Operators

The Zeek scripting language supports the following operators. Note that each data type only supports a subset of these operators. For more details, see the documentation about the data types.

Relational operators

The relational operators evaluate to type bool.

In addition to numeric operands, the relational operators also work with operands of type interval, time, string, port, addr, and set.

Name

Syntax

Equality

a == b

Inquality

a != b

Less than

a < b

Less than or equal

a <= b

Greater than

a > b

Greater than or equal

a >= b

Logical operators

The logical operators require operands of type bool, and evaluate to type bool.

Name

Syntax

Logical AND

a && b

Logical OR

a || b

Logical NOT

! a

Arithmetic operators

Name

Syntax

Notes

Addition

a + b

For string operands, this performs string concatenation.

Subtraction

a - b

Multiplication

a * b

Division

a / b

For int or count operands, the fractional part of the result is dropped.

Modulo

a % b

Operand types cannot be double.

Unary plus

+a

Unary minus

-a

Pre-increment

++a

Operand type cannot be double.

Pre-decrement

--a

Operand type cannot be double.

Absolute value

|a|

If operand is string, set, table, or vector, this evaluates to number of elements.

Bitwise operators

The bitwise operators work with operands of type count or vector of count, but the bitwise complement operator works with count only.

Name

Syntax

Bitwise AND

a & b

Bitwise OR

a | b

Bitwise XOR

a ^ b

Bitwise complement

~a

Set operators

Name

Syntax

Set intersection

s1 & s2

Set union

s1 | s2

Set difference

s1 - s2

Assignment operators

The assignment operators evaluate to the result of the assignment.

The += operator can also be used to append an element to the end of a vector. For example, v += e is equivalent to v[|v|] = e.

Name

Syntax

Assignment

a = b

Addition assignment

a += b

Subtraction assignment

a -= b

Record field operators

The record field operators take a record as the first operand, and a field name as the second operand. For both operators, the specified field name must be in the declaration of the record type.

Name

Syntax

Notes

Field access

a$b

Field value existence test

a?$b

Evaluates to type bool. True if the specified field has been assigned a value, or if not.

Pattern operators

In the table below, p is a pattern, and s is a string.

Name

Syntax

Notes

Exact matching

p == s

Evaluates to a boolean, indicating if the entire string exactly matches the pattern.

Embedded matching

p in s

Evaluates to a boolean, indicating if pattern is found somewhere in the string.

Conjunction

p1 & p2

Evaluates to a pattern that represents matching p1 followed by p2.

Disjunction

p1 | p2

Evaluates to a pattern that represents matching p1 or p2.

Type casting

The as operator performs type casting and the is operator checks if a type cast is supported or not. For both operators, the first operand is a value and the second operand is the name of a Zeek script type (either built-in or user-defined).

Name

Syntax

Notes

Type cast

v as t

Cast value v into type t. Evaluates to the value as cast to the specified type. If this is not a supported cast, then a runtime error is triggered.

Check if a cast is supported

v is t

Evaluates to bool. If true, then v as t would succeed.

Only the following kinds of type casts are supported currently:

  • Broker values (i.e., Broker::Data values returned from functions such as Broker::data) can be cast to their corresponding Zeek script types.

  • A value of declared type any can be cast to its actual underlying type.

  • All values can be cast to their declared types (i.e., this is a no-op).

The function in this example tries to cast a value to a string:

function example(a: any)
    {
    local s: string;

    if ( a is string )
        s = (a as string);
    }

Other operators

Name

Syntax

Notes

Membership test

a in b

Evaluates to type bool. Works with string, pattern, subnet, set, table, or vector operands. Do not confuse this use of in with that used in a for statement.

Non-membership test

a !in b

This is the logical NOT of the in operator. For example: a !in b is equivalent to !(a in b).

Table or vector element access

a[b]

This operator can also be used with a set, but only with the add or delete statement.

Substring extraction

a[b:c]

See the string type for more details.

Create a deep copy

copy(a)

This is relevant only for data types that are assigned by reference, such as vector, set, table, and record.

Module namespace access

a::b

The first operand is the module name, and the second operand is an identifier that refers to a global variable, enumeration constant, or user-defined type that was exported from the module.

Conditional

a ? b : c

The first operand must evaluate to type bool. If true, then the second expression is evaluated and is the result of the entire expression. Otherwise, the third expression is evaluated and is the result of the entire expression. The types of the second and third operands must be compatible. Known as the ternary operator.