Where command splunk


Command quick reference

The command names and related-command links did not survive extraction; only the one-line descriptions remain, one per line.

Produces a summary of each search result.
Keeps a running total of the specified numeric field.
Computes an event that contains the sum of all numeric fields for previous events.
Adds fields that contain common information about the current search.
Computes the sum of all numeric fields for each result.
Analyzes numerical fields for their ability to predict another discrete field.
Computes an "unexpectedness" score for an event.
Finds and summarizes irregular, or uncommon, search results.
Identifies anomalous events by computing a probability for each event and then detecting unusually small probabilities.
Appends subsearch results to current results.
Appends the fields of the subsearch results to current results, first results to first result, second to second, etc.
Appends the result of the subpipeline applied to the current result set to results.
Finds association rules between field values.
Identifies correlations between fields.
Returns audit trail information that is stored in the local audit index.
Sets up data for calculating the moving average.
(bucket) Puts continuous numerical values into discrete sets.
Replaces a field value with a higher-level grouping, such as replacing filenames with directories.
Returns results in a tabular output for charting. See also Statistical and charting functions.
Clusters similar events together.
Finds how many times field1 and field2 values occurred together.
Puts search results into a summary index.
Uses a duration field to find the number of "concurrent" events for each event.
Builds a contingency table for two fields.
Converts field values into numerical values.
Calculates the correlation between different fields.
Examines a data model or data model dataset and searches a data model dataset.
Returns information about the specified index.
Removes subsequent results that match a specified criteria.
Deletes specific events or search results.
Computes the difference in field value between nearby results.
Returns the difference between two search results.
Allows you to specify example or counter-example values to automatically extract fields that have similar values.
Calculates an expression and puts the value into a field. See also Evaluation functions.
Returns the number of events in an index.
Adds summary statistics to all search results.
(kv) Extracts field-value pairs from search results.
Expresses how to render a field at output time without changing the underlying value.
Removes fields from search results.
Generates summary information for all or a subset of the fields.
Replaces NULL values with the last non-NULL value.
Replaces null values with a specified value.
Generates a list of suggested event types.
Creates a higher-level grouping, such as replacing filenames with directories.
Runs a templatized streaming subsearch for each field in a wildcarded field list.
Takes the results of a subsearch and formats them into a single result.
Retrieves data from a dataset, such as a data model dataset, a CSV lookup, a KV Store lookup, a saved search, or a table dataset.
Transforms results into a format suitable for display by the Gauge chart types.
Generates time-range results.
Adds a field to each event that contains geographic data structures for polygon geometry in JSON; it is used for the choropleth map visualization.
Accepts two points that specify a bounding box for clipping a choropleth map. Points that fall outside of the bounding box are filtered out.
Generates statistics which are clustered into geographical bins to be rendered on a world map.
Returns the first n results.
Highlights the specified terms.
Returns a history of searches formatted as an events list or as a table.
Displays a unique icon for each different value in the list of fields that you specify.
Loads search results from the specified CSV file.
Loads search results from a specified static lookup table.
Extracts location information from IP addresses.
Combines the results of a subsearch with the results of a main search.
Performs k-means clustering on selected fields.
Extracts values from search results, using a form template.
Loads events or results of a previously completed search job.
Returns a list of the time ranges in which the search results were found.
Runs subsequent commands, that is all commands following this, locally and not on remote peers.
Explicitly invokes field value lookups.
Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart).
Changes a specified field into a multivalued field during a search.
Creates a specified number of empty search results.
A looping operator; performs a search over each search result.
Converts search results into metric data and inserts the data into a metric index on the search head.
Returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer.
Retrieves event metadata from indexes based on terms in the logical expression.
Converts search results into metric data and inserts the data into a metric index on the indexers.
Returns a preview of the raw metric data points in a specified metric index that match a provided filter.
Alias for another command.
Calculates statistics for the measurement, metric_name, and dimension fields in metric indexes.
Extracts field values from table-formatted events.
Runs multiple streaming searches at the same time.
Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field.
Expands the values of a multivalue field into separate events for each value of the multivalue field.
Changes a specified multivalued field into a single-value field at search time.
Removes outlying numerical values.
Outputs search results to a specified CSV file.
Writes search results to the specified static lookup table.
Outputs the raw text field of results into a specified field.
Finds events in a summary index that overlap in time or have missed events.
Runs pivot searches against a particular data model dataset.
Enables you to use time series algorithms to predict future values of fields.
Sets the RANGE field to the name of the ranges that match.
Displays the least common values of a field.
Implements parallel reduce search processing to shorten the search runtime of high-cardinality dataset searches.
Removes results that do not match the specified regular expression.
Converts the difference between 'now' and '_time' to a human-readable value and adds this value to the field 'reltime' in your search results.
Renames a specified field; wildcards can be used to specify multiple fields.
Replaces values of specified fields with a specified new value.
Causes a search to fail if the queries and commands that precede it in the search string return zero events or results.
Accesses a REST endpoint and displays the returned entities as search results.
Specifies the values to return from a subsearch.
Reverses the order of the results.
Specifies Perl regular expression named groups to extract fields while you search.
Buffers events from a real-time search to emit them in ascending time order when possible.
Returns the search results of a saved search.
(run) Runs an external Perl or Python script as part of your search.
Anonymizes the search results.
Searches indexes for matching events.
Finds transaction events within specified search constraints.
Joins results with itself.
Emails search results to a specified email address.
Performs set operations (union, diff, intersect) on subsearches.
Sets the field values for all results to a common value.
Summary indexing version of the chart command.
Summary indexing version of the rare command.
Summary indexing version of the stats command.
Summary indexing version of the timechart command.
Summary indexing version of the top command.
Sorts search results by the specified fields.
Provides a straightforward means for extracting fields from structured data formats, XML and JSON.
Provides statistics, grouped optionally by fields. See also Statistical and charting functions.
Concatenates string values.
Adds summary statistics to all search results in a streaming manner.
Creates a table using the specified fields.
Annotates specified fields in your search results with tags.
Returns the last n results.
Creates a time series chart and corresponding table of statistics. See also Statistical and charting functions.
Displays, or wraps, the output of the timechart command so that every range of time is a different series.
Displays the most common values of a field.
Groups search results into transactions.
Reformats rows of search results as columns.
Computes moving averages of fields.
Writes results into tsidx file(s) for later use by the tstats command.
Calculates statistics over tsidx files created with the tscollect command.
Returns typeahead information on a specified prefix.
Deprecated in favor of another command.
Generates suggested eventtypes.
Calculates the eventtypes for the search results.
Merges the results from two or more datasets into one dataset.
Removes any search result that is an exact duplicate of a previous result.
Converts results from a tabular format to a format similar to the output of another command.
The inverse of two other commands.
Generates a list of terms or indexed fields from each bucket of event indexes.
Performs arbitrary filtering on your data. See also Evaluation functions.
Enables you to determine the trend in your data by removing the seasonal pattern.
Extracts XML key-value pairs.
Unescapes XML.
Redefines the XML path.
Converts results into a format suitable for graphing.
Sours: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/ListOfSearchCommands

where command overview

The where command uses <predicate-expressions> to filter search results. A predicate expression, when evaluated, returns either TRUE or FALSE. The where command only returns the results that evaluate to TRUE.

The where command is identical to the WHERE clause in the from command.

Syntax

The required syntax is in bold.

where <predicate-expression>

How the where command works

The where command acts as a filter on your search results. The command takes the results from your search and removes all of the results that do not match the <predicate-expression> that you specify.

With the where command, you must specify a <predicate-expression> that evaluates to TRUE. This can be as simple as a comparison. The examples themselves did not survive extraction; the notes that accompanied them are:

The value being compared is a string literal. All strings must be enclosed in double quotation marks.
An IP address is a string value. All strings must be enclosed in double quotation marks.
If the expression references a field name that contains characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character, the field name must be surrounded by single quotation marks.
The expression can include a function. That example returns TRUE if one of the values in the field matches one of the values in the list.

In addition to predicate expressions, you can specify a mathematical expression, a concatenation expression, or a comparison expression, as long as the expression evaluates to TRUE.

For more information about expressions, see Expressions and Predicate expressions in the SPL2 Search Manual.

See also

where command
where command syntax details
where command usage
where command examples
Other commands
from command overview
Functions
Overview of SPL2 eval functions
Sours: https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandOverview

where command syntax details


The required syntax is in bold.

where <predicate-expression>

Required arguments

predicate-expression
Syntax: <predicate-expression>
Description: An expression that, when evaluated, returns either TRUE or FALSE.
The syntax of the <predicate-expression> is checked before running the search, and an exception is returned for an invalid expression.
For more information, see Predicate expressions in the SPL2 Search Manual.

See also

where command
where command overview
where command usage
where command examples

Last modified on 12 November, 2020

This documentation applies to the following versions of Splunk® Cloud Services: current



Sours: https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandSyntaxDetails

where command examples

The where command expects a predicate expression. See Predicate expressions in the SPL2 Search Manual.

In most cases you can use the WHERE clause in the from command instead of using the where command separately.

1. Specify wildcards

You can only specify a wildcard with the where command by using the like function. The percent ( % ) symbol is the wildcard you must use with the like function.

In this example, the where command returns search results for values in a field that start with a given prefix.

The like function supports several syntaxes; see Comparison and Conditional functions.

2. Match IP addresses or a subnet using the where command

Return events that match a given IP address or fall within the specified subnet. This example combines two functions: one for the IP address match and one for the subnet membership test.

3. Specify a calculation in the where command expression

Return events whose speed is greater than 100.
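The three examples above, modelled in Python as an added illustration (this is not code from the page or from Splunk). The like and cidrmatch functions are emulated with the standard library; the events, the field names src, dst, distance and time, the addresses and the 10.9.165.0/25 block are all constructed for this example, and the SPL lines quoted in the docstrings are an assumed form of the stripped examples, not text from the page:

```python
import ipaddress
import re


def spl_like(value, pattern):
    """Emulate SPL like(): '%' matches any run of characters, '_' exactly one.
    Every other character, including '.', is literal, so the pattern is
    translated into a regex rather than handed to re as-is."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, str(value), flags=re.DOTALL) is not None


def cidrmatch(subnet, ip):
    """Emulate SPL cidrmatch(): TRUE when ip lies inside the CIDR block.
    An unparsable address or subnet is simply not a match."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return False


def where(events, predicate):
    """Keep only the events for which the predicate evaluates to TRUE.
    A predicate that cannot be evaluated for an event (missing field,
    non-numeric value, division by zero) is not TRUE, so the event is
    dropped rather than raising, which mirrors the page's rule that only
    TRUE results pass."""
    kept = []
    for event in events:
        try:
            if predicate(event):
                kept.append(event)
        except (KeyError, TypeError, ValueError, ZeroDivisionError):
            pass
    return kept


# Constructed sample events (assumed field names src, dst, distance, time).
# The last event shows that '.' in a like() pattern is literal, not a wildcard.
EVENTS = [
    {"src": "10.9.165.14",  "dst": "10.9.165.200", "distance": 150, "time": 1},
    {"src": "10.9.165.77",  "dst": "192.0.2.10",   "distance": 40,  "time": 2},
    {"src": "172.16.4.9",   "dst": "10.9.165.120", "distance": 500, "time": 4},
    {"src": "172.16.4.10",  "dst": "10.9.165.130", "distance": 10,  "time": 0},
    {"src": "198.51.100.5", "dst": "203.0.113.7",  "distance": 9,   "time": 3},
    {"src": "10x9x165x14",  "dst": "203.0.113.8",  "distance": 1,   "time": 1},
]


def example_wildcard(events=EVENTS):
    """Example 1, assumed SPL: | where like(src, "10.9.165.%")"""
    return [e["src"] for e in where(events, lambda e: spl_like(e["src"], "10.9.165.%"))]


def example_ip_or_subnet(events=EVENTS):
    """Example 2, assumed SPL: | where like(src, "10.9.165.%") OR cidrmatch("10.9.165.0/25", dst)"""
    return [
        e["src"]
        for e in where(
            events,
            lambda e: spl_like(e["src"], "10.9.165.%") or cidrmatch("10.9.165.0/25", e["dst"]),
        )
    ]


def example_calculation(events=EVENTS):
    """Example 3, assumed SPL: | where distance/time > 100
    The event with time=0 cannot be evaluated and is dropped."""
    return [e["src"] for e in where(events, lambda e: e["distance"] / e["time"] > 100)]


if __name__ == "__main__":
    print("wildcard:     ", example_wildcard())
    print("ip or subnet: ", example_ip_or_subnet())
    print("calculation:  ", example_calculation())
```

The subnet check is the part worth getting right in a detection: 10.9.165.130 sits in the same /24 as the others but outside 10.9.165.0/25, so it is correctly excluded, while the wildcard alone would have let a lookalike such as 10x9x165x14 through only if '.' were treated as a regex metacharacter, which the translation avoids.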

See also

where command
where command overview
where command syntax details
where command usage
Sours: https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandExamples

Command splunk where

@nielsfranken1989, it seems like you are looking for an eval function, which allows you to evaluate multiple conditions and set the values according to the same. While you have used the command, the same can be used as an evaluation function as well. Refer to the documentation:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#case.28X.2C....
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/TextFunctions#replace.28X.2CY.2CZ...

Following is a run-anywhere search with some mock values. The commands before it just generate mock data. You would need to place your own base search to get the dest field.

PS:
As you would notice, I have performed the top command before eval. A transforming command should always be placed before a streaming command if possible. In simple words, let's say you have 100 events and the top command reduces the same to 10 unique destinations (dest); then eval will be performed only on 10 rows instead of 100. So you can imagine how much performance improvement there will be if you have thousands or millions of events.

The top command has a parameter that can be set to hide the percent column. Hence you would not need a separate pipe at the end. 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Sours: https://community.splunk.com/t5/Splunk-Search/How-to-use-the-where-command/m-p/361857

where command usage

The where command is identical to the WHERE clause in the from command.

Typically you use the where command when you want to filter the result of an aggregation or a lookup.

Comparing two fields

One advantage of the where command is that you can use it to compare two different fields. You cannot do that with the search command. The example searches did not survive extraction; the notes that accompanied them are:

where: This search looks for events where one field is equal to another field.
where: This search looks for events where one field is equal to another field. Because the second field name contains a character that is not a-z, A-Z, 0-9, or an underscore ( _ ), it must be enclosed in single quotation marks.
search: The search command handles the same expression as a field-value pair. In this example, the name on the right-hand side is interpreted as a string value, not as a field.
where: This search looks for events where the field contains the quoted string value.

Predicate expressions

The order in which predicate expressions are evaluated with the where command is:

  1. Expressions within parentheses
  2. NOT clauses
  3. AND clauses
  4. OR clauses

The where command evaluation order is different from the evaluation order used with the search command. The search command evaluates OR clauses before AND clauses.
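The two caveats above, the field-to-field comparison and the AND/OR evaluation order, modelled with a small predicate parser in Python. This is an added illustration, not code from the page or from Splunk: the grammar covers only comparisons joined by NOT, AND, OR and parentheses, the events and the field names user, approver, status and method are constructed for this example, and the two precedence tables are taken from the evaluation orders stated on this page.

```python
import operator
import re

# Grammar for both modes: field<op>value comparisons (no spaces around the
# operator, quoted values without spaces) joined by NOT, AND, OR and ( ).
TOKEN_RE = re.compile(
    r"\(|\)|\b(?:AND|OR|NOT)\b|[A-Za-z_][A-Za-z0-9_]*(?:<=|>=|!=|=|<|>)[^\s()]+"
)
CMP_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(<=|>=|!=|=|<|>)(.+)$")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}

# Binding strength of the binary operators (higher binds tighter):
#   where:  NOT, AND, OR  ->  a OR b AND c  ==  a OR (b AND c)
#   search: NOT, OR, AND  ->  a OR b AND c  ==  (a OR b) AND c
MODES = {"where": {"AND": 2, "OR": 1}, "search": {"OR": 2, "AND": 1}}


def tokenize(expr):
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unparsable expression: %r" % expr)
    return tokens


class Parser:
    """Precedence-climbing parser; the mode only swaps the precedence table."""

    def __init__(self, expr, mode):
        self.toks, self.pos, self.prec = tokenize(expr), 0, MODES[mode]

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def parse(self):
        node = self.binary(1)
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def binary(self, min_prec):
        left = self.unary()
        while self.peek() in self.prec and self.prec[self.peek()] >= min_prec:
            op = self.toks[self.pos]
            self.pos += 1
            left = (op, left, self.binary(self.prec[op] + 1))  # left-associative
        return left

    def unary(self):
        tok = self.peek()
        self.pos += 1
        if tok == "NOT":  # NOT binds tighter than AND/OR in both modes
            return ("NOT", self.unary())
        if tok == "(":
            node = self.binary(1)
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return node
        m = CMP_RE.match(tok or "")
        if not m:
            raise ValueError("expected a comparison, got %r" % tok)
        return ("CMP",) + m.groups()


def rhs(text, event, mode):
    """Right-hand side of a comparison. Under where a bare identifier names
    another field and strings must be double-quoted; under search the
    right-hand side is always a literal (the field-value pair on this page)."""
    if mode == "where" and IDENT_RE.match(text):
        return event.get(text)
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    try:
        return float(text)
    except ValueError:
        return text


def evaluate(node, event, mode):
    kind = node[0]
    if kind == "NOT":
        return not evaluate(node[1], event, mode)
    if kind == "AND":
        return evaluate(node[1], event, mode) and evaluate(node[2], event, mode)
    if kind == "OR":
        return evaluate(node[1], event, mode) or evaluate(node[2], event, mode)
    _, field, op, text = node
    left, right = event.get(field), rhs(text, event, mode)
    if left is None or right is None:  # a missing field is never TRUE
        return False
    if isinstance(right, float):
        try:
            left = float(left)
        except ValueError:
            return False
    return OPS[op](left, right)


def filter_events(events, expr, mode="where"):
    tree = Parser(expr, mode).parse()
    return [e for e in events if evaluate(tree, e, mode)]


def grouping(expr, mode):
    """Show how a mode grouped the expression, with every grouping made explicit."""
    def render(n):
        if n[0] == "CMP":
            return "".join(n[1:])
        if n[0] == "NOT":
            return "NOT " + render(n[1])
        return "(%s %s %s)" % (render(n[1]), n[0], render(n[2]))
    return render(Parser(expr, mode).parse())


# Constructed sample events (all field values are strings, as Splunk fields are).
EVENTS = [
    {"user": "alice", "approver": "bob",  "status": "200", "method": "GET"},
    {"user": "bob",   "approver": "bob",  "status": "302", "method": "GET"},
    {"user": "carol", "approver": "dave", "status": "200", "method": "POST"},
    {"user": "dave",  "approver": "dave", "status": "500", "method": "POST"},
]
PRECEDENCE_EXPR = 'status=200 OR status=302 AND method="POST"'
TWO_FIELD_EXPR = "user=approver"


def users(events):
    return [e["user"] for e in events]


if __name__ == "__main__":
    for mode in MODES:
        print(mode, grouping(PRECEDENCE_EXPR, mode),
              users(filter_events(EVENTS, PRECEDENCE_EXPR, mode)))
        print(mode, TWO_FIELD_EXPR, users(filter_events(EVENTS, TWO_FIELD_EXPR, mode)))
```

Run stand-alone it prints how each mode groups the precedence expression and who matches: where keeps alice and carol, search keeps only carol, which is the kind of silent narrowing that matters when the expression is the filter in a detection search. user=approver is a genuine two-field comparison under where (it flags bob and dave approving their own records) and a comparison against the literal string "approver" under search, so it matches nothing there. The string in method="POST" is quoted because under where an unquoted identifier on the right-hand side is read as a field name.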

Functions

You can use a wide range of functions with the where command. See Overview of SPL2 eval functions.

See also

Where command
where command overview
where command syntax details
where command examples
Other commands
search command overview
Sours: https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandUsage


