NQL where

A where clause allows you to add conditions to your query to filter the results.

Comparing a field value to a fixed reference

Compare a field value to a fixed reference to filter results that match a specific, unchanging criterion. For example:

  • Filter devices with a specific operating system.

  • Filter devices with free memory below a specified threshold.

  • Filter specific binary versions.

Syntax

...
| where <field name> <comparison operator> <static value>

Examples

Select the devices running the Windows operating system.

devices during past 7d
| where operating_system.platform == Windows
| list name, operating_system.platform

Name           Platform
nxt-gcarlisa   Windows
nxt-wmirjam    Windows

Select the devices not running the Windows operating system.

devices during past 7d
| where operating_system.platform != Windows
| list name, operating_system.platform

Name           Platform
nxt-jdoe       macOS
nxt-vlatona    macOS

Select the users whose name contains “jo”.

users during past 7d
| where username == "*jo*"

Name
John Fisher
John Doe

Comparing two field values against each other

Compare two field values against each other when you wish to filter results based on a dynamic relationship between fields. Only fields from the same table can be compared against each other.

You can compare the following fields:

  • native fields

  • context fields

  • metrics (aliases) computed in the query

  • manual custom fields

Syntax

...
| where <field-a name> <comparison operator> <field-b name>

Examples

Comparing native fields

Identify users who don't use the same peripheral for both the speaker and the microphone.

users
| with collaboration.sessions
| where participant_device.microphone != participant_device.speaker

Comparing a native field with a context field

Filter out events where the device has changed location, keeping only those whose destination country matches the device's context location.

connection.events during past 7d
| where destination.country == context.location.country

Comparing native field to computed metric

Identify devices that have not had any Collector activity after an execution crash.

devices during past 7d
| include execution.crashes during past 7d
| compute last_crash_time = time.last()
| where last_crash_time > last_seen

Comparing native field to a manual custom field

Compare the package version to a required compliant version that is stored in a manual custom field.

packages
| where package.version == package.#required_version

Using multiple conditions

Combine multiple conditions with the and and or operators to apply more complex filters. The conditions in a filter are grouped together to preserve the order of precedence. When you put where clauses on separate lines, the result is the same as one where clause that joins the same conditions with and.

The following queries provide the exact same results.

devices during past 7d
| where device.entity == "Lausanne" and device.hardware.type == laptop

devices during past 7d
| where device.entity == "Lausanne"
| where device.hardware.type == laptop
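The following is an added illustration, not Nexthink's code or an NQL engine: a small Python evaluator that reproduces the where-clause behaviour described in the sections above (comparing a field to a static value, wildcard strings such as "*jo*", comparing two fields of the same row, and/or combinations, and the rule that chained where clauses behave like a single clause joined with and). The sample rows, the flattened field names (platform, entity, hardware_type, last_seen, last_crash_time, username) and the precedence rule (and binds tighter than or, no parentheses) are assumptions made for this example.

```python
# Added illustration, not Nexthink's code: a toy evaluator for the `where`
# semantics this page describes (field vs static value, wildcard strings,
# field vs field within the same row, and/or, chained where clauses),
# run over constructed sample rows. Assumptions are marked inline.
import fnmatch
import operator
import re
from typing import Any, Callable

# Constructed sample rows (flattened field names; not real Nexthink output).
DEVICES = [
    {"name": "nxt-gcarlisa", "platform": "Windows", "entity": "Lausanne",
     "hardware_type": "laptop", "free_memory_gb": 2, "last_seen": 1000, "last_crash_time": 900},
    {"name": "nxt-wmirjam", "platform": "Windows", "entity": "Paris",
     "hardware_type": "desktop", "free_memory_gb": 8, "last_seen": 1000, "last_crash_time": 1200},
    {"name": "nxt-jdoe", "platform": "macOS", "entity": "Lausanne",
     "hardware_type": "laptop", "free_memory_gb": 1, "last_seen": 1000, "last_crash_time": 0},
]
USERS = [{"username": "John Fisher"}, {"username": "John Doe"}, {"username": "Maria Silva"}]

OPS: dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}
# <field> <comparison operator> <static value or field>
_COND = re.compile(r"^\s*(\S+)\s*(==|!=|<=|>=|<|>)\s*(.+?)\s*$")


def _resolve(token: str, row: dict) -> Any:
    """Turn the right-hand side of a condition into a comparable value."""
    if token.startswith('"') and token.endswith('"'):
        return token[1:-1]                       # quoted static string
    try:
        return float(token) if "." in token else int(token)
    except ValueError:
        pass
    # Bare identifier: a field of the same row if one exists (field-to-field
    # comparison), otherwise an enum-style literal such as Windows or laptop.
    return row[token] if token in row else token


def eval_condition(cond: str, row: dict) -> bool:
    """Evaluate one `field op value` condition against a single row."""
    m = _COND.match(cond)
    if not m:
        raise ValueError(f"cannot parse condition: {cond!r}")
    lhs, op, rhs = m.groups()
    left = row[lhs]
    quoted = rhs.startswith('"') and rhs.endswith('"')
    right = _resolve(rhs, row)
    # Wildcard match for quoted strings containing '*' (case-insensitive, as the
    # page's "*jo*" example matching "John" implies). Assumption: '*' only.
    if quoted and op in ("==", "!=") and "*" in right:
        hit = fnmatch.fnmatchcase(str(left).lower(), right.lower())
        return hit if op == "==" else not hit
    return OPS[op](left, right)


def eval_where(expr: str, row: dict) -> bool:
    """Evaluate and/or combinations. Assumption for this toy: `and` binds
    tighter than `or`, there are no parentheses, and the keywords never
    appear inside quoted values."""
    return any(
        all(eval_condition(c, row) for c in re.split(r"\s+and\s+", alt))
        for alt in re.split(r"\s+or\s+", expr)
    )


def run_where(rows: list[dict], *clauses: str) -> list[dict]:
    """Apply one or more where clauses in sequence. A row survives only if it
    satisfies every clause, which is exactly what a single clause joining the
    same conditions with `and` would do."""
    return [r for r in rows if all(eval_where(c, r) for c in clauses)]


if __name__ == "__main__":
    print([r["name"] for r in run_where(DEVICES, "platform == Windows")])
    print([r["name"] for r in run_where(DEVICES, 'entity == "Lausanne" and hardware_type == laptop')])
    print([r["name"] for r in run_where(DEVICES, 'entity == "Lausanne"', "hardware_type == laptop")])
    print([r["name"] for r in run_where(DEVICES, "last_crash_time > last_seen")])
    print([u["username"] for u in run_where(USERS, 'username == "*jo*"')])
```

Passing one clause with and, or two separate clauses, to run_where yields the same rows, which is the equivalence the section above states; the field-to-field case works because the bare identifier on the right is looked up in the same row, mirroring the rule that only fields from the same table can be compared.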
