Splunk Search

How to remove unwanted row base on condition of column data?

324981
Explorer

Hi, I am new in Splunk, 

if I want to remove the display of all column field for T9_LotID_LaneA,T9_LotID_LaneB,T9_LotIB_LaneC,T9_LotID_LaneD, was empty or null value

 

my base search:

OWA03 AND ID = "T9 Hot DI Air Temp.(Upper Chamber) HTC5.1 PV" OR ID = "T9 Hot DI Humidity PV" OR ID = "T9 Hot DI N2 Diffuser Temp.HTC4.1 PV" OR ID = "T9 Hot DI Water Process Temp.HTC2.1 PV" OR ID = "T9_LotID_LaneA" OR ID = "T9_LotID_LaneB" OR ID = "T9_LotID_LaneC" OR ID = "T9_LotID_LaneD"
|timechart span=3s cont=false latest(Value) by ID

the results:

 

324981_1-1656040484028.png

please advise ,

Thanks

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Yes, these fields hold non-numerics (strings) so comparing to "0" makes more sense although perhaps using != "" would be more appropriate?

View solution in original post

324981
Explorer

it work well now. Thanks for the help.

0 Karma

324981
Explorer

below is the column field that I want to filter:

(((ID = "T9_LotID_LaneA" AND Value >0 AND Value!="03_Dummy")) OR ((ID = "T9_LotID_LaneB" AND Value >0 AND Value!="03_Dummy")) OR ((ID = "T9_LotID_LaneC" AND Value >0 AND Value!="03_Dummy")) OR ((ID = "T9_LotID_LaneD" AND Value >0 AND Value!="03_Dummy")))

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

OWA03 AND ID = "T9 Hot DI Air Temp.(Upper Chamber) HTC5.1 PV" OR ID = "T9 Hot DI Humidity PV" OR ID = "T9 Hot DI N2 Diffuser Temp.HTC4.1 PV" OR ID = "T9 Hot DI Water Process Temp.HTC2.1 PV" OR ID = "T9_LotID_LaneA" OR ID = "T9_LotID_LaneB" OR ID = "T9_LotID_LaneC" OR ID = "T9_LotID_LaneD"
|timechart span=3s cont=false latest(Value) by ID
| where (T9_LotID_LaneA >0 AND T9_LotID_LaneA !="03_Dummy") OR (T9_LotID_LaneB >0 AND T9_LotID_LaneB !="03_Dummy") OR (T9_LotID_LaneC >0 AND T9_LotID_LaneC !="03_Dummy") OR (T9_LotID_LaneD >0 AND T9_LotID_LaneD !="03_Dummy")
0 Karma

324981
Explorer

Hi ITWhisperer,

Thank you for your help.

the result : show empty. but after I change from >0 to >" 0" it show the results. What does it mean from >0 to >"0" is it for integer value and string value ?

OWA03 AND ID = "T9 Hot DI Air Temp.(Upper Chamber) HTC5.1 PV" OR ID = "T9 Hot DI Humidity PV" OR ID = "T9 Hot DI N2 Diffuser Temp.HTC4.1 PV" OR ID = "T9 Hot DI Water Process Temp.HTC2.1 PV" OR ID = "T9_LotID_LaneA" OR ID = "T9_LotID_LaneB" OR ID = "T9_LotID_LaneC" OR ID = "T9_LotID_LaneD"
|timechart span=3s cont=false latest(Value) by ID
| where (T9_LotID_LaneA >"0" AND T9_LotID_LaneA !="03_Dummy") OR (T9_LotID_LaneB >"0" AND ID.T9_LotID_LaneB !="03_Dummy") OR (T9_LotID_LaneC >"0" AND T9_LotID_LaneC !="03_Dummy") OR (T9_LotID_LaneD >"0" AND T9_LotID_LaneD !="03_Dummy")

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Yes, these fields hold non-numerics (strings) so comparing to "0" makes more sense although perhaps using != "" would be more appropriate?

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...