Splunk commands

where

search command to compare two fields
Possibility to use functions
- isnotnull()
- isnull()
- like()
- ….

# compare two field values
index=_index
| where a > b

# search for wildcards
index=perfmon counter=* 
| where counter like “%Disk%”

... | where like(ipaddress, "198.%")

# search for string in field
... | where foo="bar"

Metadata

When you want to know the time data were writen to an Index/sourcetype you can use metadata.

# show the metadata lastTime, firstTime and recentTime for the sourcetype
| metadata type=sourcetypes index=_internal 

# format the output to human readable
| metadata type=sourcetypes index=_internal 
| rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" 
| fieldformat Count=tostring(Count, "commas") 
| fieldformat "First Event"=strftime('First Event', "%c") 
| fieldformat "Last Event"=strftime('Last Event', "%c") 
| fieldformat "Last Update"=strftime('Last Update', "%c")

Splunk Documentation

references

Splunk Search Command of the Week: Where Command
SPL2 Search Reference: where command usage
[Docs Splunk: metadata]def3

Splunk commands

where

Metadata

references

You may also enjoy

Mastering Field Extraction in Splunk: Quick Guide

Mastering the Tstats Command in Splunk

A Technical Guide to Splunk Data Models