where
Synopsis
Runs an eval expression to filter the results. The result of the expression must be Boolean.
Syntax
where <eval-expression>
Functions
The where command includes the following functions: abs(), case(), ceil(), ceiling(), cidrmatch(), coalesce(), commands(), exact(), exp(), floor(), if(), ifnull(), isbool(), isint(), isnotnull(), isnull(), isnum(), isstr(), len(), like(), ln(), log(), lower(), ltrim(), match(), max(), md5(), min(), mvappend(), mvcount(), mvindex(), mvfilter(), mvjoin(), now(), null(), nullif(), pi(), pow(), random(), relative_time(), replace(), round(), rtrim(), searchmatch(), split(), sqrt(), strftime(), strptime(), substr(), time(), tonumber(), tostring(), trim(), typeof(), upper(), urldecode(), validate().
For descriptions and examples of each function, see "Functions for eval and where".
Description
The where command uses eval expressions to filter search results; it keeps only the results for which the evaluation was successful (that is, the Boolean result was true).
The where command uses the same expression syntax as eval, and both commands interpret quoted strings as literals: a string that is not quoted is treated as a field name. Because of this, you can use where to compare two different fields against each other, which the search command cannot do.
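The literal-versus-field rule and the like()/cidrmatch() filtering described above, emulated in Python over a handful of constructed events (an added example, not Splunk code; the event records, the resolve() and where_equal() helper names, and the IP values are assumptions made for illustration):

```python
import ipaddress
import re

# Constructed sample events (not from the page), shaped like a CheckPoint search result.
EVENTS = [
    {"host": "CheckPoint", "src": "10.9.165.12", "dst": "192.0.2.7"},
    {"host": "CheckPoint", "src": "198.51.100.4", "dst": "10.9.165.200"},
    {"host": "CheckPoint", "src": "198.51.100.5", "dst": "10.9.165.40"},
    {"host": "CheckPoint", "src": "10.9.165.40", "dst": "10.9.165.40"},
    {"host": "other", "src": "10.9.165.99", "dst": "10.9.165.1"},
]

def like(value, pattern):
    """SPL-style like(): '%' = any run of characters, '_' = one character, rest literal."""
    if value is None:          # a missing field is null and never matches
        return False
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def cidrmatch(subnet, value):
    """SPL-style cidrmatch(subnet, ip): true when ip lies inside the CIDR block."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:         # missing field or unparsable address -> not a match
        return False

def resolve(token, event):
    """where's operand rule: a double-quoted token is a string literal,
    an unquoted token names a field (None when the event lacks it)."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    return event.get(token)

def where_equal(events, left, right):
    """Emulates `... | where <left>=<right>`; rows where either side is null are dropped."""
    kept = []
    for e in events:
        a, b = resolve(left, e), resolve(right, e)
        if a is not None and b is not None and a == b:
            kept.append(e)
    return kept

def checkpoint_filter(events):
    """host="CheckPoint" | where like(src, "10.9.165.%") OR cidrmatch("10.9.165.0/25", dst)"""
    return [e for e in events
            if e.get("host") == "CheckPoint"
            and (like(e.get("src"), "10.9.165.%") or cidrmatch("10.9.165.0/25", e.get("dst")))]
```

Compare where_equal(EVENTS, "src", "dst"), which matches the one event whose two fields are equal, with where_equal(EVENTS, "src", '"dst"'), which compares src against the literal string "dst" and matches nothing.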
Examples
Example 1: Return "CheckPoint" events whose source IP matches the pattern or whose destination IP is in the specified subnet.
host="CheckPoint" | where like(src, "10.9.165.%") OR cidrmatch("10.9.165.0/25", dst)
Example 2: Return "physicsjobs" events whose speed is greater than 100.
sourcetype=physicsjobs | where distance/time > 100
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the where command.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2