Splunk® Cloud Services

SPL2 Search Reference


where command usage

The where command is identical to the WHERE clause in the from command.

Typically you use the where command when you want to filter the result of an aggregation or a lookup.

Using wildcards

You can use wildcards to match characters in string values. With the where command, you must use the like function.

  • Use the percent ( % ) symbol as a wildcard for matching multiple characters
  • Use the underscore ( _ ) character as a wildcard to match a single character

In this example, the where command returns search results for values in the ipaddress field that start with 198.

... | where like(ipaddress, "198.%")

See the like (<str>, <pattern>) function in the list of Comparison and Conditional eval functions.

Comparing two fields

One advantage of the where command is that you can use it to compare two different fields. You cannot do that with the search command. Here are some examples:

Command example and description:

... | where foo=bar

This search looks for events where the field foo is equal to the field bar.

... | where foo='bar-baz'

This search looks for events where the field foo is equal to the field bar-baz. Because the field name bar-baz contains a character that is not a-z, A-Z, 0-9, or an underscore ( _ ), it must be enclosed in single quotation marks.

search foo=bar

The search command handles this expression as a field=value pair. In this example, bar is interpreted as a string value, not as a field name.

... | where foo="bar"

This search looks for events where the field foo contains the string value bar.

Predicate expressions

The order in which predicate expressions are evaluated with the where command is:

  1. Expressions within parentheses
  2. NOT clauses
  3. AND clauses
  4. OR clauses

The where command evaluation order is different than the evaluation order used with the search command. The search command evaluates OR clauses before AND clauses.
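The two points above, the like() wildcards and the different operator precedence of where and search, are easy to get wrong in a detection search, so here is an added example (not from the Splunk documentation) that models both in Python: a small like() implementation and a shunting-yard evaluator whose binding order can be switched between the where rule (NOT, AND, OR) and the search rule (NOT, OR, AND). The sample events, the predicate names blocked/internal/admin and the helper names are constructed for this illustration.

```python
import re
# Constructed sample events; not taken from the Splunk documentation.
EVENTS = [
    {"ipaddress": "198.51.100.7", "action": "block", "user": "alice"},
    {"ipaddress": "203.0.113.9", "action": "allow", "user": "admin"},
    {"ipaddress": "1981.2.3.4", "action": "block", "user": "bob"},
]
# Binding strength per operator, higher binds tighter; parentheses always win.
WHERE_PRECEDENCE = {"NOT": 3, "AND": 2, "OR": 1}   # where: NOT, AND, then OR
SEARCH_PRECEDENCE = {"NOT": 3, "OR": 2, "AND": 1}  # search: NOT, OR, then AND
def like(value, pattern):
    """Model of SPL2 like(): '%' matches any run of characters, '_' exactly one."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None
def evaluate(tokens, values, precedence):
    """Shunting-yard evaluation of tokens like ['a', 'AND', 'b', 'OR', 'NOT', 'c']."""
    out, ops = [], []
    def apply():
        op = ops.pop()
        if op == "NOT":
            out.append(not out.pop())
        else:
            rhs, lhs = out.pop(), out.pop()
            out.append((lhs and rhs) if op == "AND" else (lhs or rhs))
    for tok in tokens:
        if tok == "(":
            ops.append(tok)
        elif tok == ")":
            while ops[-1] != "(":
                apply()
            ops.pop()
        elif tok in precedence:
            # Reduce operators that bind at least as tightly; a prefix NOT stacks on NOT.
            while ops and ops[-1] != "(" and (precedence[ops[-1]] > precedence[tok]
                                            or (precedence[ops[-1]] == precedence[tok] and tok != "NOT")):
                apply()
            ops.append(tok)
        else:
            out.append(values[tok])  # predicate name, already evaluated per event
    while ops:
        apply()
    return out[0]
def matching_users(tokens, precedence, events=EVENTS):
    # Users whose event satisfies the expression under the given operator precedence.
    hits = []
    for ev in events:
        values = {"blocked": ev["action"] == "block",
                  "internal": like(ev["ipaddress"], "198.%"), "admin": ev["user"] == "admin"}
        if evaluate(tokens, values, precedence):
            hits.append(ev["user"])
    return hits
```

Run with the expression blocked AND internal OR admin: under the where rule it reads (blocked AND internal) OR admin and matches alice and admin, under the search rule it reads blocked AND (internal OR admin) and matches only alice; adding explicit parentheses removes the ambiguity in either command.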


You can use a wide range of functions with the where command. See Overview of SPL2 eval functions.

See also

Where command
where command overview
where command syntax details
where command examples
Other commands
search command overview
Last modified on 20 December, 2021

This documentation applies to the following versions of Splunk® Cloud Services: current
