where

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Use the where operator to filter if a Boolean field is true or false. For example, using the boolean field "valid":

Filter to keep true: | where valid
Filter to keep false: | where !valid

To filter results in a search query, use "where" as a conditional operator. The where operator must appear as a separate operator distinct from other operators, delimited by the pipe symbol ("|"). In other words, the following construct will not work and will generate a syntax error:

This query will NOT work:

...| parse "seconds=*;" as time where > 5

Instead, separate the where operator from the preceding parse operator like this:

...| parse "seconds=*;" as time | where time > 5

Syntax

... | where <boolean expression> | ...

Rules

The pipe delimiter is required to separate the where operator as a distinct query operator.
The where operator cannot be used inline as a query clause, like "... | extract a where b==something |..."
Multiple where operators are processed in the order they are specified, with each subsequent where operator further filtering results.
Keyword expressions can be used in the boolean expression, such as OR and AND.
If defining a built-in metadata field value in the boolean expression you need to quote the value. If it's not wrapped in quotes the value is interpreted as a field name.
If you are using in or not in to match integers, cast "x" to a number first.
The matches operator can be used in the boolean expression. You can use an RE2 compliant regular expression or use asterisks * as wildcards.
Any operator that returns a boolean value can be used in the boolean expression. Such as compareCIDRPrefix, contains, in, isBlank, isEmpty, isNull, isNumeric, isPrivateIP, isPublicIP, isValidIP, and math expressions.

Examples

... | where a<b
... | where a=x
... | where a>=x
... | where a<=x
... | where a<x
... | where x<10
... | where (x >=10 and x <=20)
... | where x="some string"
... | where _sourceCategory="xyz"
... | where error="fail*"
... | where user<>"root"
... | where x matches "some string"
... | where x matches "fail*"
... | where x matches /regex/
... | where !(x matches /regex/)
... | num(x) | where x in (4, 3, 5)
... | where x in ("error", "fail")
... | where x not in ("error", "fail")
... | where x matches "Android" or x matches "iPhone" or x matches "iPad"

Using the "not" option

If you need a query using the where operator, where xxx DOES NOT match yyy, use "!" followed by the matches operator enclosed in parenthesis.

For example:

...| where !(<field xxx> matches "<value yyy>") | ...

or:

...| where !(status matches "200")

Use where to check for null values

For details, see isNull operator.