Splunk Search

Removing some results from stats count by function

DCUpro
Explorer

Hi all,

I'm a bit of a newbie to splunk but I was trying to create a dashboard using the stats count by function for a field called 'Labels'

Within the labels field you can have multiple labels. An example would be:

Log1: Field name(Labels): RCA_Required, Sev1
Log2: Field name(Labels): RCA_Required, Sev2, Med_Ex
Log3: Field name(Labels):  Sev2

if I use the the function 'stats count by', I'll get:

RCA_Required: 2
Sev2: 2
Med_Ex: 1
Sev1: 1

My question is how can I remove 'RCA_Required' from the list without removing that log or missing the rest of the labels associated with that log.

My expected results would be:

Sev2: 2
Med_Ex: 1
Sev1: 1

Thank you.

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @DCUpro,

after the stats count row, add a condition that filters results, something like this:

| search NOT Labels="RCA_Required"

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @DCUpro,

after the stats count row, add a condition that filters results, something like this:

| search NOT Labels="RCA_Required"

Ciao.

Giuseppe

DCUpro
Explorer

@gcusello  Thank you

This is exactly what I'm looking for. 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...