Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to delete rows in a table based on a field val...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leandrot
Explorer
04-05-2018
11:53 AM
Hi all,
I have a table which displays data from a query, what I want to achieve is to delete entire rows if the value of a particular field is zero
Thanks in advance
Best regards
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
04-05-2018
12:30 PM
I think it might have to do with your field name. I used a query of mine and when I renamed the field to a field name that required quotes the Where clause no longer worked.
Can you try changing your query to this:
index=a source=ab sourcetype=qm DESK=$desk_token$
|stats sum(PNR_COUNT) as TotalTicketsonQueue sum(AGENT_COUNT) as "Total Agents on Queue" max(OLDEST_Ticket) as "Oldest Ticket on Queue (mins)" by DESK,QUEUE_CITY,QUEUE_NUMBER
| replace "0" WITH " " IN "Total of Agents on Queue" "Oldest PNR on Queue (mins)"
|rename QUEUE_CITY as "Queue city", QUEUE_NUMBER as "Queue Number"
|rangemap field="Oldest PNR on Queue (mins)" low=1-22000 elevated=22001-35000 severe=35001-99999999 default=" "
|sort "Oldest PNR on Queue (mins)" desc
| where NOT TotalTicketsonQueue == "0"
| rename TotalTicketsonQueue as "Total Tickets on Queue"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
04-05-2018
12:30 PM
I think it might have to do with your field name. I used a query of mine and when I renamed the field to a field name that required quotes the Where clause no longer worked.
Can you try changing your query to this:
index=a source=ab sourcetype=qm DESK=$desk_token$
|stats sum(PNR_COUNT) as TotalTicketsonQueue sum(AGENT_COUNT) as "Total Agents on Queue" max(OLDEST_Ticket) as "Oldest Ticket on Queue (mins)" by DESK,QUEUE_CITY,QUEUE_NUMBER
| replace "0" WITH " " IN "Total of Agents on Queue" "Oldest PNR on Queue (mins)"
|rename QUEUE_CITY as "Queue city", QUEUE_NUMBER as "Queue Number"
|rangemap field="Oldest PNR on Queue (mins)" low=1-22000 elevated=22001-35000 severe=35001-99999999 default=" "
|sort "Oldest PNR on Queue (mins)" desc
| where NOT TotalTicketsonQueue == "0"
| rename TotalTicketsonQueue as "Total Tickets on Queue"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leandrot
Explorer
04-05-2018
12:45 PM
Many thanks!!! It worked!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
04-05-2018
12:47 PM
Glad to hear it!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shivamgoyal23
New Member
04-05-2018
12:04 PM
I think this will be helpful:
https://answers.splunk.com/answers/498923/if-an-entry-exists-in-stats-remove-the-entire-line.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
04-05-2018
12:04 PM
You just need to add a where clause.
| where NOT field==0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leandrot
Explorer
04-05-2018
12:12 PM
Here is the query:
index=a source=ab sourcetype=qm DESK=$desk_token$
|stats sum(PNR_COUNT) as "Total Tickets on Queue" sum(AGENT_COUNT) as "Total Agents on Queue" max(OLDEST_Ticket) as "Oldest Ticket on Queue (mins)" by DESK,QUEUE_CITY,QUEUE_NUMBER
| replace "0" WITH " " IN "Total of Agents on Queue" "Oldest PNR on Queue (mins)"
|rename QUEUE_CITY as "Queue city", QUEUE_NUMBER as "Queue Number"
|rangemap field="Oldest PNR on Queue (mins)" low=1-22000 elevated=22001-35000 severe=35001-99999999 default=" "
|sort "Oldest PNR on Queue (mins)" desc
| where NOT "Total Tickets on Queue"=="0"
I already tried that but was not working
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
