topic How to remove a row in a table in Splunk Search

How to remove a row in a table

kishan2356 — Tue, 12 Nov 2019 20:35:38 GMT

_time A B C D
6:05 1 1 5 8
6:10 0 3 2 2
6:15 5 0 6 2
6:20 8 9 2 7
6:25 9 2 4 5
6:30 6 7 2 8

Hi, I have a table in a dashboard where time is broken up into 5 min bins.
What I’m trying to do is eliminate all rows based on the value of a cell in a column.
In my case, if any value in column A (above table) equals 0 I want the whole row to not be displayed.
In the table above the row of 6:10 would be removed, and the table should be as follows:

_time A B C D
6:05 1 1 5 8
6:15 5 0 6 2
6:20 8 9 2 7
6:25 9 2 4 5
6:30 6 7 2 8

I’ve tried using | where clause but it did not work.
Is there a way to accomplish this?

Re: How to remove a row in a table

wmyersas — Tue, 12 Nov 2019 21:13:01 GMT

Presuming you have some search that generates your table ... try this:

index=ndx sourcetype=srctp A=* B=* C=* D=*
| bin _time span=5m
| stats sum(A) as A sum(B) as B sum(C) as C sum(D) as D by somefield
| search A>0

The | search A>0 will throw-out any events from the stats results that have a 0 (or less than 0) in the A column

Re: How to remove a row in a table

mayurr98 — Tue, 12 Nov 2019 21:29:19 GMT

whats your search query?

Re: How to remove a row in a table

kishan2356 — Wed, 30 Sep 2020 02:57:02 GMT

Below is the source code

<input type="time" token="time_finder" searchWhenChanged="true">
  <label>Time Picker</label>
  <default>
    <earliest>@d</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest),"-0d")</eval>
    <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), "-0d")</eval>
    <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
    <eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
    <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
    <eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
    <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
    <eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
    <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
    <eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
  </change>
</input>


<panel>
  <title>XX</title>
  <table>
    <title></title>
    <search>
      <query>| multisearch 
[ search index=XX sourcetype=XX earliest=$earliestTime$ latest=$latestTime$ 
| eval label="XX"  
| fields -_raw _time ecn label ] 
[ search index=XX sourcetype=XX earliest=$earliestTime1$ latest=$latestTime1$ 
| eval _time=_time+60*60*24*7 
| eval label="XX" 
| fields -_raw _time ecn label ] 
[ search index=XX sourcetype=XX earliest=$earliestTime2$ latest=$latestTime2$ 
| eval _time=_time+60*60*24*14 
| eval label="XX" 
| fields -_raw _time ecn label ] 
[ search index=XX sourcetype=XX earliest=$earliestTime3$ latest=$latestTime3$ 
| eval _time=_time+60*60*24*21 
| eval label="XX" 
| fields -_raw _time ecn label ] 
[ search index=XX sourcetype=XX earliest=$earliestTime4$ latest=$latestTime4$ 
| eval _time=_time+60*60*24*28 
| eval label="XX" 
| fields -_raw _time ecn label]

Re: How to remove a row in a table

to4kawa — Mon, 02 Dec 2019 12:24:55 GMT

index=XX sourcetype=XX  (earliest=$earliestTime$ latest=$latestTime$) OR (earliest=$earliestTime1$ latest=$latestTime1$) OR (earliest=$earliestTime2$ latest=$latestTime2$) OR (earliest=$earliestTime3$ latest=$latestTime3$) OR (earliest=$earliestTime4$ latest=$latestTime4$)
| streamstats values(eval(strftime(_time,"%m%d"))) as label
| bin span=5m _time
| streamstats values(eval(strftime(_time,"%H:%M:%S"))) as time
| chart dc(ecn) over time by label
| where time!=$click.value$

What about this query?

You have to put "nothing" in $click.value$ in <init>