Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to prevent a search result from being displayed on a table in a dashboard panel based on its value?

joseph_trinidad
New Member
‎07-12-2015 11:22 PM

Hi Splunk Experts,

Currently I am creating a dashboard panel wherein I have to filter the results in my table based on its value.
For example, if the value reaches above 100, it should not be displayed in the table.
What happens is, once the value reaches above 100, the last value is retained.
I expect it to disappear because it does not meet the value limit.
Here is what I have done so far:

counter="*" index=* | where NOT Value > 100 | sort -_time

Thanks!

Tags (4)
0 Karma
Reply

lguinn2
Legend
‎07-13-2015 12:41 AM

[Edited based on the comment]
I may not understand your question, but here goes...

Value must be the actual name of a field - is the field named Value or counter or something else? Is there more than one field that needs to be tested?

For example, if the field is named counter:

counter="*" index=*  counter <= 100 | sort -_time

I did the test a little differently, but I just prefer positive tests to negative tests in most cases.

And as @aljohnson points out, there isn't a reason for a separate where command - you should put all the conditions in the initial search if possible.

Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎07-13-2015 09:24 AM

Hey Lisa,

Could you expand at all on why you choose to pipe to where to filter on the counter value - rather than just using search like

counter="*" index=* counter<=100

I'm wondering if there is a performance difference I am missing.

Reply

lguinn2
Legend
‎07-14-2015 09:49 AM

You are right - your solution is more efficient and more "Splunk"! I was too focused on the question of "what is the field name"

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...