where
Synopsis
Runs an eval expression to filter the results. The result of the expression must be Boolean.
Syntax
where eval-expression
Functions
The where command includes the following functions: abs(), case(), cidrmatch(), coalesce(), exact(), exp(), floor(), if(), ifnull(), isbool(), isint(), isnotnull(), isnull(), isnum(), isstr(), len(), like(), ln(), log(), lower(), ltrim(), match(), max(), min(), md5(), mvcount(), mvindex(), mvfilter(), now(), null(), nullif(), pi(), pow(), random(), replace(), round(), rtrim(), searchmatch(), sqrt(), substr(), tostring(), trim(), typeof(), upper(), urldecode(), validate().
For descriptions and examples of each function, see "Functions for eval and where".
Description
Keeps only the results for which the evaluation was successful and the boolean result was true.
Examples
Example 1: Return "CheckPoint" events whose source address matches the IP pattern or whose destination address is in the specified subnet.
host="CheckPoint" | where (src LIKE "10.9.165.%") OR cidrmatch("10.9.165.0/25", dst)
Example 2: Return "physicsjobs" events whose speed is greater than 100.
sourcetype=physicsjobs | where distance/time > 100
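To make the filtering rule concrete, the following Python model of the two searches above is an added example written for this page; it is not Splunk's own implementation. It applies the stated rule that a row survives only when the expression evaluates successfully and yields true, and it treats a missing field, a non-numeric operand and division by zero as a failed (null) evaluation; how OR combines a null with a boolean is modelled SQL-style (true wins, otherwise a null operand makes the result null), which is an assumption beyond what the page states. The sample events are constructed.

```python
import ipaddress
import re


def spl_like(value, pattern):
    """Model of the SPL LIKE operator: '%' matches any run of characters,
    '_' matches exactly one, and everything else (including '.') is literal.
    A missing field (None) is a failed evaluation and yields None."""
    if value is None:
        return None
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None


def spl_cidrmatch(subnet, ip):
    """Model of cidrmatch(subnet, ip): True/False for a parseable address,
    None when the field is missing or not an IP address."""
    if ip is None:
        return None
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return None


def spl_or(a, b):
    # Three-valued OR (assumption, modelled on SQL): a True operand wins,
    # otherwise any None operand makes the whole result None.
    if a is True or b is True:
        return True
    if a is None or b is None:
        return None
    return False


def spl_div(a, b):
    # Division over extracted string values; non-numeric input or a zero
    # divisor is a failed evaluation and yields None.
    try:
        x, y = float(a), float(b)
    except (TypeError, ValueError):
        return None
    return None if y == 0 else x / y


def spl_gt(a, b):
    return None if a is None or b is None else a > b


def where(events, expr):
    """`| where expr`: keep an event only when expr evaluates to exactly True.
    False and None (failed evaluation) both drop the event."""
    return [e for e in events if expr(e) is True]


# Constructed events for Example 1. Field values are strings, as after extraction.
CHECKPOINT_EVENTS = [
    {"host": "CheckPoint", "src": "10.9.165.14", "dst": "192.0.2.7"},      # src matches LIKE
    {"host": "CheckPoint", "src": "172.16.3.9", "dst": "10.9.165.200"},    # .200 is outside /25
    {"host": "CheckPoint", "src": "172.16.3.9", "dst": "10.9.165.100"},    # dst inside /25
    {"host": "CheckPoint", "src": "172.16.3.9"},                           # no dst: cidrmatch is null
    {"host": "CheckPoint", "src": "10.9.1650.1", "dst": "10.9.166.1"},     # '.' is literal, so no match
]


def checkpoint_search(events):
    # host="CheckPoint" | where (src LIKE "10.9.165.%") OR cidrmatch("10.9.165.0/25", dst)
    base = [e for e in events if e.get("host") == "CheckPoint"]
    return where(
        base,
        lambda e: spl_or(
            spl_like(e.get("src"), "10.9.165.%"),
            spl_cidrmatch("10.9.165.0/25", e.get("dst")),
        ),
    )


# Constructed events for Example 2.
PHYSICS_EVENTS = [
    {"sourcetype": "physicsjobs", "job": "j1", "distance": "2500", "time": "20"},  # 125 > 100
    {"sourcetype": "physicsjobs", "job": "j2", "distance": "900", "time": "10"},   # 90, dropped
    {"sourcetype": "physicsjobs", "job": "j3", "distance": "400", "time": "0"},    # division by zero
    {"sourcetype": "physicsjobs", "job": "j4", "distance": "abc", "time": "5"},    # non-numeric
    {"sourcetype": "physicsjobs", "job": "j5", "distance": "3000"},                # time missing
    {"sourcetype": "webserver", "job": "j6", "distance": "3000", "time": "1"},     # excluded by base search
]


def physics_search(events):
    # sourcetype=physicsjobs | where distance/time > 100
    base = [e for e in events if e.get("sourcetype") == "physicsjobs"]
    return where(base, lambda e: spl_gt(spl_div(e.get("distance"), e.get("time")), 100))


if __name__ == "__main__":
    print([e["dst"] for e in checkpoint_search(CHECKPOINT_EVENTS)])  # ['192.0.2.7', '10.9.165.100']
    print([e["job"] for e in physics_search(PHYSICS_EVENTS)])        # ['j1']
```

The point the model makes visible is that `where` is stricter than a plain search term: an event that lacks one of the referenced fields, or whose value cannot be compared, is silently dropped rather than kept, so a detection built on `where` should be checked against events with missing or malformed fields to confirm it filters as intended.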
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11