where
Description
The where command filters search results to only those rows where the specified boolean expression evaluates to true. It is the primary filtering command in PPL and can appear anywhere in the pipeline after the search (or source=) command.
where supports all comparison operators, logical operators, pattern matching with LIKE, set membership with IN, range checks with BETWEEN, null testing with IS NULL / IS NOT NULL, and nested conditions with parentheses. You can also use built-in functions and eval expressions inline within the boolean expression.
Syntax

```
where <boolean-expression>
```

Arguments

| Argument | Required | Description |
|---|---|---|
| <boolean-expression> | Yes | The condition used to filter results. Only rows where this evaluates to true are returned. |
Supported operators
| Category | Operators |
|---|---|
| Comparison | =, !=, <>, >, <, >=, <= |
| Logical | AND, OR, NOT |
| Pattern matching | LIKE(field, pattern) - % matches zero or more characters, _ matches exactly one character |
| Set membership | IN (value1, value2, ...) |
| Range | BETWEEN value1 AND value2 |
| Null testing | IS NULL, IS NOT NULL, ISNULL(field), ISNOTNULL(field) |
| Grouping | Parentheses ( ) for controlling evaluation order |
Usage notes
- Multiple where commands: You can chain multiple `where` commands in a single pipeline. Each successive `where` further narrows the result set, equivalent to combining them with `AND`.
- Eval expressions inline: You can use functions and expressions directly in the boolean condition (e.g., `where length(body) > 100` or `where LIKE(body, '%timeout%')`).
- Null handling: Comparisons with `null` values follow SQL semantics: a comparison involving `null` evaluates to `null` (not `true` or `false`), so the row is excluded. Use `IS NULL` or `ISNULL()` to explicitly test for null values.
- String values: Enclose string literals in single quotes (`'value'`). Double quotes are used for field names that contain special characters.
- Backtick field names: OTel fields with dots in their names (e.g., `resource.attributes.service.name`) must be enclosed in backticks to prevent them from being interpreted as nested field access.
- Performance: Filters applied earlier in the pipeline reduce the amount of data processed by subsequent commands. Place your most selective `where` conditions as early as possible.
- vs. search expression: The `search` command also supports inline boolean expressions, but `where` is more flexible: it supports functions, `LIKE`, `BETWEEN`, and computed expressions that `search` does not.
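The null-handling, LIKE and chained-where rules above are easy to get wrong when triaging logs, so here is an added example (not code from this page or from the PPL project) that models those semantics in Python over a few constructed OTel-style rows: a null operand makes a comparison null, null rows are dropped by `where` unless tested with ISNULL, and two successive where commands select the same rows as one where with AND. The `gt`, `and3`, `like` and `where` helpers are hypothetical names chosen for the illustration.

```python
import re
from typing import Any, Callable, Optional

# Constructed OTel-style log rows (not real data); None models an absent (null) field.
LOGS = [
    {"severityNumber": 17, "severityText": "ERROR", "body": "connection timeout to db"},
    {"severityNumber": 9, "severityText": "INFO", "body": "request ok"},
    {"severityNumber": None, "severityText": None, "body": "no severity set"},
    {"severityNumber": 21, "severityText": "FATAL", "body": "timeout on checkout"},
]

def gt(a: Any, b: Any) -> Optional[bool]:
    """SQL-style '>': a null operand makes the whole comparison null, not false."""
    return None if a is None or b is None else a > b

def and3(a: Optional[bool], b: Optional[bool]) -> Optional[bool]:
    # Three-valued AND: false wins over null, null wins over true.
    if a is False or b is False:
        return False
    return None if a is None or b is None else True

def like(value: Optional[str], pattern: str) -> Optional[bool]:
    """LIKE(field, pattern): % = zero or more chars, _ = exactly one; null value -> null.
    Case folding is not modelled here (assumption); the sample bodies are lower-case."""
    if value is None:
        return None
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def where(rows: list, predicate: Callable[[dict], Optional[bool]]) -> list:
    """Keep a row only when the predicate is exactly True; null is dropped like false."""
    return [r for r in rows if predicate(r) is True]

def above_debug() -> list:
    # where severityNumber > 9: the row whose severityNumber is null is silently excluded
    return [r["severityText"] for r in where(LOGS, lambda r: gt(r["severityNumber"], 9))]

def missing_severity() -> list:
    # where ISNULL(severityNumber): the only way to select that excluded row
    return [r["body"] for r in where(LOGS, lambda r: r["severityNumber"] is None)]

def timeout_bodies() -> list:
    # where LIKE(body, '%timeout%')
    return [r["body"] for r in where(LOGS, lambda r: like(r["body"], "%timeout%"))]

def chained_where_equals_and() -> bool:
    # two successive where commands yield the same rows as a single where with AND
    p1 = lambda r: gt(r["severityNumber"], 9)
    p2 = lambda r: like(r["body"], "%timeout%")
    return where(where(LOGS, p1), p2) == where(LOGS, lambda r: and3(p1(r), p2(r)))
```

Note that `above_debug()` never sees the null-severity row and `missing_severity()` is needed to surface it, which matters when a missing severity is itself the signal you are hunting for.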
Basic examples
Simple comparison

Return log entries with a severity number greater than 9 (above DEBUG level):

```
source=logs-otel-v1*
| where severityNumber > 9
| head 20
```

Combine conditions with AND / OR

Return error logs from the checkout service:

```
source=logs-otel-v1*
| where severityText = 'ERROR' AND `resource.attributes.service.name` = 'checkout'
| head 20
```

Return logs that are either errors or from the payment service:

```
source=logs-otel-v1*
| where severityText = 'ERROR' OR `resource.attributes.service.name` = 'payment'
| head 20
```

Pattern matching with LIKE

Find logs whose body contains the word connection:

```
source=logs-otel-v1*
| where LIKE(body, '%connection%')
| head 20
```

Find service names starting with product-:

```
source=logs-otel-v1*
| where LIKE(`resource.attributes.service.name`, 'product-%')
| head 20
```

Set membership with IN

Return logs matching specific severity levels:

```
source=logs-otel-v1*
| where severityText IN ('ERROR', 'WARN', 'FATAL')
| head 20
```

Filter by numeric range

Return logs with severity numbers in the error range (17 through 21) using BETWEEN:

```
source = logs-otel-v1*
| where severityNumber BETWEEN 17 AND 21
| stats count() as logs by severityText
```

Null testing

Find log entries where the trace ID is empty (logs not correlated to a trace):

```
source=logs-otel-v1*
| where traceId = ''
| head 20
```

Find log entries that have a span ID (logs correlated to a specific span):

```
source=logs-otel-v1*
| where ISNOTNULL(spanId)
| head 20
```

Grouped conditions

Combine multiple conditions with parentheses to control evaluation order:

```
source=logs-otel-v1*
| where (severityText = 'ERROR' OR severityText = 'FATAL') AND `resource.attributes.service.name` = 'weather-agent'
| head 20
```

Extended examples

Filter error logs by service

Find ERROR and FATAL logs from the weather agent service. This is a common starting point for incident triage.

```
source=logs-otel-v1*
| where severityText = 'ERROR' OR severityText = 'FATAL'
| where `resource.attributes.service.name` = 'weather-agent'
| head 50
```

Compound GenAI attribute filter

Filter logs for a specific GenAI agent operation, useful for investigating AI agent invocation failures or high-latency completions.

```
source=logs-otel-v1*
| where `attributes.gen_ai.operation.name` = 'invoke_agent'
| where `resource.attributes.service.name` = 'weather-agent'
| where severityNumber >= 17
| head 20
```

Filter logs containing a keyword pattern

Find logs whose body contains the word “timeout” using LIKE with wildcard characters:

```
source=logs-otel-v1*
| where LIKE(body, '%timeout%')
| head 20
```

See also

- search: The starting point of every PPL query, also supports inline boolean expressions
- fields: Select or exclude specific fields from the output
- PPL Commands: Full command reference