Solved: Re: Removing some results from stats count by func...

DCUpro · ‎08-19-2020

Hi all,

I'm a bit of a newbie to splunk but I was trying to create a dashboard using the stats count by function for a field called 'Labels'

Within the labels field you can have multiple labels. An example would be:

Log1: Field name(Labels): RCA_Required, Sev1
Log2: Field name(Labels): RCA_Required, Sev2, Med_Ex
Log3: Field name(Labels): Sev2

if I use the the function 'stats count by', I'll get:

RCA_Required: 2
Sev2: 2
Med_Ex: 1
Sev1: 1

My question is how can I remove 'RCA_Required' from the list without removing that log or missing the rest of the labels associated with that log.

My expected results would be:

Sev2: 2
Med_Ex: 1
Sev1: 1

Thank you.

gcusello · ‎08-19-2020

after the stats count row, add a condition that filters results, something like this:

| search NOT Labels="RCA_Required"

Ciao.

Giuseppe

gcusello · ‎08-19-2020

after the stats count row, add a condition that filters results, something like this:

| search NOT Labels="RCA_Required"

Ciao.

Giuseppe

DCUpro · ‎08-19-2020

@gcusello Thank you

This is exactly what I'm looking for.

Removing some results from stats count by function