Splunk® Data Stream Processor

Function Reference

DSP 1.2.0 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.

Where

This topic describes how to use the function in the .

Description

The where function uses <boolean-expressions> to filter records. The where function only returns the results that evaluate to true.

Function Input/Output schema

Function Input
collection<record<R>>
This function takes in collections of records with schema R.
Function Output
collection<record<R>>
This function outputs collections of records with schema R.

Syntax

The required syntax is in bold.

where <boolean-expression>

Required arguments

boolean-expression
Syntax: <boolean-expression>
Description: A scalar function that returns a boolean value. See Boolean operators.

Boolean expressions

The order in which Boolean expressions are evaluated with the where function is:

  1. Expressions within parentheses
  2. NOT clauses
  3. AND clauses
  4. OR clauses

SPL2 examples

Examples of common use cases follow. The following examples in this section assume that you are in the SPL View.

When working in the SPL View you can write the function by providing the arguments in the exact order shown in each use case.

1. Filter for records that occur past a specific timestamp

Return records that have a timestamp greater than 1546329600 (Tuesday, 01-Jan-2019 08:00:00 GMT+0000).

...| where timestamp > 1546329600L |...;

2. Filters for records with 400, 401, 403, 404 values in the status field

Return records with 400, 401, 403, or 404 in the custom top-level status field.

... | where status in("400", "401", "403", "404") | ...;

3. Filters out records that are null in the _value field

Returns records where the _value is not null.

...| where _value IS NOT "null" |...;

4. Filters for records that do not match a timestamp rule

The Apply Timestamp Extraction function adds a _rule field to the outgoing data. In order to better organize your data, you can filter for records where _rule is equal to NULL.

...| where map_keys(_rule) IS NULL |...;

5. Filters for records with WinEventLog source_type using a regular expression

Returns records that have the source_type "WinEventLog".

...| where match_regex(source_type, /(?i)WinEventLog/) |...;

6. Filters for records with either syslog source_type or vmstat source_type

Returns records that have either syslog or vmstat as their source_type.

...| where source_type="syslog" OR source_type="vmstat" |...;

7. Returns only records where the source_type field begins with "cisco".

You can only specify a wildcard with the where function by using the like operator. The percent ( % ) symbol is the wildcard you must use with the like operator. The where function returns like=TRUE if the source_type field starts with the value cisco.

...| where like(source_type, "cisco%") |...;
Last modified on 20 April, 2021
Union   Thru

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters