Search Reference





Runs an eval expression to filter the results. The result of the expression must be Boolean.


where <eval-expression>

Required arguments

Syntax: <string>
Description: A combination of values, variables, operators, and functions that represent the value of your destination field.

The syntax of the eval expression is checked before running the search, and an exception will be thrown for an invalid expression.

  • The result of an eval statement is not allowed to be boolean. If Splunk cannot evaluate the expression successfully at search-time for a given event, eval erases the value in the result field.
  • If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'.
  • If the expression references literal strings that contains non-alphanumeric characters, it needs to be surrounded by double quotes; for example, new="server-"+count.


The where command includes the following functions: abs, case, ceil, ceiling, cidrmatch, coalesce, commands, exact, exp, floor, if, ifnull, isbool, isint, isnotnull, isnull, isnum, isstr, len, like, ln, log, lower, ltrim, match, max, md5, min, mvappend, mvcount, mvindex, mvfilter, mvjoin, mvrange, mvzip, now, null, nullif, pi, pow, random, relative_time, replace, round, rtrim, searchmatch, sha1, sha256, sha512, sigfig, spath, split, sqrt, strftime, strptime, substr, time, tonumber, tostring, trim, typeof, upper, urldecode, validate..

For descriptions and examples of each function, see "Functions for eval and where".


The where command uses eval expressions to filter search results; it keeps only the results for which the evaluation was successful (that is, the Boolean result was true).

The where command uses the same expression syntax as eval. Also, both commands interpret quoted strings as literals. If the string is not quoted, it is treated as a field. Because of this, you can use where to compare two different fields, which you cannot use search to do.


Example 1: Return "CheckPoint" events that match the IP or is in the specified subnet.

host="CheckPoint" | where like(src, "10.9.165.%") OR cidrmatch("", dst)

Example 2: Return "physicjobs" events with a speed is greater than 100.

sourcetype=physicsjobs | where distance/time > 100

See also

eval, search, regex


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the where command.

This documentation applies to the following versions of Splunk: 6.0 , 6.0.1 , 6.0.2 , 6.0.3 , 6.0.4 , 6.0.5 , 6.0.6 , 6.0.7 , 6.0.8 , 6.1 , 6.1.1 , 6.1.2 , 6.1.3 , 6.1.4 , 6.1.5 , 6.1.6 , 6.1.7 , 6.2.0 , 6.2.1 , 6.2.2 View the Article History for its revisions.

You must be logged into in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!