filter
Description
The filter command removes all documents that do not satisfy a specified
condition. Only documents for which the condition evaluates to true are
retained in the result set; a document for which the condition evaluates to
false, or to null, is dropped.
This command forms the foundation of most queries: it defines which data is kept for further transformation or aggregation. Conditions can be simple comparisons or complex logical expressions involving multiple conditions and functions.
When comparing a keypath to null, the comparison is only defined for scalar
values (string, number, timestamp, etc.). For nested JSON objects, a
comparison with null always evaluates to null rather than to true or false.
Because filter retains only documents where the condition is true, a document
whose field holds a nested object is dropped by such a comparison whether the
operator is equality or inequality. A filter meant to keep documents that have
the nested object set should therefore compare a scalar field inside the
object instead of the object itself.
Syntax
(f|filter|where) <condition-expression>
Example
Use case: Keep only server errors (HTTP 5xx)
You can use filter to include only events matching a specific numeric range,
string pattern, or complex condition. In this example, we filter log documents
to show only those where the http_status_code indicates a server error.
Example data
{ "http_status_code": 502, "path": "/api/login" },
{ "http_status_code": 404, "path": "/api/home" },
{ "http_status_code": 503, "path": "/api/checkout" }
Example query
filter http_status_code > 500
Example output
{ "http_status_code": 502, "path": "/api/login" },
{ "http_status_code": 503, "path": "/api/checkout" }
The filter command keeps only the documents that meet the specified
condition, in this case HTTP status codes greater than 500. Note that the
strict comparison > 500 does not match status 500 itself, which is also a
server error. To cover the whole 5xx range, use an inclusive lower bound
(>= 500) and, if the field can hold values outside the HTTP range, add an
upper bound with a logical and.
The aliases f and where can be used interchangeably with filter:
f http_status_code > 500
where http_status_code > 500
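The following is an added example, not code from the query engine or this page: a small Python model of the filter semantics described above, used to make both the 5xx boundary in the status-code example and the null caveat observable on sample data. It assumes, beyond what the page states, that a missing keypath resolves to null, that keypaths are dot-separated, and that ordering comparisons involving null or non-scalar values evaluate to null. The sample documents are constructed; the three from the example are extended with a status 500 document and one whose upstream field is a nested object.

```python
# Added example: a Python model of the documented filter semantics. It is NOT
# the query engine's own code. Assumptions beyond the page: a missing keypath
# resolves to null, keypaths are dot-separated, and ordering comparisons
# (<, >, ...) involving null or non-scalar values evaluate to null.
import operator
from typing import Any, Callable, Optional

SCALAR = (str, int, float, bool)  # "scalar" per the page: string, number, etc.

_OPS: dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq, "!=": operator.ne,
    ">": operator.gt, ">=": operator.ge,
    "<": operator.lt, "<=": operator.le,
}


def lookup(doc: dict, keypath: str) -> Any:
    """Resolve a dot-separated keypath; a missing segment yields None (assumption)."""
    cur: Any = doc
    for part in keypath.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def compare(lhs: Any, op: str, rhs: Any) -> Optional[bool]:
    """Three-valued comparison: True, False, or None (null).

    Per the page, comparisons against null are defined only for scalar
    operands; a nested JSON object compared with null evaluates to null.
    """
    if lhs is None or rhs is None:
        other = rhs if lhs is None else lhs
        if other is not None and not isinstance(other, SCALAR):
            return None                      # nested object vs null -> null
        if op in ("==", "!="):
            return _OPS[op](lhs, rhs)        # scalar-or-null equality is boolean
        return None                          # ordering against null: null (assumption)
    if isinstance(lhs, SCALAR) and isinstance(rhs, SCALAR):
        try:
            return _OPS[op](lhs, rhs)
        except TypeError:                    # e.g. "abc" > 5: modelled as null
            return None
    return None                              # non-scalar operand: null (assumption)


def filter_docs(docs: list[dict], keypath: str, op: str, value: Any) -> list[dict]:
    """Keep only documents whose condition evaluates to true.

    This is the point of the page's null caveat: false AND null both drop the
    document, so the test is `is True`, not Python truthiness.
    """
    return [d for d in docs if compare(lookup(d, keypath), op, value) is True]


# Constructed sample documents: the page's three, plus a boundary case (500)
# and a document whose `upstream` field is a nested object.
DOCS: list[dict] = [
    {"http_status_code": 502, "path": "/api/login"},
    {"http_status_code": 404, "path": "/api/home"},
    {"http_status_code": 503, "path": "/api/checkout"},
    {"http_status_code": 500, "path": "/api/search"},
    {"http_status_code": 200, "path": "/health",
     "upstream": {"host": "db-1", "latency_ms": 3}},
]


def paths(docs: list[dict]) -> list[str]:
    return [d["path"] for d in docs]


def demo() -> dict[str, list[str]]:
    """Run the page's query and the variants a reviewer would check."""
    return {
        # The page's query: `> 500` silently excludes status 500 itself.
        "gt_500": paths(filter_docs(DOCS, "http_status_code", ">", 500)),
        # Inclusive lower bound covers every 5xx document present here.
        "ge_500": paths(filter_docs(DOCS, "http_status_code", ">=", 500)),
        # `upstream == null`: kept only where the keypath is absent (scalar null).
        "upstream_eq_null": paths(filter_docs(DOCS, "upstream", "==", None)),
        # `upstream != null`: the nested object compares to null, not true,
        # so nothing survives even though one document has `upstream` set.
        "upstream_ne_null": paths(filter_docs(DOCS, "upstream", "!=", None)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The last two queries are the practical lesson: a filter such as upstream != null, written to select documents that carry the nested object, returns nothing, while upstream.host != null (a scalar comparison) would. When a filter unexpectedly returns an empty set, check whether the field being compared against null is an object rather than a scalar.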