This page explains how to use the `where` operator in APL.

The `where` operator in APL is used to filter rows based on specified conditions. You can use the `where` operator to return only the records that meet the criteria you define. It’s a foundational operator in querying datasets, helping you focus on specific data by applying conditions to filter out unwanted rows. This is useful when working with large datasets, logs, traces, or security events, allowing you to extract meaningful information quickly.
Splunk SPL users

In Splunk SPL, the `where` operator filters events based on boolean expressions. APL’s `where` operator functions similarly, allowing you to filter rows that satisfy a condition.

ANSI SQL users
In ANSI SQL, the `WHERE` clause filters rows in a `SELECT` query based on a condition. APL’s `where` operator behaves similarly, but the syntax reflects APL’s specific dataset structures.

Parameters

- `condition`: A Boolean expression that specifies the filtering condition. The `where` operator returns only the rows that satisfy this condition.

Returns

The `where` operator returns a filtered dataset containing only the rows where the condition evaluates to true.
| _time | id | status | method | uri | req_duration_ms | geo.city | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-10-17 10:20:00 | 12345 | 404 | GET | /notfound.html | 120 | Seattle | US |
The `* has` pattern in APL is a dynamic and powerful tool within the `where` operator. It offers you the flexibility to search for a specific substring across all fields in a dataset without the need to specify each field name individually. This is especially advantageous when dealing with datasets that have numerous or dynamically named fields.
`where * has` is an expensive operation because it searches all fields. For a more efficient query, explicitly list the fields in which you want to search. For example: `where firstName has "miguel" or lastName has "miguel"`.
The `has` operator is case insensitive. Use `has` if you’re unsure about the case of the substring in the dataset. For the case-sensitive operator, use `has_cs`.
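The points above combined in one query, with field-scoped `has` in place of `* has`. This is an added example, not part of the original page; it assumes Axiom's sample dataset `['sample-http-logs']` with the fields shown in the table, and uses the `ago()` function and the `project` operator.

```apl
// Added example, not from the original page. Assumes Axiom's sample dataset
// ['sample-http-logs'] with the fields shown in the table above.
['sample-http-logs']
// Narrow the time range first so the later conditions scan fewer rows.
| where _time > ago(1h)
// Conditions combine with 'and' / 'or'; parentheses make the precedence explicit.
| where status == '404' and (method == 'GET' or method == 'HEAD')
// Field names that contain a dot must be quoted with ['...'].
| where ['geo.country'] == 'US'
// Name the field to search instead of the costly form that scans every field:
//   | where * has 'notfound'
// 'has' is case-insensitive, so '/NotFound.html' also matches; use 'has_cs'
// when the case of the substring must match exactly.
| where uri has 'notfound'
| project _time, id, status, method, uri, req_duration_ms, ['geo.city'], ['geo.country']
```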