where command overview
The where command uses <predicate-expressions> to filter search results. A predicate expression, when evaluated, returns either TRUE or FALSE. The where command only returns the results that evaluate to TRUE.
The where command is identical to the WHERE clause in the from command.
The required syntax is in bold.
- where <predicate-expression>
How the where command works
The where command acts as a filter on your search results. The where command takes the results from your search and removes all of the results that do not match the <predicate-expression> that you specify.
To use the where command, you must specify a <predicate-expression> that evaluates to TRUE. This can include an expression such as field=value. The following table shows a few examples:
| Expression | Description |
| --- | --- |
| | In this example, |
| | The IP address is a string value. All strings must be enclosed in double quotation marks. |
| | If the expression references a field name that contains characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character, the field name must be surrounded by single quotation marks. |
| | The expression can include a function. This example returns |
In addition to field=value expressions, you can specify a mathematical expression, a concatenation expression, or a comparison expression, as long as the expression evaluates to TRUE.
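The following searches are an added example, not from the Splunk documentation, showing each kind of predicate described above. The dataset name main and the fields status, clientip, 'ip address', host and bytes are assumed placeholders; the leading pipe and // comment syntax are assumed to be accepted by the SPL2 parser.

```spl2
// Equality on a numeric field value: keep only results where status is 404
| from main | where status=404

// String values must be enclosed in double quotation marks
| from main | where clientip="192.0.2.1"

// A field name containing a space must be enclosed in single quotation marks
| from main | where 'ip address'="192.0.2.1"

// The predicate can call an eval function; like() keeps hosts containing "sales"
| from main | where like(host, "%sales%")

// A comparison expression built from a mathematical expression
| from main | where bytes > 1024*10
```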
- Other commands
- from command overview
- Overview of SPL2 eval functions
This documentation applies to the following versions of Splunk® Cloud Services: current