between

The between operator returns events that fall within an inclusive range of numeric, datetime, or timespan values. Use between when you want a compact, readable alternative to chained comparison expressions such as:

expr >= left AND expr <= right.

You’ll typically use between with the where operator.

Syntax

betweenExpression: (BANG?) BETWEEN OPEN_PAREN leftRange RANGE rightRange CLOSE_PAREN;

leftRange: numericLiteral | stringLiteral | datetimeExpression;

rightRange: numericLiteral | stringLiteral | datetimeExpression | timespanLiteral;

Arguments

  • Scope: The set of events being filtered, usually produced by a Dataset selection such as dataset="cribl_search_sample" or another upstream operator.
  • Expr: A scalar expression to evaluate for each event. Supported types: numeric, decimal, double, int, long, real, datetime, or timespan.
  • LeftRange: A scalar expression of the same type as Expr, specifying the inclusive lower bound of the range.
  • RightRange: A scalar expression specifying the inclusive upper bound of the range. Supported types: the same type as Expr (numeric, datetime, or timespan), or a timespan, but only when Expr and LeftRange are both datetime values (for example, StartTime between (datetime(2025-01-01) .. 3d)).
  • Bang (!): When present (as !between), inverts the condition so that events are kept only when Expr is outside the [LeftRange .. RightRange] interval.

Behavior

  • Inclusive bounds: Expr between (LeftRange .. RightRange) is equivalent to Expr >= LeftRange and Expr <= RightRange. Events where Expr equals either endpoint are included in the results.
  • Supported types:
    • Numeric: int, long, real/double/decimal
    • Temporal: a datetime checked against a datetime .. datetime range, or a datetime checked against a datetime .. timespan range (for example, “start at this date, for 3 days”).
  • Logical negation: To exclude a range, prefix between with !:
    | where (Expr !between (LeftRange .. RightRange))

Examples

Numeric Range Filter

Filter data where the event field falls between 10 and 50 (inclusive):

dataset="$vt_dummy" field< 100
| where event between (10 .. 50)

Equivalent explicit comparison:

dataset="$vt_dummy" field< 100
| where event >= 10 and event <= 50

Datetime Range Filter

Return internal logs with _time in a specific date range:

dataset="cribl_internal_logs"
| where _time between (
    datetime(2025-01-01T00:00:00Z)
    ..
    datetime(2025-01-02T00:00:00Z)
)

Datetime Plus Timespan

Filter events starting on or after a given date and within a 3-day window:

dataset="cribl_internal_logs"
| where _time between (
    datetime(2025-01-01T00:00:00Z)
    ..
    3d
)

In this pattern:

  • _time is datetime.
  • The left bound is datetime.
  • The right bound is a timespan (3d), which is allowed when both _time and the left bound are datetime values.
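
The inclusive bounds and the datetime-plus-timespan rule described above, modeled in Python as an added example (this is not Cribl's implementation or code from this page). The function names and sample timestamps are constructed for illustration, and the model assumes a timespan right bound resolves to the left bound plus the timespan. It shows that tiling adjacent windows with between counts an event sitting exactly on a shared boundary in both windows.

```python
from datetime import datetime, timedelta, timezone

def between(value, left, right, negate=False):
    """Model of the documented semantics: both endpoints are inclusive.
    A timespan right bound with a datetime left bound means left + span."""
    if isinstance(left, datetime) and isinstance(right, timedelta):
        right = left + right
    inside = left <= value <= right
    return not inside if negate else inside

def tile_inclusive(events, start, span, windows):
    """Count events per consecutive window written as between (lo .. span)."""
    return [sum(between(t, start + i * span, span) for t in events)
            for i in range(windows)]

def tile_half_open(events, start, span, windows):
    """Same windows as explicit comparisons: t >= lo and t < lo + span."""
    return [sum(start + i * span <= t < start + (i + 1) * span for t in events)
            for i in range(windows)]

def utc(day, hour=0, minute=0):
    """Helper for building the constructed January 2025 sample timestamps."""
    return datetime(2025, 1, day, hour, minute, tzinfo=timezone.utc)

# Constructed sample timestamps (not real log data).
EVENTS = [
    utc(1),          # exactly on the first lower bound
    utc(1, 13, 45),
    utc(2),          # exactly on the boundary shared by both windows
    utc(2, 8),
    utc(3),          # exactly on the last upper bound
]
START, DAY = utc(1), timedelta(days=1)

if __name__ == "__main__":
    print("between tiling:  ", tile_inclusive(EVENTS, START, DAY, 2))
    print("half-open tiling:", tile_half_open(EVENTS, START, DAY, 2))
    print("outside window 1:", [t.isoformat() for t in EVENTS
                                if between(t, START, DAY, negate=True)])
```

When per-window counts must add up to the total number of events, write the upper bound as an explicit < comparison instead of using between.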