
2.2 You want to filter results to show only certain messages

Problem

Your keyword search is still too broad; only certain messages are of interest.

Solution

Use the where operator to filter the results of a search. For example, to find URLs containing "search," use:

* | parse "GET * " as url
| where url matches "*search*"

Discussion

The where operator selects log messages that meet specific criteria. In the example, the "*" operator matches all log messages. The parse operator, described in more detail in the next section, extracts a url from each log message. To focus only on the messages we want, we use the where operator and the Boolean expression url matches "*search*". Only log messages for which the Boolean expression is true—that is, the extracted url includes search—will appear in the results.
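The following Python sketch models the query above stage by stage so you can see which messages survive each step. It is an added example, not Sumo Logic's implementation or code from the original page; the log lines are constructed, the function names are hypothetical, and it assumes that messages in which the parse anchor is not found are dropped.

```python
import re

# Constructed sample access-log lines (not from the original page).
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.9 - - [12/Mar/2024:10:01:04 +0000] "POST /search HTTP/1.1" 200 87',
    '10.0.0.7 - - [12/Mar/2024:10:01:05 +0000] "GET /api/v1/research/list HTTP/1.1" 404 0',
]

def parse_anchor(message, pattern):
    """Model of: parse "<pattern>" as <field>, for a pattern with one "*".
    Returns the text between the literal anchors, or None if they are absent."""
    before, after = pattern.split("*", 1)
    rx = re.escape(before) + "(.*?)" + re.escape(after)
    m = re.search(rx, message)
    return m.group(1) if m else None

def wildcard_match(value, pattern):
    """Model of: <field> matches "<pattern>", where "*" is any run of characters."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value, re.DOTALL) is not None

def run_query(messages, anchor="GET * ", wildcard="*search*"):
    """Model of: * | parse "GET * " as url | where url matches "*search*"."""
    results = []
    for msg in messages:                  # "*" keeps every message
        url = parse_anchor(msg, anchor)
        if url is None:                   # assumption: no anchor match, message dropped
            continue
        if wildcard_match(url, wildcard):  # where keeps rows whose expression is true
            results.append(url)
    return results

if __name__ == "__main__":
    for url in run_query(SAMPLE_LOGS):
        print(url)
```

The POST request to /search never reaches the where stage because the "GET * " anchor does not match it, while /api/v1/research/list passes because "*search*" matches any url containing that substring, including "research".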