Sumo Logic

filter operator

The filter operator can be used to filter results for an aggregate query.

Use the filter operator to filter the output of a search based on the filtering criteria of a subquery. The filter operator keeps only the records that match the filter criteria, allowing you to restrict search results to the most relevant information.

Syntax

"filter" <fieldname>+ in (<subquery>)
<subquery> ::= (non-data-retrieval Sumo query)
<fieldname> ::= (name of a field)

Caveats

  • Every field named in the filter must be present in the output fields of the subquery.
  • The compare operator and the filter operator are not supported inside the subquery.
  • The filter operator can be used in place of the where operator.

Examples

Show all source hosts with outlier violations

_sourceCategory=HttpServers | timeslice 1m | count by _timeslice, _sourceHost | filter _sourcehost in (outlier _count by _sourceHost | where _count_violation > 0) | transpose row _timeslice column _sourcehost

Show top two source hosts with the most messages

_sourceCategory=HttpServers | timeslice 1m | count by _timeslice, _sourceHost | filter _sourcehost in (sum(_count) by _sourceHost | top 2 _sourceHost by _sum) | transpose row _timeslice column _sourcehost

Show top three source hosts with most outlier violations

_sourceCategory=HttpServers | timeslice 1m | count by _timeslice, _sourceHost | filter _sourcehost in (outlier _count by _sourceHost | sum(_count_violation) by _sourcehost | top 3 _sourceHost by _sum) | transpose row _timeslice column _sourcehost
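The following query is an added example, not one of the page's own, written to show the pattern the examples above rely on: the main query builds the per-timeslice aggregate, and the subquery inside filter computes a per-host threshold over that same aggregate and returns only the field being filtered on. It assumes the HttpServers logs contain a `status=<code>` token that can be extracted with parse (the field name `status_code` and the threshold of 100 are constructed for illustration). The result is a per-minute view of HTTP 5xx responses restricted to hosts that produced more than 100 of them in the search window, a typical first cut when triaging a possible outage or abuse pattern.

```sumo
// Keep only 5xx responses, then count them per minute per host.
_sourceCategory=HttpServers
| parse "status=* " as status_code            // assumed log format
| where status_code matches "5*"
| timeslice 1m
| count by _timeslice, _sourceHost
// The subquery runs over the aggregate above; its output includes _sourceHost,
// which is the field named in the filter, as the caveats require.
| filter _sourceHost in (sum(_count) by _sourceHost | where _sum > 100)
| transpose row _timeslice column _sourceHost
```

Note that the subquery returns `_sourceHost` because `sum(_count) by _sourceHost` groups on it; if it had grouped on a different field, the filter would have no matching output field to compare against and the query would fail the first caveat. The threshold check uses where inside the subquery, which is allowed; compare and a nested filter are not.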

Limitation

The operator can process up to 100,000 data points in a single query. Data points beyond that limit are dropped automatically, and a warning is issued.