Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

where command usage

The where command is identical to the WHERE clause in the from command.

Typically you use the where command when you want to filter the result of an aggregation or a lookup.

Using wildcards

You can use wildcards to match characters in string values. With the where command, you must use the like function.

  • Use the percent ( % ) symbol as a wildcard for matching multiple characters
  • Use the underscore ( _ ) character as a wildcard to match a single character

In this example, the where command returns search results for values in the ipaddress field that start with 198.

... | where like(ipaddress, "198.%")

See the like (<str>, <pattern>) function in the list of Comparison and Conditional eval functions.

Comparing two fields

One advantage of the where command is that you can use it to compare two different fields. You cannot do that with the search command. Here are some examples:

Command Example Description
Where

... | where IPAddress=clientip

This search looks for events where the field IPAddress is equal to the field clientip.
Where

... | where clientip='ip-address'

This search looks for events where the field clientip is equal to the field ip-address. Because the field ip-address contains a character that is not a-z, A-Z, 0-9, or and underscore ( _ ), it must be enclosed in single quotation marks.
Search

search hostname=host

The search command handles these expressions as a field=value pair. In this example, The host is interpreted as a string value.
Where

... | where clientip="192.0.2.0"

This search looks for events where the field client contains the string value 192.0.2.0.

Predicate expressions

When you specify multiple predicate expressions, you must separate each expression with a logical operator.

The where command evaluation order is different than the evaluation order used with the search command. The search command evaluates OR clauses before AND clauses.

The order in which predicate expressions are evaluated with the where command is:

  1. Expressions within parentheses
  2. NOT clauses
  3. AND clauses
  4. OR clauses

Functions

You can use a wide range of functions with the where command. See Overview of SPL2 eval functions.

See also

Where command
where command overview
where command syntax details
where command examples
Other commands
search command overview
Last modified on 26 September, 2023
PREVIOUS
where command syntax details
  NEXT
where command examples

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters