Sumo Logic

filter operator

Use the filter operator to filter the output of a search based on the filtering criteria of a child query. The filter operator keeps only the records that match the filter criteria, allowing you to restrict search results to the most relevant information.

Syntax

"filter" <fieldname>+ in (<child_query>)
<child_query> ::= (non data-retrieval Sumo query)
<fieldname> ::= (name of a field)

Caveats

  • The filter operator must follow an aggregate operator.
  • Every field named in the filter must be present in the output fields of the child query.
  • The compare operator and the filter operator are not supported inside the child query.
  • The filter operator can be used instead of the where operator.

Limitations

The filter operator can process up to 100,000 data points for a single query. It automatically drops the data points that exceed the limit and issues a warning.

Examples

Show all source hosts with outlier violations

_sourceCategory=HttpServers
| timeslice 1m
| count by _timeslice, _sourceHost
| filter _sourcehost in (outlier _count by _sourceHost | where _count_violation > 0)
| transpose row _timeslice column _sourcehost

Show top two source hosts with the most messages

_sourceCategory=HttpServers
| timeslice 1m
| count by _timeslice, _sourceHost
| filter _sourcehost in (sum(_count) by _sourceHost | top 2 _sourceHost by _sum)
| transpose row _timeslice column _sourcehost

Show top three source hosts with most outlier violations

_sourceCategory=HttpServers
| timeslice 1m
| count by _timeslice, _sourceHost
| filter _sourcehost in (outlier _count by _sourceHost | sum(_count_violation) by _sourcehost | top 3 _sourceHost by _sum)
| transpose row _timeslice column _sourcehost
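To make the semantics of the second example concrete, the Python below is an added illustration (not Sumo Logic code and not part of this page) that emulates "filter _sourceHost in (sum(_count) by _sourceHost | top 2 _sourceHost by _sum)" over a constructed set of aggregate rows. It also models the two rules the page states: the filter fields must exist in the child query output, and input beyond 100,000 data points is dropped with a warning. The row layout, the host names and the helper names are assumptions made for the example.

```python
from collections import Counter
import warnings

# Limit stated on the page: rows past this count are dropped and a warning is issued.
MAX_DATA_POINTS = 100_000

# Constructed sample: what `count by _timeslice, _sourceHost` might emit for two 1m slices.
AGG_ROWS = [
    {"_timeslice": "10:00", "_sourceHost": "web-1", "_count": 120},
    {"_timeslice": "10:00", "_sourceHost": "web-2", "_count": 80},
    {"_timeslice": "10:00", "_sourceHost": "web-3", "_count": 5},
    {"_timeslice": "10:01", "_sourceHost": "web-1", "_count": 90},
    {"_timeslice": "10:01", "_sourceHost": "web-2", "_count": 110},
    {"_timeslice": "10:01", "_sourceHost": "web-3", "_count": 7},
]


def top_hosts_by_sum(rows, n):
    """Child query: `sum(_count) by _sourceHost | top n _sourceHost by _sum`.
    Runs over the parent's aggregate output and returns rows with _sourceHost and _sum."""
    totals = Counter()
    for r in rows:
        totals[r["_sourceHost"]] += r["_count"]
    return [{"_sourceHost": host, "_sum": total} for host, total in totals.most_common(n)]


def filter_in(rows, fields, child_rows):
    """Emulate `filter <fields> in (child)`: keep parent rows whose field tuple
    appears in the child query output. Enforces the page's caveat that every
    filter field must be an output field of the child query, and the
    100,000 data point limit (excess rows dropped with a warning)."""
    if len(rows) > MAX_DATA_POINTS:
        warnings.warn(f"filter: dropping {len(rows) - MAX_DATA_POINTS} rows over the limit")
        rows = rows[:MAX_DATA_POINTS]
    for f in fields:
        if any(f not in c for c in child_rows):
            raise ValueError(f"field {f!r} is not in the child query output")
    keep = {tuple(c[f] for f in fields) for c in child_rows}
    return [r for r in rows if tuple(r[f] for f in fields) in keep]


def example_top_two():
    """The page's second example: restrict per-timeslice counts to the top two hosts."""
    return filter_in(AGG_ROWS, ["_sourceHost"], top_hosts_by_sum(AGG_ROWS, 2))


if __name__ == "__main__":
    for row in example_top_two():
        print(row)
```

Note that the child query sees only the aggregate rows produced upstream, which is why the page requires filter to follow an aggregate operator.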