On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.
Where
This topic describes how to use the function in the .
Description
The where function uses <boolean-expressions> to filter records. The where function only returns the results that evaluate to true.
Function Input/Output schema
- Function Input
collection<record<R>>
- This function takes in collections of records with schema R.
- Function Output
collection<record<R>>
- This function outputs collections of records with schema R.
Syntax
The required syntax is in bold.
- where <boolean-expression>
Required arguments
- boolean-expression
- Syntax: <boolean-expression>
- Description: A scalar function that returns a boolean value. See Boolean operators.
Boolean expressions
The order in which Boolean expressions are evaluated with the where
function is:
- Expressions within parentheses
- NOT clauses
- AND clauses
- OR clauses
SPL2 examples
Examples of common use cases follow. The following examples in this section assume that you are in the SPL View.
When working in the SPL View you can write the function by providing the arguments in the exact order shown in each use case.
1. Filter for records that occur past a specific timestamp
Return records that have a timestamp greater than 1546329600 (Tuesday, 01-Jan-2019 08:00:00 GMT+0000).
...| where timestamp > 1546329600L |...;
2. Filters for records with 400, 401, 403, 404 values in the status field
Return records with 400, 401, 403, or 404 in the custom top-level status
field.
... | where status in("400", "401", "403", "404") | ...;
3. Filters out records that are null in the _value field
Returns records where the _value
is not null.
...| where _value IS NOT "null" |...;
4. Filters for records that do not match a timestamp rule
The Apply Timestamp Extraction function adds a _rule
field to the outgoing data. In order to better organize your data, you can filter for records where _rule
is equal to NULL.
...| where map_keys(_rule) IS NULL |...;
5. Filters for records with WinEventLog source_type using a regular expression
Returns records that have the source_type "WinEventLog".
...| where match_regex(source_type, /(?i)WinEventLog/) |...;
6. Filters for records with either syslog source_type or vmstat source_type
Returns records that have either syslog or vmstat as their source_type.
...| where source_type="syslog" OR source_type="vmstat" |...;
7. Returns only records where the source_type
field begins with "cisco".
You can only specify a wildcard with the where function by using the like
operator. The percent ( % ) symbol is the wildcard you must use with the like operator. The where function returns like=TRUE if the source_type field starts with the value cisco.
...| where like(source_type, "cisco%") |...;
Union | Thru |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5
Feedback submitted, thanks!