https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681744#M232965 <P>I do not believe that <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mstats#Comparison_expression_options" target="_blank" rel="noopener">mstats</A>&nbsp;supports filtering by metric value. &nbsp;But the question is also too vague. &nbsp;Maybe you can explain your use case? &nbsp;What does "remove values with '0'" mean? &nbsp;From what calculation? &nbsp;Given the three sample values you illustrated for metric <U>calc:service.thaa_stress_requests_lr_tags</U>, what is desired result from avg(calc:service.thaa_stress_requests_lr_tags)? &nbsp;If your search period contains these three values, is the actual result&nbsp;<SPAN>2602841.3333333335, i.e., (4115725 + 0 +&nbsp;3692799) / 3? &nbsp;Why do you want it to be different from the definition?</SPAN></P><P><SPAN>Further more, what method do you use to reveal those three values? &nbsp;Metrics index cannot be searched as index search. &nbsp;mstats can only give you aggregations. &nbsp;Even if you group by _timeseries, you still only get aggregations. &nbsp;This returns to the fundamental question: What is the point of "removing values with '0'"?</SPAN></P> Sat, 23 Mar 2024 07:51:47 GMT yuanliu 2024-03-23T07:51:47Z https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681672#M232941 <P>I have below query to calculate average response times. For some reason some times the value is coming as '0'. i wanted to remove those values from my calculation.&nbsp;</P> <LI-CODE lang="markup">| mstats sum(calc:service.thaa_stress_requests_count_lr_tags) As "Count" ,avg(calc:service.thaa_stress_requests_lr_tags) As "Response" where index=itsi_im_metrics by Dimension.id | eval Response=round((Response/1000000),2), Count=round(Count,0) | search Dimension.id IN ("*Process.aspx")</LI-CODE> <P>-- Sample Values&nbsp;</P> <P>metric_name:calc:service.thaa_stress_requests_lr_tags:&nbsp;4115725</P> <P>metric_name:calc:service.thaa_stress_requests_lr_tags: 0</P> <P>metric_name:calc:service.thaa_stress_requests_lr_tags:&nbsp;3692799</P> Fri, 22 Mar 2024 14:06:53 GMT https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681672#M232941 sabari80 2024-03-22T14:06:53Z https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681673#M232942 <P>Try something like this</P><LI-CODE lang="markup">| mstats sum(eval(if('calc:service.thaa_stress_requests_count_lr_tags'&gt;0, 'calc:service.thaa_stress_requests_count_lr_tags', null()))) As "Count", avg(eval(if('calc:service.thaa_stress_requests_lr_tags'&gt;0, 'calc:service.thaa_stress_requests_lr_tags', null()))) As "Response" where index=itsi_im_metrics by Dimension.id</LI-CODE> Fri, 22 Mar 2024 13:58:46 GMT https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681673#M232942 ITWhisperer 2024-03-22T13:58:46Z https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681675#M232944 <P>getting error -&nbsp;</P> <P><SPAN>Error in 'mstats' command: Invalid token:&nbsp;</SPAN></P> <LI-CODE lang="markup">sum(eval(if('calc:service.thaa_stress_requests_count_lr_tags'&gt;0</LI-CODE> Fri, 22 Mar 2024 14:06:28 GMT https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681675#M232944 sabari80 2024-03-22T14:06:28Z https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681701#M232947 <P>Try without quotes around the field names (perhaps there is something significant about the colon?</P><LI-CODE lang="markup">| mstats sum(eval(if(calc:service.thaa_stress_requests_count_lr_tags&gt;0, calc:service.thaa_stress_requests_count_lr_tags, null()))) As "Count", avg(eval(if(calc:service.thaa_stress_requests_lr_tags&gt;0, calc:service.thaa_stress_requests_lr_tags, null()))) As "Response" where index=itsi_im_metrics by Dimension.id</LI-CODE> Fri, 22 Mar 2024 16:23:21 GMT https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681701#M232947 ITWhisperer 2024-03-22T16:23:21Z https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681702#M232948 <P>yes tried it out with all options already, with quote, without quote &amp; double quotes. All are giving the same error.</P> <P><SPAN>Error in 'mstats' command: <BR /></SPAN></P> <LI-CODE lang="markup">Invalid token: sum(eval(if(calc:service.thaa_stress_requests_count_lr_tags&gt;0</LI-CODE> <P><SPAN>&nbsp;</SPAN></P> Fri, 22 Mar 2024 18:40:22 GMT https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681702#M232948 sabari80 2024-03-22T18:40:22Z https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681744#M232965 <P>I do not believe that <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mstats#Comparison_expression_options" target="_blank" rel="noopener">mstats</A>&nbsp;supports filtering by metric value. &nbsp;But the question is also too vague. &nbsp;Maybe you can explain your use case? &nbsp;What does "remove values with '0'" mean? &nbsp;From what calculation? &nbsp;Given the three sample values you illustrated for metric <U>calc:service.thaa_stress_requests_lr_tags</U>, what is desired result from avg(calc:service.thaa_stress_requests_lr_tags)? &nbsp;If your search period contains these three values, is the actual result&nbsp;<SPAN>2602841.3333333335, i.e., (4115725 + 0 +&nbsp;3692799) / 3? &nbsp;Why do you want it to be different from the definition?</SPAN></P><P><SPAN>Further more, what method do you use to reveal those three values? &nbsp;Metrics index cannot be searched as index search. &nbsp;mstats can only give you aggregations. &nbsp;Even if you group by _timeseries, you still only get aggregations. &nbsp;This returns to the fundamental question: What is the point of "removing values with '0'"?</SPAN></P> Sat, 23 Mar 2024 07:51:47 GMT https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681744#M232965 yuanliu 2024-03-23T07:51:47Z https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681748#M232967 <P>using mpreview command to explore the results&nbsp;</P> <LI-CODE lang="markup">| mpreview index=itsi_im_metrics | search "calc:service.thaa_stress_requests_lr_tags" "Dimension.id"="*Process.aspx"</LI-CODE> <P>Those values with '0' is not actual response, for some reason these entries are there and its affecting the overall average response. so wanted to remove those values from the calculation.&nbsp;</P> <P>&nbsp;</P> <P>instead of this --&gt;&nbsp;<SPAN>(4115725 + 0 +&nbsp;3692799) / 3, i want this --&gt;&nbsp;(4115725 + 3692799) / 2</SPAN></P> Sat, 23 Mar 2024 15:51:36 GMT https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681748#M232967 sabari80 2024-03-23T15:51:36Z https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681761#M232974 <P>Thank you for introducing msearch aka mpreview. &nbsp;As I mentioned before, mstats doesn't allow filtering by value. &nbsp;So, you need to take care of stats after mpreview. &nbsp;Something like</P><LI-CODE lang="markup">| mpreview index=itsi_im_metrics | search Dimension.id IN ("*Process.aspx") calc:service.thaa_stress_requests_count_lr_tags&gt;0 calc:service.thaa_stress_requests_lr_tags &gt; 0 | stats sum(calc:service.thaa_stress_requests_count_lr_tags) As "Count" , avg(calc:service.thaa_stress_requests_lr_tags) As "Response" by Dimension.id | eval Response=round((Response/1000000),2), Count=round(Count,0)</LI-CODE> Sun, 24 Mar 2024 05:48:29 GMT https://community.splunk.com/t5/Splunk-Search/To-Remove-values-with-0-from-the-calculation/m-p/681761#M232974 yuanliu 2024-03-24T05:48:29Z