NQL where

A where clause allows you to add conditions to your query to filter the results.

Syntax

...
| where <field name> <comparison operator> <field value>

Examples

Select the devices running the Windows operating system.

devices during past 7d
| where operating_system.platform == Windows

Name          Platform
nxt-gcarlisa  Windows
nxt-wmirjam   Windows

Select the devices not running the Windows operating system.

devices during past 7d
| where operating_system.platform != Windows
| list name, operating_system.platform

Name         Platform
nxt-jdoe     macOS
nxt-vlatona  macOS

Select the users whose name contains “jo”.

users during past 7d
| where username == "*jo*"

Name
John Fisher
John Doe

Using multiple conditions

Use multiple filters separated by "and" or "or" operators to apply more complex conditions. The conditions in the filter are grouped together to preserve the order of precedence. When you put where clauses on separate lines, the result is the same as if you created one where clause with multiple "and" conditions.

The following queries provide the exact same results.

devices during past 7d
| where device.entity == "Lausanne" and device.hardware.type == laptop

devices during past 7d
| where device.entity == "Lausanne"
| where device.hardware.type == laptop
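
The equivalence above can be checked with a small Python model of the filter pipeline. This is an added illustration, not Nexthink code: the device records are constructed, and the `condition` and `where` helpers and the case-insensitive wildcard matching are assumptions.

```python
import re

# Constructed sample inventory; field names follow the queries above,
# the values are illustrative only.
DEVICES = [
    {"name": "nxt-gcarlisa", "device.entity": "Lausanne", "device.hardware.type": "laptop"},
    {"name": "nxt-wmirjam", "device.entity": "Lausanne", "device.hardware.type": "desktop"},
    {"name": "nxt-jdoe", "device.entity": "Boston", "device.hardware.type": "laptop"},
    {"name": "nxt-vlatona", "device.entity": "Lausanne", "device.hardware.type": "laptop"},
]


def condition(field, op, value):
    """Build a predicate for `<field> <op> <value>`; `*` in value is a wildcard."""
    if op not in ("==", "!="):
        raise ValueError(f"unsupported operator: {op}")
    # Assumption: matching ignores case. Literal parts are escaped so that
    # only `*` acts as a wildcard.
    parts = (re.escape(part) for part in value.split("*"))
    pattern = re.compile(".*".join(parts), re.IGNORECASE)

    def test(record):
        hit = pattern.fullmatch(str(record.get(field, ""))) is not None
        return hit if op == "==" else not hit

    return test


def where(rows, *conditions):
    """Model one where clause whose conditions are all joined by `and`."""
    return [row for row in rows if all(check(row) for check in conditions)]


def single_clause(rows):
    # | where device.entity == "Lausanne" and device.hardware.type == laptop
    return where(rows,
                 condition("device.entity", "==", "Lausanne"),
                 condition("device.hardware.type", "==", "laptop"))


def chained_clauses(rows):
    # | where device.entity == "Lausanne"
    # | where device.hardware.type == laptop
    first = where(rows, condition("device.entity", "==", "Lausanne"))
    return where(first, condition("device.hardware.type", "==", "laptop"))


if __name__ == "__main__":
    print([d["name"] for d in single_clause(DEVICES)])
    print([d["name"] for d in chained_clauses(DEVICES)])
```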
