Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

where command examples

The where command expects a predicate expression. See Predicate expressions in the SPL2 Search Manual.

In most cases you can use the WHERE clause in the from command instead of using the where command separately.

1. Specify wildcards

You can only specify a wildcard with the where command by using the like function. The percent ( % ) symbol is the wildcard you must use with the like function.

In this example, the where command returns search results for values in the ipaddress field that start with 198..

... | where like(ipaddress, "198.%")

The like function supports several syntaxes, see Comparison and Conditional functions.

2. Match IP addresses or a subnet using the where command

Return events that match the IP or is in the specified subnet. This example uses both the like function and the cidrmatch function.

...| where like(src, "10.9.165.%") OR cidrmatch("10.9.165.0/25", dst)

3. Specify a calculation in the where command expression

Return events with a speed is greater than 100.

... | where distance/time > 100


See also

where command
where command overview
where command syntax details
where command usage
Last modified on 10 December, 2020
PREVIOUS
where command usage 		 

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters