type.
Name |
Syntax |
Notes |
---|---|---|
Field access |
|
|
Field value existence test |
|
Evaluates to type |
Pattern operators
In the table below, p
is a pattern, and s
is a string.
Name |
Syntax |
Notes |
---|---|---|
Exact matching |
|
Evaluates to a boolean, indicating if the entire string exactly matches the pattern. |
Embedded matching |
|
Evaluates to a boolean, indicating if pattern is found somewhere in the string. |
Conjunction |
|
Evaluates to a pattern that represents matching |
Disjunction |
|
Evaluates to a pattern that represents matching |
Type casting
The as
operator performs type casting and the is
operator checks if a
type cast is supported or not. For both operators, the first operand is a
value and the second operand is the name of a Zeek script type (either built-in
or user-defined).
Name |
Syntax |
Notes |
---|---|---|
Type cast |
|
Cast value |
Check if a cast is supported |
|
Evaluates to |
Only the following kinds of type casts are supported currently:
Broker values (i.e.,
Broker::Data
values returned from functions such asBroker::data
) can be cast to their corresponding Zeek script types.A value of declared type
any
can be cast to its actual underlying type.All values can be cast to their declared types (i.e., this is a no-op).
The function in this example tries to cast a value to a string:
function example(a: any)
{
local s: string;
if ( a is string )
s = (a as string);
}
Other operators
Name |
Syntax |
Notes |
---|---|---|
Membership test |
|
Evaluates to type |
Non-membership test |
|
This is the logical NOT of the |
Table or vector element access |
|
This operator can also be used with a |
Substring extraction |
|
See the |
Create a deep copy |
|
This is relevant only for data types that are assigned by reference, such
as |
Module namespace access |
|
The first operand is the module name, and the second operand is an identifier that refers to a global variable, enumeration constant, or user-defined type that was exported from the module. |
Conditional |
|
The first operand must evaluate to type |