Filters events according to an expression.


where <expression>


The where operator only keeps events that match the provided expression and discards all other events.

Use where to extract the subset of interest of the data. Tenzir's expression language offers various ways to describe the desired data. In particular, expressions work across schemas and thus make it easy to concisely articulate constraints.


The expression to evaluate for each event.


Select all events that contain a field with the value


This expression internally completes to :ip == The type extractor :ip describes all fields of type ip. Use field extractors to only consider a single field:

where src_ip ==

As a slight variation of the above: use a nested field name and a temporal constraint of the field with name ts:

where id.orig_h == and ts > 1 hour ago

Subnets are first-class values:


This expression unfolds to :ip in or :subnet == It means "select all events that contain a field of type ip in the subnet, or a field of type subnet the exactly matches".

Expressions consist of predicates that can be connected with and, or, and not:

where and (orig_bytes > 1 Mi or duration > 30 min)