NQL where

A where clause allows you to add conditions to your query to filter the results.

Syntax

...
| where <field name> <comparison operator> <field value>

Examples

Select the devices running the Windows operating system.

devices during past 7d
| where operating_system.platform == Windows

Name

Platform

Select the devices not running the Windows operating system.

devices during past 7d
| where operating_system.platform != Windows
| list name, operating_system.platform

Name

Platform

Select the users whose name contains “jo”.

users during past 7d
| where username == "*jo*"

Using multiple conditions

Use multiple filters separated by and or or operators to apply more complex conditions. The conditions in the filter are grouped together to preserve the order of precedence. When you put where clauses on separate lines, the result is the same as if you created one where clause with multiple and conditions.

The following queries provide the exact same results.

devices during past 7d
| where device.entity == "Lausanne" and device.hardware.type == laptop

devices during past 7d
| where device.entity == "Lausanne" 
| where device.hardware.type == laptop

Last updated 4 months ago