Where Operator

Overview

Filter data with where.

| where <boolean expression>

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": time.now(), "clientIp": "192.168.11.34", "elbStatusCode": 200, "sentBytes": 329},
  {"type": "https", "p_event_time": time.now() - 5m, "clientIp": "192.168.1.1", "elbStatusCode": 403, "sentBytes": 167},
  {"type": "https", "p_event_time": time.now() - 10m, "clientIp": "10.168.22.7", "elbStatusCode": 404, "sentBytes": 167},
  {"type": "https", "p_event_time": time.now() - 15m, "clientIp": "10.168.22.1", "elbStatusCode": 200, "sentBytes": 321}
];

Find data from the previous day

Filter data based on a condition:

aws_alb
| where p_event_time > time.ago(1d)

clientIp	elbStatusCode	p_event_time	sentBytes	type
192.168.11.34	200	2024-08-12 18:55:09.673000	329	https
192.168.1.1	403	2024-08-12 18:50:09.673000	167	https
10.168.22.7	404	2024-08-12 18:45:09.673000	167	https
10.168.22.1	200	2024-08-12 18:40:09.673000	321	https

Example 2

Combine conditions with and, or and not. Optionally group expressions with () to change operator precedence:

aws_alb
| where p_event_time > time.ago(1d) and (elbStatusCode == 200 or elbStatusCode == 404)

clientIp	elbStatusCode	p_event_time	sentBytes	type
192.168.11.34	200	2024-08-12 18:56:04.784000	329	https
10.168.22.7	404	2024-08-12 18:46:04.784000	167	https
10.168.22.1	200	2024-08-12 18:41:04.784000	321	https

PreviousUnion Operator NextPantherFlow Data Types

Last updated 2 months ago