https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344160#M101953 <P>Hi sh254087,<BR /> If you use the command <CODE>| fields - field2</CODE>, this field isn't more available for searches, so the following <CODE>where</CODE> command is always wrong!<BR /> you have to insert the search condition before the <CODE>| fields - field2</CODE> command.</P> <P>Anyway it's a best practice to put all the conditions as left as you can and not after table command.<BR /> So try something like this:</P> <PRE><CODE>index=your_index field2 != "testvaluexyz" | table field1 field2 field3 </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 20 Apr 2018 13:57:16 GMT gcusello 2018-04-20T13:57:16Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344157#M101950 <P>I am applying few conditions and logic to come up with values for different fields. I'm then displaying them using teh table command, like - <BR /> | table field1 field2 field3 etc</P> <P>I now want to display this table with a condition like the table should display only those rows where a field has a particular value. Ex - Display only those rows where field2="testvaluexyz". something like - SELECT FIELD1, FIELD2, FIELD3 FROM TABLE1 WHERE FIELD2="testvaluexyz" </P> <P>I'm trying with the below command after table command and getting any result.<BR /> |fields - field2| where field2 != "testvaluexyz"</P> <P>I can guess this may not be the right way. Can someone please help achieve this?</P> Fri, 20 Apr 2018 13:47:06 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344157#M101950 sh254087 2018-04-20T13:47:06Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344158#M101951 <P>the fields command will remove field2 so your where clause has nothing to compare so just flip the order</P> <PRE><CODE>| table field1 field2 field3 etc | where field2 != "testvaluexyz" | fields - field2 </CODE></PRE> Fri, 20 Apr 2018 13:52:55 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344158#M101951 kmaron 2018-04-20T13:52:55Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344159#M101952 <P>In your example you are removing field2 before using the filter</P> <P>Have you tried out:</P> <P><EM>yourbase search</EM> <BR /> | search field2="testvaluexyz"<BR /> | table field1 field2 field3</P> <P>In general you should filter as soon as possible. So if possible, filter it directly in the base search.</P> Fri, 20 Apr 2018 13:56:48 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344159#M101952 HeinzWaescher 2018-04-20T13:56:48Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344160#M101953 <P>Hi sh254087,<BR /> If you use the command <CODE>| fields - field2</CODE>, this field isn't more available for searches, so the following <CODE>where</CODE> command is always wrong!<BR /> you have to insert the search condition before the <CODE>| fields - field2</CODE> command.</P> <P>Anyway it's a best practice to put all the conditions as left as you can and not after table command.<BR /> So try something like this:</P> <PRE><CODE>index=your_index field2 != "testvaluexyz" | table field1 field2 field3 </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 20 Apr 2018 13:57:16 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344160#M101953 gcusello 2018-04-20T13:57:16Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344161#M101954 <P>Just after posting this I got this resolved. Just came across an other question on the forum where someone had made a comparison(not similar to my problem but it helped) using ==, the opposite of how I was trying. Instead of removing fields which is having values not matching with my value, this would display only those rows with the values which would match my value. Somehow I did not think this way. </P> <P>So the solution is (as simple as)-<BR /> | table field1 field2 field3<BR /> | where field2 == "testvaluexyz" </P> <P>I probably did not know how all I could use the where condition! Lesson learned. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Fri, 20 Apr 2018 14:00:19 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344161#M101954 sh254087 2018-04-20T14:00:19Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344162#M101955 <P>Tried this. This is removing the field2 completely. </P> Fri, 20 Apr 2018 14:05:58 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344162#M101955 sh254087 2018-04-20T14:05:58Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344163#M101956 <P>That's what the <CODE>fields - field2</CODE> command does. I assumed you wanted to remove it </P> Fri, 20 Apr 2018 14:08:00 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344163#M101956 kmaron 2018-04-20T14:08:00Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344164#M101957 <P>@kmaron Thank you for the response. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 20 Apr 2018 14:08:36 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344164#M101957 sh254087 2018-04-20T14:08:36Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344165#M101958 <P>@cusello this would display the field with the non-matching values. the other way of what I needed. Just checked this as well with a small change - </P> <P>|where field2 == "testvaluexyz"<BR /> |table field1 field2 field3</P> <P>This worked fine, just the way it did when I tried | where after | table command. </P> <P>Thank you too. Cheers. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 20 Apr 2018 14:14:52 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344165#M101958 sh254087 2018-04-20T14:14:52Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344166#M101959 <P>@HeinzWaescher This as well worked fine. Thank you. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 20 Apr 2018 14:23:43 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344166#M101959 sh254087 2018-04-20T14:23:43Z https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344167#M101960 <P>I wanted to remove the non matching entries alone and not the complete field. </P> Fri, 20 Apr 2018 14:29:36 GMT https://community.splunk.com/t5/Splunk-Search/how-to-display-only-those-rows-with-a-particular-value-in-a/m-p/344167#M101960 sh254087 2018-04-20T14:29:36Z