where()

where(filter) returns every row from the input stream except those that don't pass filter.

filter is specified using the standard query syntax.

Returns

The same table as the input, less rows that fail to pass filter. Note that this can result in zero rows.

Examples

# Returns only servers where the greatest elapsed time is at least 10 seconds
* | stats max(elapsed_ms) as elapsed_ms by hostname | where elapsed_ms > 10000

Previousvar()NextDetection Rules

Last updated 8 months ago