Question 195 - SPLK-1002 discussion

A| where 10yearAnnerversary=Renewal-MonthYear. The where command is used to filter the search results based on an expression that evaluates to true or false. The where command can compare two fields, two values, or a field and a value. The where command can also use functions, operators, and wildcards to create complex expressions1. The syntax for the where command is: | where <expression> The expression can be a comparison, a calculation, a logical operation, or a combination of these. The expression must evaluate to true or false for each event. To compare two fields with the where command, you need to use the field names without any quotation marks. For example, if you want to find events where the values for the 10yearAnnerversary field match the values for the Renewal-MonthYear field, you can use the following syntax: | where 10yearAnnerversary=Renewal-MonthYear This will return only the events where the two fields have the same value. The other options are not correct because they use quotation marks around the field names, which will cause the where command to interpret them as string values instead of field names. For example, if you use: | where '10yearAnnerversary'='Renewal-MonthYear' This will return no events because there are no events where the string value '10yearAnnerversary' is equal to the string value 'Renewal-MonthYear'.