elasticsearch/docs/reference/esql/processing-commands/where.asciidoc

[discrete]
[[esql-where]]
=== `WHERE`

The `WHERE` processing command produces a table that contains all the rows from
the input table for which the provided condition evaluates to `true`.

[TIP]
====
In case of value exclusions, fields with `null` values will be excluded from search results. 
In this context a `null` means either there is an explicit `null` value in the document or there is no value at all.
For example: `WHERE field != "value"` will be interpreted as `WHERE field != "value" AND field IS NOT NULL`.
====

**Syntax**

[source,esql]
----
WHERE expression
----

*Parameters*

`expression`::
A boolean expression.

*Examples*

[source,esql]
----
include::{esql-specs}/docs.csv-spec[tag=where]
----

Which, if `still_hired` is a boolean field, can be simplified to:

[source,esql]
----
include::{esql-specs}/docs.csv-spec[tag=whereBoolean]
----

Use date math to retrieve data from a specific time range. For example, to
retrieve the last hour of logs:

[source,esql]
----
include::{esql-specs}/date.csv-spec[tag=docsNowWhere]
----

`WHERE` supports various <<esql-functions,functions>>. For example the
<<esql-length>> function:

[source,esql]
----
include::{esql-specs}/docs.csv-spec[tag=whereFunction]
----

For a complete list of all functions, refer to <<esql-functions>>.

include::../functions/predicates.asciidoc[tag=body]

include::../functions/like.asciidoc[tag=body]

include::../functions/rlike.asciidoc[tag=body]

include::../functions/in.asciidoc[tag=body]

For a complete list of all operators, refer to <<esql-operators>>.