where operator
Filters a table to the subset of rows that satisfy a predicate.
Alias: filter
Syntax
T | where Predicate
Arguments
| Expr | Type | Required | Description |
|---|---|---|---|
| T | Table | ✓ | The tabular input whose records are to be filtered. |
| Predicate | bool | ✓ | A boolean expression over the columns of T. It's evaluated for each row in T. |
Returns
Rows in T for which Predicate is true.
Notes
Null values: all filtering functions return false when compared with null values. You can use special null-aware functions to write queries that handle null values.
Example: Simple comparisons first
This example retrieves events that are no older than 5 minutes, whose name is not null, and whose name does not equal 'Swizzor Botnet Traffic'.
Notice that this example uses the alias limit instead of take.
events
| project name, original_time=unixtime_milliseconds_todatetime(original_time)
| where original_time > ago(5m)
| where name != 'Swizzor Botnet Traffic' and isnotnull(name)
| limit 5
Results
| name | original_time |
|---|---|
| Session Denied | 2023-01-20 12:39:16.936 |
| Traffic Start | 2023-01-20 12:39:16.936 |
| Traffic Start | 2023-01-20 12:39:16.937 |
| Traffic End | 2023-01-20 12:39:16.937 |
| Traffic End | 2023-01-20 12:39:16.937 |
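The following query is an added example (not from the original page) showing the null behaviour described in the Notes above. It uses a constructed `datatable` in place of the events table; the `bytes` column and its null value are assumptions made for the illustration.

```kusto
// Constructed sample rows standing in for the events table; the first row
// has a null `bytes` value so the null semantics of where are visible.
let sample = datatable(name:string, original_time:datetime, bytes:long)
[
    'Session Denied', datetime(2023-01-20 12:39:16.936), long(null),
    'Traffic Start',  datetime(2023-01-20 12:39:16.936), 512,
    'Traffic End',    datetime(2023-01-20 12:39:16.937), 0
];
sample
// Cheap comparison first, as in the page's example: narrow the rows by time
// before the rest of the predicate is evaluated.
| where original_time between (datetime(2023-01-20 12:39:00) .. datetime(2023-01-20 12:40:00))
// `bytes > 0` on its own evaluates to false for the null row and drops it
// silently; spelling out the null case keeps rows where bytes is unknown.
| where isnull(bytes) or bytes > 0
| project name, bytes
```

The result keeps 'Session Denied' (null bytes) and 'Traffic Start' (512) and drops only 'Traffic End' (0); removing the `isnull(bytes)` term would also drop 'Session Denied'.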