Skip to main content
Version: 5.2

where

Description

Performs a refining search on the retrieved data.

Syntax

where <boolean-condition> | <boolean-function> [AND | OR | NOT <boolean-condition> | <boolean-function>]

Required Arguments

ParameterSyntaxDescription
boolean-condition<field> > | >= | == | < | <= | != <field> |<value>Defines a comparison condition. The comparison can be specified as field <-> value or field <-> field.
boolean-functionsee functionsFunctions that return boolean.

List of available functions:

warning

When comparing with null, the result is always false. null == null results in false.

Query Examples

Example 1

Filtering events where the username user exactly matches the value Aleksey.

Example 1
... | where user == "Aleksey"

Example 2

Filtering events where the data volume bytes is greater than or equal to 8749 bytes.

Example 2
... | where bytes >= 8749

Example 3

Filtering events where the data volume bytes is greater than or equal to 8749 bytes OR the IP address ipaddr equals 104.182.234.109.

Example 3
... | where bytes >= 8749 or ipaddr == "104.182.234.109"

Example 4

Creating a boolean flag myVal to check the connection type conn_type and filtering events where the connection is not vpn.

Example 4
... | eval myVal=if(conn_type == "vpn", true(), false())
    | where myVal == false()

Example 5

Example №5
... | where (winlog.computer_name == "VLG-WEB01" or source.host != "WS-SMITH") and isnotnull(event.type)

Sample input data:

winlog.computer_namesource.hostevent.type
VLG-WEB01WS-SMITHstart
SRV-DB01WS-DAWSONchange
VLG-WEB01SRV-APP01null
SRV-WEB02WS-JONHend

The query execution result may be the following table:

winlog.computer_namesource.hostevent.type
VLG-WEB01WS-SMITHstart
SRV-WEB02WS-JONHend

Example 6

Filtering events where the HTTP response response has client or server error codes AND the destination address is within the 192.168.12.0/24 subnet. The like function uses a pattern with the % symbol to find strings starting with the specified digit. The cidrmatch function checks if the destination IP address matches the given CIDR subnet.

... | where like(response, "4%") OR like(response, "5%") AND cidrmatch("190.100.10.0/24", destination)

Sample input data:

destinationresponse
190.100.10.10200
190.100.10.2404
190.100.10.22500
10.0.0.5403
190.100.10.25503

The query execution result may be the following table:

destinationresponse
190.100.10.2404
190.100.10.22500
190.100.10.25503

Example 7

Expanding multivalue fields followed by searching and counting events for each value from the expanded fields.

In this example, the system performs sequential data processing to analyze products in orders. First, the stats command aggregates unique product values in orders into a multivalue field order_items for each event.

source orders-*
| stats values(order.items) as order_items

Then, mvexpand expands the multivalue field, creating a separate event for each product.

| mvexpand order_items

Next, the map command with the maxsearches=30 parameter executes a subquery, filtering the results by the product name item.name that matches the current order_items value.

| map maxsearches = 30 [source items-* qsize=1000 | where item.name == $order_items$]

Finally, the system aggregates the data, counting the occurrences of each product by the item.name field. The full code is shown below:

Example №7
source orders-*
| stats values(order.items) as order_items
| mvexpand order_items
| map maxsearches = 30 [source items-* qsize=1000 | where item.name == $order_items$]
| stats count by item.name

Sample input data in the orders-* source:

order.iduserorder.items
1smith["iFruit", "Binco T-Shirt"]
2dawson["Binco T-Shirt", "Crowlex"]
3wright["iFruit"]

Sample input data in the items-* source:

item.iditem.nameitem.category
1iFruitelectronics
2Binco T-Shirtclothing
3Crowlexaccessories

The query execution result may be the following table:

item.namecount
iFruit2
Binco T-Shirt2
Crowlex1