Skip to content
Legacy docs for Tenzir v5.x. For the latest Tenzir v6 series, visit docs.tenzir.com. Migrating from v5? Read the Tenzir v6 migration guide.

where

Keeps only events for which the given predicate is true.

where predicate:bool

Description

Section titled “Description”

The where operator only keeps events that match the provided predicate and discards all other events. Only events for which it evaluates to true pass.

Examples

Section titled “Examples”

Keep only events where src_ip is 1.2.3.4

Section titled “Keep only events where src_ip is 1.2.3.4”
where src_ip == 1.2.3.4

Use a nested field name and a temporal constraint on the ts field

Section titled “Use a nested field name and a temporal constraint on the ts field”
where id.orig_h == 1.2.3.4 and ts > now() - 1h

Combine subnet, size and duration constraints

Section titled “Combine subnet, size and duration constraints”
where src_ip in 10.10.5.0/25 and (orig_bytes > 1Mi or duration > 30min)

See Also

Section titled “See Also”

Last updated: