While early filtering is a good rule of thumb, in this instance remember the "where" command is categorized as a Distributable Streaming search process, so this would also be done at the index level and more importantly can be done BEFORE the final output, so it does not necessarily generate more traffic as Splunk will send it down as well knowing this fact about the "where" command.
But, like I said, and learned from a great teacher I had, that is generally a good rule of thumb to follow 😉
Also, the above about Distributable Streaming goes for: eval, fields, rex, where, etc.
For the curious, here's a great read to understand how searching works wrt different commands:
... View more