Skip to content

where.md

Latest commit

 

History

History
154 lines (115 loc) · 4.32 KB

where.md

File metadata and controls

154 lines (115 loc) · 4.32 KB
id title sidebar_label
where
where Search Operator
where

The where operator allows you to filter results based on a boolean expression.

For example, using where with the boolean operator isValidIP:

  • Filters as true and returns results: 
    | where isValidIP("192.168.0.10")
  • Checking my PR: 
    _collector="ABC1" | where type="web"
    _collector="ABC7" | where type="web"
  • Filters as false and will not return results: 
    | where !isValidIP("192.168.0.10")

The where operator must appear as a separate operator distinct from other operators, delimited by the pipe symbol (|). In other words, the following construct will not work and will generate a syntax error:

This query will NOT work:

...| parse "seconds=*;" as time where > 5

Instead, separate the where operator from the preceding parse operator like this:

...| parse "seconds=*;" as time  | where time > 5

Syntax

... | where <boolean expression> | ...

Rules

  • The pipe delimiter is required to separate the where operator as a distinct query operator.
  • The where operator cannot be used inline as a query clause, like "... | extract a where b==something |..."
  • You must use the matches syntax with the where operator when using wildcards *.
  • Multiple where operators are processed in the order they are specified, with each subsequent where operator further filtering results.
  • Keyword expressions can be used in the boolean expression, such as OR and AND.
  • If defining a built-in metadata field value in the boolean expression you need to quote the value. If it is not wrapped in quotes the value is interpreted as a field name.
  • If you're using in or not in to match integers, cast "x" to a number first.
  • The matches operator can be used in the boolean expression. You can use an RE2 compliant regular expression or use asterisks * as wildcards.
  • Any operator that returns a boolean value can be used in the boolean expression, such as compareCIDRPrefixcontainsinisBlank, isEmpty, isNull, isNumericisPrivateIPisPublicIPisValidIP, and math expressions.

:::note Use comparison operators to produce boolean values. :::

Example

... | where a<b
... | where a=x
... | where a>=x
... | where a<=x
... | where a<x
... | where x<10
... | where (x >=10 and x <=20)
... | where x="some string"
... | where _sourceCategory="xyz"
... | where user<>"root"
... | where x matches "some string"
... | where x matches "fail*"
... | where x matches /regex/
... | where !(x matches /regex/)
... | num(x) | where x in (4, 3, 5)
... | where x in ("error", "fail")
... | where x not in ("error", "fail")
... | where x matches "Android" or x matches "iPhone" or x matches "iPad"

Using the "not" option

If you need a query using the where operator, where xxx DOES NOT match yyy, use "!" followed by the matches operator enclosed in parenthesis.

For example:

...| where !(<field xxx> matches "<value yyy>") | ...

or:

...| where !(status matches "200")

Use where to check for null values

For details, see the isNull operator.