where

Description

Performs a refining search on the retrieved data.

Syntax

where <boolean-condition> | <boolean-function> [AND | OR | NOT <boolean-condition> | <boolean-function>]

Required Arguments

Parameter	Syntax	Description
boolean-condition	<field> > | >= | == | < | <= | != <field> |<value>	Defines a comparison condition. The comparison can be specified as field <-> value or field <-> field.
boolean-function	see functions	Functions that return boolean.

List of available functions:

• cidrmatch
• in
• like
• match
• true
• false
• isbool
• isstr
• isnotnull
• isnull
• isnum

warning

When comparing with null, the result is always false. null == null results in false.

Query Examples

Example 1

... | where user == "Aleksey"

Example 2

... | where bytes >= 8749

Example 3

... | where bytes >= 8749 or ipaddr == "104.182.234.109"

Example 4

... | eval myVal=if(conn_type == "vpn", true(), false())
    | where myVal == false()