Related Answers
Download topic as PDF
where
Description
The where command uses eval-expressions to filter search results. These eval-expressions must be Boolean expressions, where the expression returns either true or false. The where command returns only the results for which the eval expression returns true.
Syntax
where <eval-expression>
Required arguments
- eval-expression
- Syntax: <eval-mathematical-expression> | <eval-concatenate-expression> | <eval-comparison-expression> | <eval-boolean-expression> | <eval-function-call>
- Description: A combination of values, variables, operators, and functions that represent the value of your destination field. See Usage.
- The syntax of the eval expression is checked before running the search, and an exception is thrown for an invalid expression.
- The following table describes characteristics of eval expressions that require special handling.
Expression characteristics Description Example Field names starting with numeric characters If the expression references a field name that starts with a numeric character, the field name must be surrounded by single quotation marks. '5minutes'="late"
This expression is a field name equal to a string value. Because the field starts with a numeric it must be enclosed in single quotations. Because the value is a string, it must be enclosed in double quotations.Field names with non-alphanumeric characters If the expression references a field name that contains non-alphanumeric characters, the field name must be surrounded by single quotation marks. new=count+'server-1'
This expression could be interpreted as a mathematical equation, where the dash is interpreted as a minus sign. To avoid this, you must enclose the field nameserver-1in single quotation marks.Literal strings If the expression references a literal string, the literal string must be surrounded by double quotation marks. new="server-"+count
There are two issues with this example. First,server-could be interpreted as a field name or as part of a mathematical equation, that uses a minus sign and a plus sign. To ensure thatserver-is interpreted as a literal string, enclose the string in double quotation marks.
Usage
The where command is a distributable streaming command. See Command types.
The where command uses the same expression syntax as the eval command. Also, both commands interpret quoted strings as literals. If the string is not quoted, it is treated as a field name. Because of this, you can use the where command to compare two different fields, which you cannot use the search command to do.
| Command | Example | Description |
|---|---|---|
| Where |
|
This search looks for events where the field foo is equal to the field bar.
|
| Search |
|
This search looks for events where the field foo contains the string value bar.
|
| Where |
|
This search looks for events where the field foo contains the string value bar.
|
Boolean expressions
The order in which Boolean expressions are evaluated with the where command is:
- Expressions within parentheses
- NOT clauses
- AND clauses
- OR clauses
This evaluation order is different than the order used with the search command. The search command evaluates OR clauses before AND clauses.
Functions
You can use a wide range of functions with the where command. For general information about using functions, see Evaluation functions.
The following table lists the supported functions by type of function. Use the links in the table to learn more about each function, and to see examples.
| Type of function | Supported functions and syntax | ||
|---|---|---|---|
| Comparison and Conditional functions | case(X,"Y",...)
|
in(VALUE-LIST)
|
nullif(X,Y)
|
| Conversion functions | printf("format",arguments) |
tonumber(NUMSTR,BASE) |
tostring(X,Y) |
| Cryptographic functions | md5(X)
|
sha256(X) |
sha512(X) |
| Date and Time functions | now()
|
strftime(X,Y)
|
time() |
| Informational functions | isbool(X)
|
isnull(X)
|
isstr(X)
|
| Mathematical functions | abs(X)
|
floor(X)
|
pow(X,Y)
|
| Multivalue eval functions | commands(X)
|
mvfilter(X)
|
mvrange(X,Y,Z)
|
| Statistical eval functions | max(X,...) |
min(X,...) |
random() |
| Text functions | len(X)
|
rtrim(X,Y)
|
trim(X,Y)
|
| Trigonometry and Hyperbolic functions | acos(X)
|
atan2(X,Y)
|
sin(X)
|
Examples
1. Use the where command to match IP addresses or a subnet
Return "CheckPoint" events that match the IP or is in the specified subnet.
host="CheckPoint" | where like(src, "10.9.165.%") OR cidrmatch("10.9.165.0/25", dst)
2. Use the where command to specify a calculation
Return "physicsjobs" events with a speed is greater than 100.
sourcetype=physicsjobs | where distance/time > 100
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the where command.
|
PREVIOUS untable |
NEXT x11 |
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.8, 7.2.1, 7.2.0, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.1.7, 7.3.0, 7.3.1
Comments
"The result of the eval expression cannot be boolean" but both examples have where-arguments that are Boolean! (example 2 is "sourcetype=physicsjobs | where distance/time > 100") "distance/time > 100" is clearly Boolean. Something is seriously wrong (or confusing) about that expression characteristics statement.
DUThibault
Thank you so much for pointing this out! Indeed the eval-expression must be Boolean. I have updated the description and removed the section in the table that was incorrect.