Skip to main content
Sumo Logic

where

Use where to filter if a Boolean field is true or false. For example, using the Boolean field "valid":

  • Filter to keep true: | where valid
  • Filter to keep false: | where !valid

To filter results in a search query, use "where" as a conditional operator. The where operator must appear as a separate operator distinct from other operators, delimited by the pipe symbol ("|"). In other words, the following construct will not work and will generate a syntax error:

This query will NOT work:

...| parse "seconds=*;" as time where > 5

Instead, separate the where operator from the preceding parse operator like this:

...| parse "seconds=*;" as time 
| where time > 5

Syntax:

  • ... | where <Boolean expression> | ...

Rules:

  • The pipe delimiter is required to separate the where operator as a distinct query operator.
  • The where operator cannot be used inline as a query clause, like "... | extract a where b==something |...."
  • * is allowed for string matching (zero or more than one character).
  • Multiple where-expressions are processed in the order they are specified, with each subsequent where operator further filtering results.
  • If you are using "in" or "not in" to match integers, cast "x" to a number first.
  • You can use other operators within the where statement after the pipe, such as OR and AND.

Examples:

  • ... | where a<b | count by _sourceHost
  • ... | where a=x
  • ... | where a>=x
  • ... | where a<=x
  • ... | where a<x
  • ... | where x="some string"
  • ... | where x matches "some string"
  • ... | where x matches "fail*"
  • ... | where x<10
  • ... | where user<>"root"
  • ... | where error="fail*"
  • ... | num(x) | where x in (4, 3, 5) 
  • ... | where x in ("error", "fail")
  • ... | where x not in ("error", "fail")
  • ... | where cs_user_agent matches "Android" or cs_user_agent matches "iPhone" or cs_user_agent matches "iPad"

Using the "not" option

If you need a query using the where operator, where xxx DOES NOT match yyy, use "!" followed by the matches operator enclosed in parenthesis.

For example:

...| where !(<field xxx> matches "<value yyy>") | ...

or:

...| where !(status matches "200")

Use where to check for null values

For details, see isNull operator.