Solved: Removing values from a field

gagareg · ‎02-10-2020

how to remove values from fields highlighted in red

index=main | eval description=case(status == 200, "OK", status == 404, "Not found", status == 500, "Internal Server Error", status == 503, "Service Unavailable", status == 406, "Not Acceptable", status == 400, "Bad Request ", status == 408, "Request Timeout", status == 505, "HTTP Version Not Supported", status == 403, "Forbidden") | table _time status description | where isnotnull(status) | dedup status

vnravikumar · ‎02-10-2020

Hi

Try with below

your query.... |where NOT status IN ("deferred","sent","expired","bounced")

View solution in original post

to4kawa · ‎02-10-2020

index=main 
| eval description=case(status == 200, "OK", status == 404, "Not found", status == 500, "Internal Server Error", status == 503, "Service Unavailable", status == 406, "Not Acceptable", status == 400, "Bad Request ", status == 408, "Request Timeout", status == 505, "HTTP Version Not Supported", status == 403, "Forbidden", true(), NULL)
| table _time status description
| where isnotnull(description) 
| dedup status

gagareg · ‎02-10-2020

Unfortunately, it does not work for me. But thank you for answering

vnravikumar · ‎02-10-2020

Hi

Try with below

your query.... |where NOT status IN ("deferred","sent","expired","bounced")

gagareg · ‎02-10-2020

Thanks. It's working

Removing values from a field

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)