Filters (i.e. narrows) the complex search results to display only those column values that meet specific criteria.
where [SEARCH QUERY on column results]
SEARCH QUERY on column results
Syntax: A search query (simple or complex)
Description: Runs a search query on the complex search summary table, to extract and display values that meet specific criteria.
Filters the summary table resulting from a complex search, to extract and display only those values that meet specific criteria defined in the "where" search query. The "where" search query can be built using the simple search syntax (see Performing a Simple Search) or complex search syntax (see Complex Search Syntax Reference).
in log.access log | count | group by status | order by count desc | where count < 500
Shows only those statuses in the summary table which have less than 500 events.