This topic contains a brief description of what the command does and a link to the specific documentation for the command. Before you continue, see Understanding SPL syntax for the conventions and rules used in this manual. Splunk SPL for SQL users to see how to use your SQL knowledge to learn SPL.

The Splunk where command is one of several options used to filter search results. It uses eval-expressions that return a Boolean result (true or false), and only returns results for which the eval expression is true.

- Increase efficiency of dashboards via extensions of base searches

An advantage of using the where command is that it will compare two different fields, which you cannot do with the search command.

For example: … | where foo=bar returns events where the contents of the field 'foo' are equal to the contents of the field 'bar'.

How to Use the Splunk Where Command

In comparison: search foo=bar returns events where the field foo contains the string 'bar'.

See the difference? However, the where command will return results like the search command if you put quotes around the value to match: … | where foo="bar"

When using the where command, there are several notes to keep in mind:

- You can do a wildcard search on multiple characters (%) or just one character (_) using the "like" operator with wildcards.
- The where command supports functions such as isnotnull().
- The where command uses the same expressions as "eval" to evaluate field values.

For example: the following is NOT a case-sensitive search:

    sourcetype=access_combined action="Purchase"

This will return all variations of purchase: Purchase, PURCHASE, pUrChAsE

Conversely, "where" performs a case-sensitive search – note the use of the "pipe" ( | ) symbol before the where command:

    sourcetype=access_combined | where action="Purchase"

This will only return items that are in the exact form of "Purchase".

Splunk Where Command Use Cases

Use case: greater than / lesser than
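The where behaviours described on this page (field-to-field versus quoted-literal comparison, case-sensitive matching, the like wildcards and isnotnull()), collected into one search as an added example that is not from the original page. It relies on the page's point that where and eval share the same expressions, so each predicate is evaluated into its own column. The five events are constructed with makeresults (marked by the sample field), and the column names and the use of lower() for a case-insensitive match are assumptions of this example.

```spl
| makeresults count=5
| streamstats count AS n
| eval sample="constructed"
| eval action=case(n==1,"Purchase", n==2,"PURCHASE", n==3,"pUrChAsE", n==4,"purchased", n==5,null())
| eval foo=case(n==1,"bar", n==2,"abc", n==3,"xyz", n==4,"bar", n==5,"q")
| eval bar=case(n==1,"bar", n==2,"abc", n==3,"123", n==4,"zzz", n==5,"q")
| eval field_vs_field=if(foo=bar, "match", "no")
| eval field_vs_literal=if(foo="bar", "match", "no")
| eval exact_case=if(action="Purchase", "match", "no")
| eval any_case=if(lower(action)="purchase", "match", "no")
| eval like_multi=if(like(action, "Purch%"), "match", "no")
| eval like_single=if(like(action, "P_rchase"), "match", "no")
| eval has_action=if(isnotnull(action), "yes", "no")
| table n sample action foo bar field_vs_field field_vs_literal exact_case any_case like_multi like_single has_action
```

Replacing the final table command with a where clause built from any one of these expressions, for example where foo=bar, keeps only the rows marked "match" in the corresponding column.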