---
id: filter
title: filter Search Operator
sidebar_label: filter
description: Use the filter operator to filter search output based on the filtering criteria of a child query.
slug: /help/docs/search/search-query-language/search-operators/filter/
canonical: https://www.sumologic.com/help/docs/search/search-query-language/search-operators/filter/
---

Use the `filter` operator to filter the output of a search based on the filtering criteria of a child query. The `filter` operator keeps only the records that match the filter criteria, allowing you to restrict search results to the most relevant information.

## Syntax

`"filter" + in () ::= (non data-retrieval sumo query ) ::= (name of a field)`

### Caveats

* The filter operator must follow an aggregate operator.
* All the fields must be present in the output fields for the child query.
* The compare operator and filter operator are not supported in the child query.
* The filter operator can be used instead of the `where` operator.

### Limitations

The operator can process up to 100,000 data points for a single query. It automatically drops the data points that exceed the limit and issues a warning.

## Examples

### Show all source hosts with outlier violations

```sumo
_sourceCategory=HttpServers
| timeslice 1m
| count by _timeslice, _sourceHost
| filter _sourceHost in (outlier _count by _sourceHost | where _count_violation > 0)
| transpose row _timeslice column _sourceHost
```

### Show top two source hosts with the most messages

```sumo
_sourceCategory=HttpServers
| timeslice 1m
| count by _timeslice, _sourceHost
| filter _sourceHost in (sum(_count) by _sourceHost | top 2 _sourceHost by _sum )
| transpose row _timeslice column _sourceHost
```

### Show top three source hosts with most outlier violations

```sumo
_sourceCategory=HttpServers
| timeslice 1m
| count by _timeslice, _sourceHost
| filter _sourceHost in (outlier _count by _sourceHost | sum(_count_violation) by _sourceHost | top 3 _sourceHost by _sum )
| transpose row _timeslice column _sourceHost
```