where()

where(filter) returns only the rows from the input stream that pass filter.

filter is specified using the standard query syntax.

Note: where does not use scalar functions and operators. E.g. * | where foo will match all rows that contain the string token foo, not all rows where the column foo resolves to true.

Returns

The same table as the input, minus the rows that fail to pass filter. Note that this can result in zero rows.

Examples

# Returns only servers where the greatest elapsed time is more than 10 seconds
* | stats max(elapsed_ms) as elapsed_ms by hostname | where elapsed_ms > 10000
