where

Syntax

• ... | where <boolean expression> | ...

Rules

• The pipe delimiter is required to separate the where operator as a distinct query operator.
• The where operator cannot be used inline as a query clause, like "... | extract a where b==something |...."
• Multiple where-expressions are processed in the order they are specified, with each subsequent where operator further filtering results.
• You can use other operators within the where statement after the pipe, such as OR and AND.
• If you are using in or not in to match integers, cast "x" to a number first.
• The matches operator can be used in the boolean expression. You can use an RE2 compliant regular expression or use asterisks * as wildcards.

Examples

• ... | where a<b 
• ... | where a=x
• ... | where a>=x
• ... | where a<=x
• ... | where a<x
• ... | where x<10
• ... | where x="some string"
• ... | where error="fail*"
• ... | where user<>"root"
• ... | where x matches "some string"
• ... | where x matches "fail*"
• ... | where x matches /regex/
• ... | where !(x matches /regex/)
• ... | num(x) | where x in (4, 3, 5) 
• ... | where x in ("error", "fail")
• ... | where x not in ("error", "fail")
• ... | where x matches "Android" or x matches "iPhone" or x matches "iPad"

Using the "not" option

If you need a query using the where operator, where xxx DOES NOT match yyy, use "!" followed by the matches operator enclosed in parenthesis.

For example:

...| where !(<field xxx> matches "<value yyy>") | ...

or:

...| where !(status matches "200")

Use where to check for null values

For details, see isNull operator.