Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to remove a row in a table

kishan2356
Explorer
‎11-12-2019 12:35 PM

_time A B C D
6:05 1 1 5 8
6:10 0 3 2 2
6:15 5 0 6 2
6:20 8 9 2 7
6:25 9 2 4 5
6:30 6 7 2 8

Hi, I have a table in a dashboard where time is broken up into 5 min bins.
What I’m trying to do is eliminate all rows based on the value of a cell in a column.
In my case, if any value in column A (above table) equals 0 I want the whole row to not be displayed.
In the table above the row of 6:10 would be removed, and the table should be as follows:

_time A B C D
6:05 1 1 5 8
6:15 5 0 6 2
6:20 8 9 2 7
6:25 9 2 4 5
6:30 6 7 2 8

I’ve tried using | where clause but it did not work.
Is there a way to accomplish this?

Tags (5)
0 Karma
Reply

to4kawa
Ultra Champion
‎12-02-2019 04:24 AM 
index=XX sourcetype=XX  (earliest=$earliestTime$ latest=$latestTime$) OR (earliest=$earliestTime1$ latest=$latestTime1$) OR (earliest=$earliestTime2$ latest=$latestTime2$) OR (earliest=$earliestTime3$ latest=$latestTime3$) OR (earliest=$earliestTime4$ latest=$latestTime4$)
| streamstats values(eval(strftime(_time,"%m%d"))) as label
| bin span=5m _time
| streamstats values(eval(strftime(_time,"%H:%M:%S"))) as time
| chart dc(ecn) over time by label
| where time!=$click.value$

What about this query?

You have to put "nothing" in $click.value$ in <init>

0 Karma
Reply

mayurr98
Super Champion
‎11-12-2019 01:29 PM

whats your search query?

0 Karma
Reply

kishan2356
Explorer
‎11-12-2019 01:58 PM

Below is the source code

XX

<input type="time" token="time_finder" searchWhenChanged="true">
  <label>Time Picker</label>
  <default>
    <earliest>@d</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest),"-0d")</eval>
    <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), "-0d")</eval>
    <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
    <eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
    <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
    <eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
    <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
    <eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
    <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
    <eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
  </change>
</input>


<panel>
  <title>XX</title>
  <table>
    <title></title>
    <search>
      <query>| multisearch 
[ search index=XX sourcetype=XX earliest=$earliestTime$ latest=$latestTime$ 
| eval label="XX"  
| fields -_raw _time ecn label ] 
[ search index=XX sourcetype=XX earliest=$earliestTime1$ latest=$latestTime1$ 
| eval _time=_time+60*60*24*7 
| eval label="XX" 
| fields -_raw _time ecn label ] 
[ search index=XX sourcetype=XX earliest=$earliestTime2$ latest=$latestTime2$ 
| eval _time=_time+60*60*24*14 
| eval label="XX" 
| fields -_raw _time ecn label ] 
[ search index=XX sourcetype=XX earliest=$earliestTime3$ latest=$latestTime3$ 
| eval _time=_time+60*60*24*21 
| eval label="XX" 
| fields -_raw _time ecn label ] 
[ search index=XX sourcetype=XX earliest=$earliestTime4$ latest=$latestTime4$ 
| eval _time=_time+60*60*24*28 
| eval label="XX" 
| fields -_raw _time ecn label]

| bin _time span=5m
| chart dc(ecn) over _time by label
| eval ....
| eval ....
| eval ....
| eval ....
| eval ....
| fields ...
$time_finder.earliest$
$time_finder.latest$

10
none
progressbar
false

0


0


0


0
false


0


0


0


0


0


0
false


0


0


0


0


0 Karma
Reply

wmyersas
Builder
‎11-12-2019 01:13 PM

Presuming you have some search that generates your table ... try this:

index=ndx sourcetype=srctp A=* B=* C=* D=*
| bin _time span=5m
| stats sum(A) as A sum(B) as B sum(C) as C sum(D) as D by somefield
| search A>0

The | search A>0 will throw-out any events from the stats results that have a 0 (or less than 0) in the A column

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...