WHERE

The WHERE clause is used to specify a boolean condition that must be satisfied by an input record for that record to be output. Input records that do not satisfy the condition are discarded.

Remarks:

• The expression in a WHERE clause can not reference SQL (aggregate) functions. To specify conditions on values of aggregate functions, use the HAVING clause.

Examples:

A. Simple expression

WHERE EventID = 501

B. Complex expression

WHERE EXTRACT_TOKEN(Strings, 1, '|') LIKE '%logon&' AND
      (   TimeGenerated > SUB( TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP( '10', 'mm' ) )  OR
          SID IS NOT NULL
      )

See also:

Filtering Input Records

© 2004 Microsoft Corporation. All rights reserved.