Display values of all fields in a row if one field value is greater than 100

karthikganduri
Engager

Hi All,

I am displaying the names based on dates and used a where condition to display only values that are greater than 100 (where runs > 100). Below is how the table shows, but I want to display the other values in the row with the actual value instead of showing them as empty.

| where runs > 100 | xyseries Name dayOfDate runs

Name Date1 Date2 Date3 Date4 Date5
Sachi 101
Kohli  108  
ABD 104 105 

 

 

richgalloway
SplunkTrust

Once the where command discards results, there's no getting them back. The query has to be written to exclude results where all runs values are <=100. Please share the full query and we can help you do that.

---
If this reply helps you, Karma would be appreciated.

johnhuang
Motivator

I think this is what you're asking for:

| eventstats MAX(runs) AS max_run BY Name
| where max_run > 100
| chart limit=20 MAX(runs) AS runs BY Name dayOfDate

karthikganduri
Engager

Thanks. It worked 🙂

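An added example, not part of the original thread: a self-contained search that builds sample rows with makeresults, applies the per-Name eventstats filter from the accepted answer, and then pivots with the xyseries call from the question. The sample rows are constructed: only the values 101, 108, 104 and 105 come from the question, while the other run values, the date each value falls on and the player Dhoni are assumptions.

```spl
| makeresults
| eval constructed_sample="Sachi,Date1,101;Sachi,Date2,45;Sachi,Date3,78;Kohli,Date1,60;Kohli,Date2,88;Kohli,Date3,108;ABD,Date1,35;ABD,Date2,104;ABD,Date3,52;ABD,Date4,105;Dhoni,Date1,40;Dhoni,Date2,99"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| eval parts=split(constructed_sample, ",")
| eval Name=mvindex(parts, 0), dayOfDate=mvindex(parts, 1), runs=tonumber(mvindex(parts, 2))
| fields Name dayOfDate runs
| eventstats max(runs) AS max_run BY Name
| where max_run > 100
| xyseries Name dayOfDate runs
```

Because the filter tests max_run rather than runs, every event for Sachi, Kohli and ABD survives to the pivot and their cells at or below 100 are filled in, while Dhoni, whose highest value is 99, is dropped as a whole row.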