topic remove records from the query in Splunk Dev https://community.splunk.com/t5/Splunk-Dev/remove-records-from-the-query/m-p/686288#M11459 <P>I have written a splunk query and used streamstats command to make my output look like this:</P> <P>Query Used:</P> <P>...</P> <LI-CODE lang="markup">| streamstats current= f last(History) as Status by Ticket Id </LI-CODE> <P>| ...</P> <P>Current Output: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%" height="24px">Ticket ID</TD> <TD width="33.333333333333336%" height="24px">Priority&nbsp; &nbsp;</TD> <TD width="33.333333333333336%" height="24px">Status</TD> </TR> <TR> <TD> <P>1234</P> <P>4321</P> <P>5678</P> </TD> <TD>P1</TD> <TD> <P>Closed</P> <P>In Progress</P> </TD> </TR> <TR> <TD width="33.333333333333336%" height="24px">8765&nbsp;</TD> <TD width="33.333333333333336%" height="24px">P2&nbsp;</TD> <TD width="33.333333333333336%" height="24px">Closed</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>However I want to remove the record 4321 and look at all the closed tickets for Priority P1 and P2, but since it is also of P1 priority the entire record is getting removed for P1 when I use this query:</P> <P>...</P> <LI-CODE lang="markup">| streamstats current= f last(History) as Status by Ticket Id | where NOT Status IN ("In Progress")</LI-CODE> <P>| ...</P> <P>Output:</P> <TABLE border="1"> <TBODY> <TR> <TD width="74.2083px">Ticket ID</TD> <TD width="74.2083px">Priority&nbsp;</TD> <TD width="74.2083px">&nbsp;Status</TD> </TR> <TR> <TD width="74.2083px">8765&nbsp;</TD> <TD width="74.2083px">P2&nbsp;</TD> <TD width="74.2083px">Closed</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>How do I only remove 4321 as it is&nbsp; "In Progress" Status. Please help.</P> <P>Expected Output:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%">Ticket ID</TD> <TD width="33.333333333333336%">Priority&nbsp;</TD> <TD width="33.333333333333336%">&nbsp;Status</TD> </TR> <TR> <TD width="33.333333333333336%">1234&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 5678</TD> <TD width="33.333333333333336%">P1&nbsp;</TD> <TD width="33.333333333333336%">Closed</TD> </TR> <TR> <TD width="33.333333333333336%">8765&nbsp;</TD> <TD width="33.333333333333336%">P2&nbsp;</TD> <TD width="33.333333333333336%">Closed</TD> </TR> </TBODY> </TABLE> Fri, 03 May 2024 12:07:29 GMT avi123 2024-05-03T12:07:29Z remove records from the query https://community.splunk.com/t5/Splunk-Dev/remove-records-from-the-query/m-p/686288#M11459 <P>I have written a splunk query and used streamstats command to make my output look like this:</P> <P>Query Used:</P> <P>...</P> <LI-CODE lang="markup">| streamstats current= f last(History) as Status by Ticket Id </LI-CODE> <P>| ...</P> <P>Current Output: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%" height="24px">Ticket ID</TD> <TD width="33.333333333333336%" height="24px">Priority&nbsp; &nbsp;</TD> <TD width="33.333333333333336%" height="24px">Status</TD> </TR> <TR> <TD> <P>1234</P> <P>4321</P> <P>5678</P> </TD> <TD>P1</TD> <TD> <P>Closed</P> <P>In Progress</P> </TD> </TR> <TR> <TD width="33.333333333333336%" height="24px">8765&nbsp;</TD> <TD width="33.333333333333336%" height="24px">P2&nbsp;</TD> <TD width="33.333333333333336%" height="24px">Closed</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>However I want to remove the record 4321 and look at all the closed tickets for Priority P1 and P2, but since it is also of P1 priority the entire record is getting removed for P1 when I use this query:</P> <P>...</P> <LI-CODE lang="markup">| streamstats current= f last(History) as Status by Ticket Id | where NOT Status IN ("In Progress")</LI-CODE> <P>| ...</P> <P>Output:</P> <TABLE border="1"> <TBODY> <TR> <TD width="74.2083px">Ticket ID</TD> <TD width="74.2083px">Priority&nbsp;</TD> <TD width="74.2083px">&nbsp;Status</TD> </TR> <TR> <TD width="74.2083px">8765&nbsp;</TD> <TD width="74.2083px">P2&nbsp;</TD> <TD width="74.2083px">Closed</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>How do I only remove 4321 as it is&nbsp; "In Progress" Status. Please help.</P> <P>Expected Output:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%">Ticket ID</TD> <TD width="33.333333333333336%">Priority&nbsp;</TD> <TD width="33.333333333333336%">&nbsp;Status</TD> </TR> <TR> <TD width="33.333333333333336%">1234&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 5678</TD> <TD width="33.333333333333336%">P1&nbsp;</TD> <TD width="33.333333333333336%">Closed</TD> </TR> <TR> <TD width="33.333333333333336%">8765&nbsp;</TD> <TD width="33.333333333333336%">P2&nbsp;</TD> <TD width="33.333333333333336%">Closed</TD> </TR> </TBODY> </TABLE> Fri, 03 May 2024 12:07:29 GMT https://community.splunk.com/t5/Splunk-Dev/remove-records-from-the-query/m-p/686288#M11459 avi123 2024-05-03T12:07:29Z Re: remove records from the query https://community.splunk.com/t5/Splunk-Dev/remove-records-from-the-query/m-p/686289#M11460 <P>It looks like there may be something else going on in your search. Please share the full search (in a code block &lt;/&gt;). It would also be helpful (and quicker) if you could share some sample anonymised representative events.</P> Fri, 03 May 2024 09:27:17 GMT https://community.splunk.com/t5/Splunk-Dev/remove-records-from-the-query/m-p/686289#M11460 ITWhisperer 2024-05-03T09:27:17Z