Conditional Statements

This table offers sample conditional expressions you can create using various operators, event fields, and data types.

Data Types in Conditional Statements
ArcSight Data Types	Description
Number or Integer, including MAC Address	Using numeric (integer) fields, you can specify operators including `=`, `!=`, `<`, `<=`, `>=`, `>`, and In to specify a numeric comparison expression, for example: `CustomNumber1 = 50`. To use `In`, you can specify any number of comma-separated values to match (or equal). Use the above operators for MAC addresses, for example: `Attacker Mac Address !=` <Mac address>
String	Using string fields, you can specify operators including `=`, `!=`, and `In`, `Contains`, `Matches`, `Starts With`, `Ends With`, and `Like` to define a string comparison expression. For example: `ArcSightCategory StartsWith /Attack or ArcSightCategory = /AttackSuccess`
DateTime	Using DateTime fields, you can specify operators including `=`, `!=`, `Between`, `In`, and `On` to specify a datetime comparison expression. For example: `DetectTime Between 4/1/03 11:30:01AM, 4/1/03 4:30:01PM`. You can enter DateTime values directly or click the ellipsis (...) button to select a date from a pop-up calendar or a special date keyword list. Special date keywords you can use are: `Now`, `1 or 2 hours ago`, `1 or 2 days ago`, `1 or 2 weeks ago`, or a replay start and end time. You can also use special system variables such as: `$CurrentDateTime`: for the date and time the report is run; the system variable is replaced by the current date and time value. `$CurrentDate`: for the date the report is run; the system variable is replaced with the date value, truncating the time of the day to 0, when the report is scheduled or run. You can specify certain date operations with these system variables to add or subtract a number of specified days or hours. For example, you could type: `$CurrentDate - 7d` for seven days before the date the report is run, the condition evaluates to a date which is the current date minus seven days, or `$CurrentDateTime - 12h`, which evaluates to the current date time minus 12 hours.
IP Address	Using IP address fields, you can specify operators including `=`, `!=`, `In`, `InSubnet`, and `Between` to specify an IP comparison expression. For example: `TargetAddress = 192.0.2.0`. With the `In` operator, you can also specify a comma-separated list of IP addresses to match. With `InSubnet`, you can specify an address range. For IP address range formats, see IP Address Ranges. Caution: For the `InSubnet` operator, do not mix IPv4 and IPv6 addresses within the same IP address range.

These same rules apply to the conditions editor used in defining rules, creating conditional reports, and filters.

Tip: Using variables

You can use all of the dynamic time parameters you see in the Active Channel Editor and elsewhere, such as $Now and $CurrentDateTime. The same is true for time elements, including s (second), m (minute), d (date), M (month), w (week), and y (year). To use any event data field as a variable, express its displayed name as a one-word, camel case string prefixed with a dollar sign; for example, "Source Address" is $sourceAddress. See the complete discussion in the topic Variables.