Where Operator

Overview

Filter data with where.

| where <boolean expression>

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": time.now(), "clientIp": "192.168.11.34", "elbStatusCode": 200, "sentBytes": 329},
  {"type": "https", "p_event_time": time.now() - 1s, "clientIp": "192.168.1.1", "elbStatusCode": 403, "sentBytes": 167},
  {"type": "https", "p_event_time": time.now() - 10m, "clientIp": "10.168.22.7", "elbStatusCode": 404, "sentBytes": 167},
  {"type": "https", "p_event_time": time.now() - 2d, "clientIp": "10.168.22.1", "elbStatusCode": 200, "sentBytes": 321}
];

Filter for data from within the previous day

Filter data based on a condition:

aws_alb
| where p_event_time > time.ago(1d)

EVENT

{ "p_event_time": "2025-03-06 15:03:11.709000", "clientIp": "192.168.11.34", "elbStatusCode": 200, "sentBytes": 329, "type": "https" }

{ "p_event_time": "2025-03-06 15:03:10.709000", "clientIp": "192.168.1.1", "elbStatusCode": 403, "sentBytes": 167, "type": "https" }

{ "p_event_time": "2025-03-06 14:53:11.709000", "clientIp": "10.168.22.7", "elbStatusCode": 404, "sentBytes": 167, "type": "https" }

Filter by multiple conditions

Combine conditions with and, or and not. Optionally group expressions with () to change operator precedence:

aws_alb
| where p_event_time > time.ago(1d) and (elbStatusCode == 200 or elbStatusCode == 404)

EVENT

{ "p_event_time": "2025-03-06 15:05:47.536000", "clientIp": "192.168.11.34", "elbStatusCode": 200, "sentBytes": 329, "type": "https" }

{ "p_event_time": "2025-03-06 14:55:47.536000", "clientIp": "10.168.22.7", "elbStatusCode": 404, "sentBytes": 167, "type": "https" }

PreviousVisualize Operator NextPantherFlow Data Types

Last updated 22 days ago

Was this helpful?