Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to delete rows in a table based on a field value?

leandrot
Explorer
‎04-05-2018 11:53 AM

Hi all,

I have a table which displays data from a query, what I want to achieve is to delete entire rows if the value of a particular field is zero

Thanks in advance

Best regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmaron
Motivator
‎04-05-2018 12:30 PM

I think it might have to do with your field name. I used a query of mine and when I renamed the field to a field name that required quotes the Where clause no longer worked.

Can you try changing your query to this:

index=a source=ab sourcetype=qm DESK=$desk_token$ 
|stats sum(PNR_COUNT) as TotalTicketsonQueue sum(AGENT_COUNT) as "Total Agents on Queue" max(OLDEST_Ticket) as "Oldest Ticket on Queue (mins)" by DESK,QUEUE_CITY,QUEUE_NUMBER 
| replace "0" WITH " " IN "Total of Agents on Queue" "Oldest PNR on Queue (mins)" 
|rename QUEUE_CITY as "Queue city", QUEUE_NUMBER as "Queue Number" 
|rangemap field="Oldest PNR on Queue (mins)" low=1-22000 elevated=22001-35000 severe=35001-99999999 default=" "
|sort "Oldest PNR on Queue (mins)" desc
| where NOT TotalTicketsonQueue == "0"
| rename TotalTicketsonQueue as "Total Tickets on Queue"

View solution in original post

Reply
Solved! Jump to solution
Solution

kmaron
Motivator
‎04-05-2018 12:30 PM

I think it might have to do with your field name. I used a query of mine and when I renamed the field to a field name that required quotes the Where clause no longer worked.

Can you try changing your query to this:

index=a source=ab sourcetype=qm DESK=$desk_token$ 
|stats sum(PNR_COUNT) as TotalTicketsonQueue sum(AGENT_COUNT) as "Total Agents on Queue" max(OLDEST_Ticket) as "Oldest Ticket on Queue (mins)" by DESK,QUEUE_CITY,QUEUE_NUMBER 
| replace "0" WITH " " IN "Total of Agents on Queue" "Oldest PNR on Queue (mins)" 
|rename QUEUE_CITY as "Queue city", QUEUE_NUMBER as "Queue Number" 
|rangemap field="Oldest PNR on Queue (mins)" low=1-22000 elevated=22001-35000 severe=35001-99999999 default=" "
|sort "Oldest PNR on Queue (mins)" desc
| where NOT TotalTicketsonQueue == "0"
| rename TotalTicketsonQueue as "Total Tickets on Queue"
Reply
Solved! Jump to solution

leandrot
Explorer
‎04-05-2018 12:45 PM

Many thanks!!! It worked!!

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎04-05-2018 12:47 PM

Glad to hear it!!

0 Karma
Reply
Solved! Jump to solution

shivamgoyal23
New Member
‎04-05-2018 12:04 PM

I think this will be helpful:

https://answers.splunk.com/answers/498923/if-an-entry-exists-in-stats-remove-the-entire-line.html

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎04-05-2018 12:04 PM

You just need to add a where clause.

| where NOT field==0
Reply
Solved! Jump to solution

leandrot
Explorer
‎04-05-2018 12:12 PM

Here is the query:

index=a source=ab sourcetype=qm DESK=$desk_token$
|stats sum(PNR_COUNT) as "Total Tickets on Queue" sum(AGENT_COUNT) as "Total Agents on Queue" max(OLDEST_Ticket) as "Oldest Ticket on Queue (mins)" by DESK,QUEUE_CITY,QUEUE_NUMBER
| replace "0" WITH " " IN "Total of Agents on Queue" "Oldest PNR on Queue (mins)"
|rename QUEUE_CITY as "Queue city", QUEUE_NUMBER as "Queue Number"
|rangemap field="Oldest PNR on Queue (mins)" low=1-22000 elevated=22001-35000 severe=35001-99999999 default=" "
|sort "Oldest PNR on Queue (mins)" desc
| where NOT "Total Tickets on Queue"=="0"

I already tried that but was not working

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...