where Search Operator
The where operator allows you to filter results based on a boolean expression.
For example, using where with the boolean operator isValidIP:
- Filters as true and returns results:
| where isValidIP("192.168.0.10")
- Filters as false and will not return results:
| where !isValidIP("192.168.0.10")
The where operator must appear as a separate operator distinct from other operators, delimited by the pipe symbol (|). In other words, the following construct will not work and will generate a syntax error:
This query will NOT work:
...| parse "seconds=*;" as time where > 5
Instead, separate the where operator from the preceding parse operator like this:
...| parse "seconds=*;" as time | where time > 5
Syntax
... | where <boolean expression> | ...
Rules
- The pipe delimiter is required to separate the where operator as a distinct query operator.
- The where operator can't be used inline as a query clause, like "... | extract a where b==something | ...".
- You must use the matches syntax with the where operator when using wildcards (*).
- Multiple where operators are processed in the order they are specified, with each subsequent where operator further filtering results.
- Keyword expressions can be used in the boolean expression, such as OR and AND.
- If defining a built-in metadata field value in the boolean expression, you need to quote the value. If it is not wrapped in quotes, the value is interpreted as a field name.
- If you're using in or not in to match integers, cast "x" to a number first.
- The matches operator can be used in the boolean expression. You can use an RE2 compliant regular expression or use asterisks (*) as wildcards.
- Any operator that returns a boolean value can be used in the boolean expression, such as compareCIDRPrefix, contains, in, isBlank, isEmpty, isNull, isNumeric, isPrivateIP, isPublicIP, isValidIP, and math expressions.
Use comparison operators to produce boolean values.
Example
... | where a<b
... | where a=x
... | where a>=x
... | where a<=x
... | where a<x
... | where x<10
... | where (x >=10 and x <=20)
... | where x="some string"
... | where _sourceCategory="xyz"
... | where user<>"root"
... | where x matches "some string"
... | where x matches "fail*"
... | where x matches /regex/
... | where !(x matches /regex/)
... | num(x) | where x in (4, 3, 5)
... | where x in ("error", "fail")
... | where x not in ("error", "fail")
... | where x matches "Android" or x matches "iPhone" or x matches "iPad"
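As an added example (not part of this documentation page), the Python below models a pipe-delimited chain of where stages over constructed access-log records so the rules above can be seen working: boolean functions, wildcard matches, in-order narrowing, and the need to cast a field with num() before matching integers with in. The functions is_valid_ip, is_private_ip, matches, where, num and run are local stand-ins written for this example, not the search platform's own code, and isPrivateIP is assumed to mean the RFC 1918 ranges.

```python
import ipaddress
import re

# Constructed sample records, shaped like the output of a parse stage.
# Every field is still a string, which is why `in` on integers needs num() first.
RECORDS = [
    {"src_ip": "203.0.113.7", "status": "401", "path": "/login"},
    {"src_ip": "10.0.0.5", "status": "401", "path": "/login"},
    {"src_ip": "203.0.113.7", "status": "200", "path": "/healthz"},
    {"src_ip": "not-an-ip", "status": "403", "path": "/admin"},
    {"src_ip": "198.51.100.23", "status": "403", "path": "/healthz/live"},
]
# Assumption: isPrivateIP means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_private_ip(value):
    return is_valid_ip(value) and any(ipaddress.ip_address(value) in n for n in RFC1918)

def matches(value, pattern):
    # "*" wildcard to an anchored regex, as in `where x matches "fail*"`.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def where(predicate):
    """One pipe-delimited `| where <boolean expression>` stage."""
    return lambda records: [r for r in records if predicate(r)]

def num(field):
    """The `| num(field)` stage: cast a string field to an integer."""
    return lambda records: [{**r, field: int(r[field])} for r in records]

def run(records, *stages):
    # Stages apply in the order given; each where narrows the previous result.
    for stage in stages:
        records = stage(records)
    return records

def public_auth_failures(records=RECORDS, cast=True):
    """Well-formed public source IPs with 401/403 on non-health-check paths."""
    stages = [where(lambda r: is_valid_ip(r["src_ip"])),
              where(lambda r: not is_private_ip(r["src_ip"]))]
    if cast:
        stages.append(num("status"))  # without this, `in (401, 403)` never matches "401"
    stages += [where(lambda r: r["status"] in (401, 403)),
               where(lambda r: not matches(r["path"], "/healthz*"))]
    return run(records, *stages)
```

Calling public_auth_failures(cast=False) returns nothing, because the string "401" is never equal to the integer 401; that is the failure the "cast to a number first" rule guards against.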
Using the "not" option
If you need a query using the where operator where xxx DOES NOT match yyy, use "!" followed by the matches operator enclosed in parentheses.
For example:
...| where !(<field xxx> matches "<value yyy>") | ...
or:
...| where !(status matches "200")
Use where to check for null values
For details, see the isNull operator.