where
where
LogsFilter records based on a boolean expression.
| where expression | where level == "error" && duration > 1000The where command filters records based on a boolean expression. Only records where the expression evaluates to true are kept. It is commonly used to narrow down results before further processing or visualization.
Parameters
Section titled “Parameters”expression: A boolean condition using fields, operators, values, and functions. Expressions can be simple comparisons or complex logical statements.
Supported Operators
Section titled “Supported Operators”- Comparison:
==,!=,>,<,>=,<=,in(e.g.,status in ["error", "warn"]) - Logical:
&&(and),||(or),!(not) - Parentheses: Use
(and)to group expressions and control precedence.
Supported Functions
Section titled “Supported Functions”The following functions can be used in where expressions:
contains(str, substr): Returns true ifstrcontainssubstr.startsWith(str, prefix): Returns true ifstrstarts withprefix.endsWith(str, suffix): Returns true ifstrends withsuffix.match(str, regex): Returns true ifstrmatches the given regular expression.isNull(x): Returns true ifxis null or undefined.isNotNull(x): Returns true ifxis not null or undefined.
Only these functions are supported in boolean expressions for
where.
Expression Possibilities
Section titled “Expression Possibilities”- Compare fields to values:
level == "error",duration > 1000 - Combine conditions:
status == "error" && duration > 1000 - Use
infor set membership:user in ["alice", "bob"] - Negate conditions:
!(level == "info") - Use parentheses for grouping:
(status == "error" || status == "warn") && duration > 1000 - Boolean literals:
is_active == true - Use functions:
contains(user, "admin"),isNull(message)
Usage Tips
Section titled “Usage Tips”- The
wherecommand can appear anywhere in the pipeline to filter intermediate results. - Multiple
wherecommands can be chained for stepwise filtering. - Supports referencing any field present in the data.
Examples
Section titled “Examples”| where status == "error" && duration > 1000This keeps only records where status is error and duration is greater than 1000.
| where user in ["alice", "bob"]This keeps only records where the user field is either alice or bob.
| where !(level == "info")This excludes records where level is info.
| where (status == "error" || status == "warn") && duration >= 500This keeps records where status is error or warn, and duration is at least 500.
| where contains(user, "admin")This keeps records where the user field contains the substring admin.
| where match(message, `^Error:.*`)This keeps records where the message field matches the regular expression ^Error:.*.
| where isNull(optional_field)This keeps records where optional_field is null or undefined.