where
The where operator displays only the events that match the criteria specified in a "where" expression. A where expression acts as a filter: each event either satisfies the condition (true) and is returned, or does not (false) and is dropped, so the result of a where expression is always binary. filter is a synonym of the where operator.
Syntax
... | where <expression>
where:
- The where operator represents the filter you want to apply to a field.
- The expression is a valid field-based query expression. Arithmetic expressions and functions are not supported in a where expression.
- For where any … contains queries, the search is run against all fields, but only results for fields whose IDs are alphabetic (letters only) are displayed. For example, results for the ID "HostName" are displayed, but results for the ID CEID-3631 are not, even though that field is searched.
- Avoid renaming fields that were used implicitly by a previous where any expression. The category behavior field is used implicitly by the where any expression when category is given, so renaming it afterwards breaks the query. Do not use:
  | where any category is not null | rename category behavior as test
  Instead, copy the value into a new field with eval:
  | where any category is not null | eval test=tostring(category behavior)
- You can specify multiple field conditions in one query expression by placing Boolean operators (such as AND and OR) between them. Conditions can also be nested with parentheses, which control the order in which they are evaluated. For example:
  (name="John Doe" OR name="Jane Smith") AND message!="success"
- Aliases that contain special characters have the following syntax restrictions when the alias is reused later in the query:
  Special characters: @, #, +, ?, /, ^, [], {}, _, *, ., ~, $, %
  Restriction: Do not need to be enclosed in single or double quotes when they are reused; the search works as expected.
  Example: | rename source address as 'source@' | where source@ <> null

  Special characters: &, !, -, =, <, >, |
  Restriction: Must be enclosed in single or double quotes when they are reused; the search then works as expected.
  Example: | rename source address as 'source&' | where 'source&' <> null

  Special character: \
  Restriction: When a backslash is used in an alias name, add a second backslash to escape it. The alias does not need to be enclosed in single or double quotes when it is reused, and the search runs as expected. The resulting field name shows only one backslash.
  Example: | rename source address as 'source\\' | where source\\ <> null
How Do I Use This?
... | where eventId is NULL
... | where eventId=10006093313 OR deviceVersion CONTAINS "4.0.6.4924.1"
... | where eventId >=10005985569 OR categories= "/Agent/Started"
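The following is an added example and is not part of this documentation or of the product's query engine: a small Python evaluator that applies where expressions in the syntax shown above (comparison operators, CONTAINS, is [not] null and the <> null spelling, AND/OR with parentheses, and quoted or unquoted aliases such as 'source&' and source@) to a constructed list of events. The function names (tokenize, WhereParser, where), the sample events, and the semantics the code assumes are this example's own choices, not documented product behaviour: AND binds more tightly than OR, a null or missing field never satisfies a comparison, and CONTAINS is a case-sensitive substring test.

```python
import operator
import re
# Token shapes: numbers; quoted strings (values, or quoted aliases such as 'source&'); comparison
# operators and parentheses; bare words (fields, keywords, unquoted aliases such as source@), which
# stop at whitespace, quotes, parentheses and the characters the page says must be quoted.
_TOKEN = re.compile(
    r"""\s*(?:(?P<num>-?\d+(?:\.\d+)?)(?![\w.])|(?P<str>"[^"]*"|'[^']*')|(?P<op><>|!=|>=|<=|=|>|<|\(|\))
       |(?P<word>[A-Za-z_][^\s()'"=<>!&|,-]*)|(?P<err>\S))""", re.VERBOSE)
_KEYWORDS = {"AND", "OR", "IS", "NOT", "NULL", "CONTAINS"}  # matched case-insensitively
_OPS = {"=": operator.eq, "!=": operator.ne, "<>": operator.ne, ">": operator.gt,
        ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def tokenize(text):
    tokens = []
    for m in _TOKEN.finditer(text):
        kind, val = m.lastgroup, m.group(m.lastgroup)
        if kind == "err":
            raise ValueError(f"cannot tokenize {val!r} at offset {m.start(kind)}")
        if kind == "word" and val.upper() in _KEYWORDS:
            kind, val = "kw", val.upper()
        tokens.append((kind, float(val) if kind == "num" else val[1:-1] if kind == "str" else val))
    return tokens

def _compare(actual, op, expected):
    if actual is None:   # assumption: a null or missing field never satisfies a comparison
        return False
    try:                 # numeric literals compare numerically, everything else compares as text
        return _OPS[op](float(actual) if isinstance(expected, float) else str(actual), expected)
    except (TypeError, ValueError):
        return False

class WhereParser:
    # Grammar: or_expr -> and_expr (OR and_expr)*;  and_expr -> primary (AND primary)*;
    # primary -> '(' or_expr ')' | condition.  Assumption: AND binds tighter than OR.
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def or_expr(self):
        return self._chain(self.and_expr, "OR", lambda a, b: a or b)
    def and_expr(self):
        return self._chain(self.primary, "AND", lambda a, b: a and b)
    def _chain(self, sub, keyword, combine):
        left = sub()
        while self.peek() == ("kw", keyword):
            self.take()
            right = sub()
            left = (lambda ev, lhs=left, rhs=right: combine(lhs(ev), rhs(ev)))
        return left
    def primary(self):
        if self.peek() == ("op", "("):         # parenthesised (possibly nested) sub-expression
            self.take()
            pred = self.or_expr()
            self.take("op", ")")
            return pred
        return self.condition()
    def condition(self):
        kind, field = self.take()
        if kind not in ("word", "str"):         # bare field name, or a quoted alias such as 'source&'
            raise ValueError(f"expected a field name, got {field!r}")
        kind, op = self.take()
        if (kind, op) == ("kw", "CONTAINS"):    # substring test against a quoted value
            needle = self.take("str")[1]
            return lambda ev, f=field, s=needle: ev.get(f) is not None and s in str(ev[f])
        if (kind, op) == ("kw", "IS"):          # `is null` / `is not null`
            negate = self.peek() == ("kw", "NOT")
            if negate:
                self.take()
            self.take("kw", "NULL")
            return lambda ev, f=field, n=negate: (ev.get(f) is None) != n
        if kind != "op" or op in ("(", ")"):
            raise ValueError(f"expected an operator after {field!r}, got {op!r}")
        vkind, value = self.take()
        if (vkind, value) == ("kw", "NULL"):    # `= null` / `<> null` spelling of the null test
            return lambda ev, f=field, n=(op != "="): (ev.get(f) is None) != n
        return lambda ev, f=field, o=op, v=value: _compare(ev.get(f), o, v)

def where(events, expression):
    parser = WhereParser(expression)
    pred = parser.or_expr()
    if parser.peek()[0] is not None:           # e.g. a missing AND/OR between two conditions
        raise ValueError(f"unexpected trailing input: {parser.toks[parser.i:]!r}")
    return [ev for ev in events if pred(ev)]

# Constructed sample events (not real product data) chosen to exercise the queries on this page.
EVENTS = [
    {"eventId": 10006093313, "deviceVersion": "4.0.6.4924.1", "categories": "/Agent/Started",
     "name": "John Doe", "message": "success"},
    {"eventId": 10005985569, "deviceVersion": "4.0.5", "categories": "/Agent/Stopped",
     "name": "Jane Smith", "message": "failed", "source@": "10.0.0.1"},
    {"eventId": None, "categories": "/Agent/Started", "name": "John Doe", "message": "failed",
     "source&": "10.0.0.2"},                 # no deviceVersion at all, and a null eventId
]
```

Calling where(EVENTS, '(name="John Doe" OR name="Jane Smith")AND message!="success"') returns only the two "failed" events, whereas dropping the parentheses returns all three, because the unparenthesised name="John Doe" then matches on its own; that is the reason the nesting note above recommends parentheses whenever AND and OR are mixed. The third event also shows the null handling: eventId >= … never matches it, but categories= "/Agent/Started" does, and it is the only event selected by eventId is NULL.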
For information about other operators, functions, and syntax requirements, see Use an Operator in the Query.