How to Modify Field to exclude field not needed?

jakeoftrades · ‎05-16-2022

Hi,

Can anyone help me how can I change the field of my query to exclude those with
PRODUCED labels

query:

index="hcg_ph_t2_bigdataservices_prod" sourcetype="be:streaming-services" earliest=-3h@h latest=@h
| search stream_type IN (Datascore_Compress, Datascore_Decompress, Eservices_Eload, Eservices_Ebills)
| eval service_details=stream_type." - ".kafka_datatype
| bucket span=90m _time
| stats sum(kafka_count) as count by _time service_details
| stats latest(count) as current_count earliest(count) as past_count by service_details

PRODUCED items which is under kafka_datatype:

I have tried to add this to my query but still does not exclude those with PRODUCED:

| sort .kafka_datatype asc
| fields - "PRODUCED"

Please help.

Thank you,
Jake

gcusello · ‎05-16-2022

Hi @jakeoftrades,

let me understand: you want to exclude results where kafka_datatype="PRODUCED", is this correct?

if this is your need, you could filter results in the main search of after the stats command, something like this:

index="hcg_ph_t2_bigdataservices_prod" sourcetype="be:streaming-services" earliest=-3h@h latest=@h stream_type IN (Datascore_Compress, Datascore_Decompress, Eservices_Eload, Eservices_Ebills) kafka_datatype!="PRODUCED"
| eval service_details=stream_type." - ".kafka_datatype
| bucket span=90m _time
| stats sum(kafka_count) as count by _time service_details
| stats latest(count) as current_count earliest(count) as past_count by service_details

in addition, you don't need to use the search command after the main search, in this way you have a slower search.

Ciao.

Giuseppe

How to Modify Field to exclude field not needed?

eval

fields

stats

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!