where command uses eval-expressions to filter search results. These eval-expressions must be Boolean expressions, where the expression returns either true or false. The
where command returns only the results for which the eval expression returns true.
- Syntax: <eval-mathematical-expression> | <eval-concatenate-expression> | <eval-comparison-expression> | <eval-boolean-expression> | <eval-function-call>
- Description: A combination of values, variables, operators, and functions that represent the value of your destination field. See Usage.
- The <eval-expression> is case-sensitive. The syntax of the eval expression is checked before running the search, and an exception is thrown for an invalid expression.
- The following table describes characteristics of eval expressions that require special handling.
Expression characteristics Description Example Field names starting with numeric characters If the expression references a field name that starts with a numeric character, the field name must be surrounded by single quotation marks.
This expression is a field name equal to a string value. Because the field starts with a numeric it must be enclosed in single quotations. Because the value is a string, it must be enclosed in double quotations.
Field names with non-alphanumeric characters If the expression references a field name that contains non-alphanumeric characters, the field name must be surrounded by single quotation marks.
This expression could be interpreted as a mathematical equation, where the dash is interpreted as a minus sign. To avoid this, you must enclose the field name
server-1in single quotation marks.
Literal strings If the expression references a literal string, the literal string must be surrounded by double quotation marks.
There are two issues with this example. First,
server-could be interpreted as a field name or as part of a mathematical equation, that uses a minus sign and a plus sign. To ensure that
server-is interpreted as a literal string, enclose the string in double quotation marks.
where command is a distributable streaming command. See Command types.
The <eval-expression> is case-sensitive.
where command uses the same expression syntax as the
eval command. Also, both commands interpret quoted strings as literals. If the string is not quoted, it is treated as a field name. Because of this, you can use the
where command to compare two different fields, which you cannot use the
search command to do.
||This search looks for events where the field |
||This search looks for events where the field |
||This search looks for events where the value in the field |
The order in which Boolean expressions are evaluated with the
where command is:
- Expressions within parentheses
- NOT clauses
- AND clauses
- OR clauses
This evaluation order is different than the order used with the
search command. The
search command evaluates OR clauses before AND clauses.
Using a wildcard with the where command
You can only specify a wildcard by using the
like function with the
where command. The percent ( % ) symbol is the wildcard that you use with the
like function. See the like() evaluation function.
You can use a wide range of evaluation functions with the
where command. For general information about using functions, see Evaluation functions.
- For a list of functions by category, see Function list by category.
- For an alphabetical list of functions, see Alphabetical list of functions.
1. Specify a wildcard with the where command
You can only specify a wildcard with the
where command by using the
like function. The percent ( % ) symbol is the wildcard you must use with the
like function. The
where command returns
like=TRUE if the
ipaddress field starts with the value
... | where like(ipaddress, "198.%")
2. Match IP addresses or a subnet using the where command
Return "CheckPoint" events that match the IP or is in the specified subnet.
host="CheckPoint" | where like(src, "10.9.165.%") OR cidrmatch("10.9.165.0/25", dst)
3. Specify a calculation in the where command expression
Return "physicsjobs" events with a speed is greater than 100.
sourcetype=physicsjobs | where distance/time > 100
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5
Feedback submitted, thanks!