Solved: How do I remove a particular row from my stats com...

avisriv · ‎10-01-2018

source="something_source" topic="something_topic1" OR topic="something_topic2" earliest = "-1d" client="cpu1305" | stats latest(msg) as Valuess by topic

Now, this search returns suppose like below:

**topic**                                                              **Valuess**
something_topic1                                                        3
something_topic2                                                        7

Here, if the value of something_topic1 is say 3, then i only want to display the row 'something_topic2', else I want to simply remove this row( 'something_topic2') from my stats result

harishalipaka · ‎10-02-2018

@avisri

Try below

| makeresults | eval topic="topic1",values=3 | append[| makeresults |eval topic="topic2",values=7 ] |eval topicx=if(topic="topic1" and values=3 ,"%","topic1") | eventstats first(topicx) as topicx |where topic like(topicx) |table topic values

Thanks
Harish

View solution in original post

harishalipaka · ‎10-02-2018

@avisri

Try below

| makeresults | eval topic="topic1",values=3 | append[| makeresults |eval topic="topic2",values=7 ] |eval topicx=if(topic="topic1" and values=3 ,"%","topic1") | eventstats first(topicx) as topicx |where topic like(topicx) |table topic values

Thanks
Harish

harishalipaka · ‎10-02-2018

Hi @avisri

Sorry, your accepted answer not reflected to my karma points. Can you please do it again

Thanks
Harish

How do I remove a particular row from my stats command based on the value of another row?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!