Where Operator

Overview

Filter data with where.

| where <boolean expression>

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": time.now(), "clientIp": "192.168.11.34", "elbStatusCode": 200, "sentBytes": 329},
  {"type": "https", "p_event_time": time.now() - 1s, "clientIp": "192.168.1.1", "elbStatusCode": 403, "sentBytes": 167},
  {"type": "https", "p_event_time": time.now() - 10m, "clientIp": "10.168.22.7", "elbStatusCode": 404, "sentBytes": 167},
  {"type": "https", "p_event_time": time.now() - 2d, "clientIp": "10.168.22.1", "elbStatusCode": 200, "sentBytes": 321}
];

Filter for data from within the previous day

Filter data based on a condition:

aws_alb
| where p_event_time > time.ago(1d)

clientIp

elbStatusCode

p_event_time

sentBytes

type

192.168.11.34

200

2024-08-12 18:55:09.673000

329

https

192.168.1.1

403

2024-08-12 18:55:08.673000

167

https

10.168.22.7

404

2024-08-12 18:45:09.673000

167

https

Filter by multiple conditions

Combine conditions with and, or and not. Optionally group expressions with () to change operator precedence:

aws_alb
| where p_event_time > time.ago(1d) and (elbStatusCode == 200 or elbStatusCode == 404)

clientIp

elbStatusCode

p_event_time

sentBytes

type

192.168.11.34

200

2024-08-12 18:56:04.784000

329

https

10.168.22.7

404

2024-08-12 18:46:04.784000

167

https

PreviousVisualize Operator NextPantherFlow Data Types

Last updated 1 month ago