Operators

The Zeek scripting language supports the following operators. Note that each data type only supports a subset of these operators. For more details, see the documentation about the data types.

Relational operators

The relational operators evaluate to type bool.

In addition to numeric operands, the relational operators also work with operands of type interval, time, string, port, addr, and set.

Name	Syntax
Equality	`a == b`
Inquality	`a != b`
Less than	`a < b`
Less than or equal	`a <= b`
Greater than	`a > b`
Greater than or equal	`a >= b`

Logical operators

The logical operators require operands of type bool, and evaluate to type bool.

Name	Syntax
Logical AND	`a && b`
Logical OR	`a \|\| b`
Logical NOT	`! a`

Arithmetic operators

Name	Syntax	Notes
Addition	`a + b`	For `string` operands, this performs string concatenation.
Subtraction	`a - b`
Multiplication	`a * b`
Division	`a / b`	For `int` or `count` operands, the fractional part of the result is dropped.
Remainder	`a % b`	Operand types cannot be `double`. This is remainder, not `modulo`, which behaves differently for negative numbers.
Unary plus	`+a`
Unary minus	`-a`
Pre-increment	`++a`	Operand type cannot be `double`.
Pre-decrement	`--a`	Operand type cannot be `double`.
Absolute value	`\|a\|`	If operand is `string`, `set`, `table`, or `vector`, this evaluates to number of elements.

Bitwise operators

The bitwise operators work with operands of type count or vector of count. The bitwise shift operators can also work with int. The bitwise complement operator works with count only.

Name	Syntax
Bitwise AND	`a & b`
Bitwise OR	`a \| b`
Bitwise XOR	`a ^ b`
Bitwise left shift	`a << b`
Bitwise right shift	`a >> b`
Bitwise complement	`~a`

Set operators

Name	Syntax
Set intersection	`s1 & s2`
Set union	`s1 \| s2`
Set difference	`s1 - s2`

Assignment operators

The assignment operators evaluate to the result of the assignment.

Name	Syntax
Assignment	`a = b`
Addition assignment (more generally, “add to”)	`a += b`
Subtraction assignment (more generally, “remove from”)	`a -= b`

Along with simple arithmetic, the += operator supports adding elements to table, set, vector, and pattern values, providing the righthand operand (RHS) has the same type. For table and set values, each of the RHS elements are added to the table or set. For vector, the RHS elements are appended to the end of the vector. For pattern values, the pattern is modified to include the RHS pattern as an alternative (regular expression | operator).

The -= operator provides analogous functionality for table and set types, removing from the lefthand operand any elements it has in common with the RHS value. (Note that for tables, only the indices are used; if the RHS value has an index in common with the lefthand operand’s value, it’s removed even if the “yield” values differ.)

For all assignment operators, you can specify a comma-separated list of values within braces ({ … }). These are treated as constructor arguments to create a corresponding table, set, or vector value, with the type of constructor taken from the lefthand operand. For example:

local t: table[count, string] of double;
...
t += { [3, "three"] = 3.0, [9, "nine"] = 9.0 };

will add those two elements to the table t. For table and set constructors, you can embed lists in the constructor arguments to produce a cross-product expansion. For example:

local t: table[count, string] of double;
...
t += { [[3, 4], ["three", "four"]] = 3.0, [9, "nine"] = 9.0 };

results in t having five elements:

[3, three] = 3.0
[3, four] = 3.0
[4, three] = 3.0
[4, four] = 3.0
[9, nine] = 9.0

Finally, you can also use the += operator to append an element to the end of a vector. For example, v += e is equivalent to v[|v|] = e, providing that e’s type corresponds to that of one of v’s elements.

Record field operators

The record field operators take a record as the first operand, and a field name as the second operand. For both operators, the specified field name must be in the declaration of the record type.

Name	Syntax	Notes
Field access	`a$b`
Field value existence test	`a?$b`	Evaluates to type `bool`. True if the specified field has been assigned a value, or false if not.

Pattern operators

In the table below, p is a pattern, and s is a string.

Name	Syntax	Notes
Exact matching	`p == s`	Evaluates to a boolean, indicating if the entire string exactly matches the pattern.
Embedded matching	`p in s`	Evaluates to a boolean, indicating if pattern is found somewhere in the string.
Conjunction	`p1 & p2`	Evaluates to a pattern that represents matching `p1` followed by `p2`.
Disjunction	`p1 \| p2`	Evaluates to a pattern that represents matching `p1` or `p2`.

Type casting

The as operator performs type casting and the ?as operator checks if a type cast is supported or not. In addition, you can check for the underlying type of a value of nominal type any using the is operator. For all three operators, the first operand is a value and the second operand is the name of a Zeek script type (either built-in or user-defined).

Name	Syntax	Notes
Type cast	`v as t`	Cast value `v` into type `t`. Evaluates to the value as cast to the specified type. If this is not a supported cast, then a runtime error is triggered.
Check if a cast is supported	`v ?as t`	Evaluates to `bool`. If true, then the conversion `v as t` will succeed.
Check the underlying type of an `any` value:	`v is t`	Evaluates to `bool`. If true, then `v as t` will always succeed.

Zeek supports the following type casts:

All values can be cast to their declared types (i.e., this is a no-op).
A value of declared type any can be cast to its actual underlying type.
string types can be cast to double, int, count, addr, subnet, or port.
int can be cast to double or count.
count can be cast to double, int, or addr.
port can be cast to count.
double can be cast to time, interval, int, or count. Note that the conversions to integral values use round-to-nearest (with ties broken using round-to-even), so 42.7 as count evaluates to 43, 42.5 as count evaluates to 42, and 43.5 as count evaluates to 44.
enum can be cast to int or count.
interval and time can be cast to double (but not directly to each other).
addr can be cast to subnet.
subnet can be cast to addr or count (for this last, see subnet_width).
set and vector values can be converted into each other, with the following limitations: (1) A set being converted into a vector can only have a single index type. Converting a set with multiple index types will return an error. (2) The set and vector types must have the same internal type.
Broker values (i.e., Broker::Data values returned from functions such as Broker::data) can be cast to their corresponding Zeek script types.

Some of the above conversions only succeed if the value is well-formed. For example, to convert a string value to an addr, the string must reflect a dotted-quad for an IPv4 address, or a hexadecimal-colon sequence for an IPv6 address.

The function in this example converts a set to a vector:

function example()
    {
    local s = set(1, 2, 3);
    local v = s as vector of count;
    }

The function in this example casts an any value to its underlying string if that is indeed its underlying type:

function example(a: any)
    {
    local s: string;

    if ( a is string )
        s = a as string;
    }

This similar code block will convert the any to an integer if its underlying value is a type (not necessarily an integer) that can be safely converted to an integer:

function example(a: any)
    {
    local i: int;

    if ( a ?as int )
        i = a as int;
    }

This final example will convert c to an integer providing c’s value does not exceed the maximum value that an int can hold:

function example(c: count)
    {
    local i: int;

    if ( c ?as int )
        i = c as int;
    }

Other operators

Name	Syntax	Notes
Membership test	`a in b`	Evaluates to type `bool`. Works with `string`, `pattern`, `subnet`, `set`, `table`, or `vector` operands. Do not confuse this use of `in` with that used in a `for` statement.
Non-membership test	`a !in b`	This is the logical NOT of the `in` operator. For example: `a !in b` is equivalent to `!(a in b)`.
Table or vector element access	`a[b]`	This operator can also be used with a `set`, but only with the `add` or `delete` statement.
Substring extraction	`a[b:c]`	See the `string` type for more details.
Create a deep copy	`copy(a)`	This is relevant only for data types that are assigned by reference, such as `vector`, `set`, `table`, and `record`.
Module namespace access	`a::b`	The first operand is the module name, and the second operand is an identifier that refers to a global variable, enumeration constant, or user-defined type that was exported from the module.
Conditional	`a ? b : c`	The first operand must evaluate to type `bool`. If true, then the second expression is evaluated and is the result of the entire expression. Otherwise, the third expression is evaluated and is the result of the entire expression. The types of the second and third operands must be compatible. Known as the ternary operator.