Splunk® Data Stream Processor

Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Where

This topic describes how to use the function in the Splunk Data Stream Processor.

Description

The where function uses <boolean-expressions> to filter records. The where function only returns the results that evaluate to true.

Function Input/Output schema

Function Input
collection<record<R>>
This function takes in collections of records with schema R.
Function Output
collection<record<R>>
This function outputs collections of records with schema R.

Syntax

The required syntax is in bold.

where <boolean-expression>

Required arguments

boolean-expression
Syntax: <boolean-expression>
Description: A scalar function that returns a boolean value. See Boolean scalar functions.

Boolean expressions

The order in which Boolean expressions are evaluated with the where function is:

  1. Expressions within parentheses
  2. NOT clauses
  3. AND clauses
  4. OR clauses

SPL2 examples

1. Filter for records that occur past a specific timestamp

Return records that have a timestamp greater than 1546329600 (Tuesday, 01-Jan-2019 08:00:00 GMT+0000). 

...| where timestamp > 1546329600L |...;

2. Filters for records with 400, 401, 403, 404 values in the status field

Return records with 400, 401, 403, or 404 in the custom top-level status field. 

... | where status in("400", "401", "403", "404") | ...;

3. Filters out records that are null in the _value field

Returns records where the _value is not null. 

...| where _value IS NOT "null" |...;

4. Filters for records with WinEventLog source_type using a regular expression

Returns records that have the source_type "WinEventLog". 

...| where match_regex(source_type, /(?i)WinEventLog/) |...;

5. Filters for records with either syslog source_type or vmstat source_type

Returns records that have either syslog or vmstat as their source_type. 

...| where source_type="syslog" OR source_type="vmstat" |...;

6. Returns only records where the source_type field begins with "cisco".

You can only specify a wildcard with the where function by using the like operator. The percent ( % ) symbol is the wildcard you must use with the like operator. The where function returns like=TRUE if the source_type field starts with the value cisco. 

...| where like(source_type, "cisco%") |...;
Last modified on 23 September, 2020
Union   Source functions (Data Sources)

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters