Splunk® Cloud Services

SPL2 Search Reference

where command overview

The SPL2 where command uses <predicate-expressions> to filter search results. A predicate expression, when evaluated, returns either TRUE or FALSE. The where command only returns the results that evaluate to TRUE.

The where command is identical to the WHERE clause in the from command.

Syntax

The required syntax is in bold.

where <predicate-expression>

How the SPL2 where command works

The SPL2 where command acts as a filter on your search results. The where command takes the results from your search and removes all of the results that do not match the <predicate-expression> that you specify.

In pipelines
Data that does not match the <predicate-expression> is not sent to the INTO <destination>. The data will either be dropped, or sent to the default destination. For more information:
For Edge Processor, see Partitions in the Use Edge Processor manual.
For Ingest Processor, see Partitions in the Use Ingest Processor manual.

With the where command, you must specify a <predicate-expression> that evaluates to TRUE. This can include an expression such as field=value. The following table shows a few examples:

Example Description
...| where name="maria" In this example, maria is a string literal. All strings must be enclosed in double quotation marks.
...| where ipaddress="198.51.100.1" The IP address is a string value. All strings must be enclosed in double quotation marks.
...| where 'host-name'="buttercup" If the expression references a field name that contains characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character, the field name must be surrounded by single quotation marks.
...| where status in("400", "401", "403", "404") The expression can include a function. This example returns in=TRUE if one of the values in the status field matches one of the values in the list.
$pipeline = | from $source

| where priority="high"
| eval index = "main"
| into $destination

This pipeline example uses a field-value pair expression in the WHERE command.

In addition to field=value expressions, you can specify a mathematical expression, concatenation expression, comparison expression, as long as the expression evaluates to TRUE.

For more information about expressions, see Types of expressions and Predicate expressions in the SPL2 Search Manual.

See also

where command
where command syntax details
where command usage
where command examples
Other commands
from command overview
Functions
Overview of SPL2 eval functions
Last modified on 18 December, 2024
union command examples   where command syntax details

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters