Where limits the result set
Search a table for data generated in the last hour
Perf
| where TimeGenerated >= ago(1h)
ago() lets you select relative time ranges, using these timespan suffixes:
- d – days
- h – hours
- m – minutes
- s – seconds
- ms – milliseconds
- microsecond – microseconds
Combine where with an AND condition
Perf
| where TimeGenerated >= ago(1h)
and CounterName == "Bytes Received/sec"
and CounterValue > 0
Combine where with an OR condition
Perf
| where TimeGenerated >= ago(1h)
and (CounterName == "Bytes Received/sec"
or
CounterName == "% Processor Time"
)
and CounterValue > 0
Stacking where operators (useful for in-between processing such as if/else)
Perf
| where TimeGenerated >= ago(1h)
| where (CounterName == "Bytes Received/sec"
or
CounterName == "% Processor Time"
)
| where CounterValue > 0
Simulate search with the where operator
//Search any column for the term Bytes (has matches whole terms)
Perf
| where * has "Bytes"
//Search any column for a term that starts with Bytes
Perf
| where * hasprefix "Bytes"
//Search any column for a term that ends with Bytes
Perf
| where * hassuffix "Bytes"
//Search any column that contains the string Bytes (substring match)
Perf
| where * contains "Bytes"
//Search a column using a regular expression
Perf
| where InstanceName matches regex "[A-Z]:"
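Comparing has, hasprefix, hassuffix and contains side by side, as an added example that is not part of the original page. The Sample table and its rows are constructed for illustration and do not come from real Perf data.

```kusto
// Constructed sample rows (not real Perf data).
// Terms are split on non-alphanumeric characters, so "KBytes" and
// "BytesPerSecond" are each a single term.
let Sample = datatable(CounterName:string)
[
    "Bytes Received/sec",
    "Total Bytes/sec",
    "KBytes Sent",
    "BytesPerSecond",
    "% Processor Time"
];
Sample
// One boolean column per operator shows which rows each where clause would keep.
| extend
    Has       = CounterName has "Bytes",        // whole-term match
    HasPrefix = CounterName hasprefix "Bytes",  // a term starts with Bytes
    HasSuffix = CounterName hassuffix "Bytes",  // a term ends with Bytes
    Contains  = CounterName contains "Bytes"    // substring match anywhere
```

The rows "KBytes Sent" and "BytesPerSecond" are where the operators disagree: contains matches both, while has matches neither because Bytes is not a whole term in them.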