https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429007#M122702 <P>Is this now solved, based on your other comment, or are you still running into some issue?</P> Tue, 05 Jun 2018 09:41:52 GMT FrankVl 2018-06-05T09:41:52Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429000#M122695 <PRE><CODE>sourcetype="rocket:access" (host="rocket0.painpoint.com" OR host="rocket5.painpoint.com") date_wday!=saturday AND date_wday!=sunday | eval headers=split(_raw,"|") | eval request_id=mvindex(headers,2) | eval rtim=mvindex(headers,11) | table request_id,rtim request_id contains fields such as, o*1N0FIQQx292x15786665x0, i*1N0FIQQx292x15786665x0 o*1N0FIQQx292x15786664x0 i*1N0FIQQx292x15786664x0 </CODE></PRE> <P>I want to exclude the field values that starts with <STRONG>i</STRONG> and their corresponding <STRONG>rtim</STRONG> value as well.</P> Tue, 05 Jun 2018 08:59:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429000#M122695 zacksoft 2018-06-05T08:59:21Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429001#M122696 <P>Wouldn't a simple <CODE>| where request_id != "i*"</CODE> suffice? Or if, the request_id values that you want to keep always start with <CODE>o*</CODE>, make it a positive filter <CODE>| where request_id = "o*"</CODE>.</P> <P>Edit: as mentioned in comments below, where command does not support wildcards like that. Should use <CODE>| search request_id!="i*"</CODE>.</P> Tue, 29 Sep 2020 19:46:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429001#M122696 FrankVl 2020-09-29T19:46:13Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429002#M122697 <P>I tried adding that | where condition at the end , But after adding the search won't give me any output.</P> Tue, 05 Jun 2018 09:18:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429002#M122697 zacksoft 2018-06-05T09:18:26Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429003#M122698 <P>Can you then please share a screenshot of what the output looks like after running the search you mention in your question?</P> <P>Edit: Oh and I see I made a typo in my suggestion (fixed that now), misspelled the request_id field name. If you copy pasted that, maybe that was the simple reason you didn't get results.</P> Tue, 05 Jun 2018 09:21:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429003#M122698 FrankVl 2018-06-05T09:21:50Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429004#M122699 <P>I just added | search request_id!="i*"<BR /> It solved my problem.</P> Tue, 05 Jun 2018 09:25:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429004#M122699 zacksoft 2018-06-05T09:25:12Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429005#M122700 <P>o*1N0FIQQx329x15798006x3 <STRONG>37</STRONG><BR /> i*1N0FIQQx329x15798006x3 <STRONG>-</STRONG><BR /> o*1N0FIQQx329x15798005x3 <STRONG>5</STRONG><BR /> i*1N0FIQQx329x15798005x3 <STRONG>-</STRONG><BR /> o*1N0FIQQx329x15798004x3 <STRONG>58</STRONG><BR /> i*1N0FIQQx329x15798004x3 <STRONG>-</STRONG><BR /> o*1N0FIQQx329x15798002x5 <STRONG>281</STRONG><BR /> o*1N0FIQQx329x15798003x4 <STRONG>8</STRONG></P> <P>Above is how the output looks like.<BR /> the first column is 'request_id' and second one(mentioned in bold) is 'rtim'.<BR /> I want to remove the request_id starting with i* , because the corresponding rtim value is ' -' if reqeust_id is i*<BR /> After removing rtim with value '-' I want to be able to find the average of the column.<BR /> something like this</P> <P>sourcetype="rocket:access" (host="rocket0.painpoint.com" OR host="rocket5.painpoint.com") date_wday!=saturday AND date_wday!=sunday<BR /> | eval headers=split(_raw,"|")<BR /> | eval request_id=mvindex(headers,2)<BR /> | eval rtim=mvindex(headers,11)<BR /> | eval req_time_seconds=rtim*0.001 <BR /> | timechart span=1d eval(round(avg(req_time_seconds),2)) as Average_Response_Time</P> <P>Could you help here ?<BR /> Because of the presence of '-' in the rtim , the timechart command won't give any result.</P> Tue, 29 Sep 2020 19:50:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429005#M122700 zacksoft 2020-09-29T19:50:14Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429006#M122701 <P>My bad, where doesn't accept wildcard strings. The search command is indeed the way to go.</P> Tue, 05 Jun 2018 09:40:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429006#M122701 FrankVl 2018-06-05T09:40:15Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429007#M122702 <P>Is this now solved, based on your other comment, or are you still running into some issue?</P> Tue, 05 Jun 2018 09:41:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429007#M122702 FrankVl 2018-06-05T09:41:52Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429008#M122703 <P>Yes, I am. <BR /> The 'rtim' field contains "-" if reqeust_id starts with i*<BR /> I want to calculate average (i.e. | timechart span=1d eval(round(avg(rtim),2)) as Average_Response_Time) of rtim, But I am not able to do it as some of its values contain '-'.<BR /> That's why it is imperative to remove the events with request_id value with i*.</P> Tue, 29 Sep 2020 19:50:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429008#M122703 zacksoft 2020-09-29T19:50:17Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429009#M122704 <P>But you succeeded at filtering those out using <CODE>| search request_id!="i*"</CODE> right?</P> Tue, 05 Jun 2018 10:23:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429009#M122704 FrankVl 2018-06-05T10:23:03Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429010#M122705 <P>yes, |search request_id!="i*" works when I present the output with a table command.<BR /> But I intend to present the output in a timechart average format like below. And I am not sure where to apply the search fitering in that scenario</P> <P>host=A OR B or C<BR /> | eval headers=split(_raw,"|")<BR /> | eval request_id=mvindex(headers,2)<BR /> | eval rtim=mvindex(headers,11)<BR /> | eval req_time_seconds=rtim*0.001 <BR /> | timechart span=1d eval(round(avg(req_time_seconds),2)) as Average_Response_Time</P> Tue, 29 Sep 2020 19:50:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429010#M122705 zacksoft 2020-09-29T19:50:19Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429011#M122706 <P>Before the timechart command. Basically you can insert that piece as soon as that request_id field is set, so, this should work:</P> <PRE><CODE>host=A OR B or C | eval headers=split(_raw,"|") | eval request_id=mvindex(headers,2) | search request_id!="i*" | eval rtim=mvindex(headers,11) | eval req_time_seconds=rtim*0.001 | timechart span=1d eval(round(avg(req_time_seconds),2)) as Average_Response_Time </CODE></PRE> Tue, 05 Jun 2018 10:37:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-field-values-from-a-column/m-p/429011#M122706 FrankVl 2018-06-05T10:37:35Z