Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using where with a wildcard

HattrickNZ
Motivator
‎11-27-2017 12:35 PM

I want to dynamically remove a number of columns/headers from my stats.
So my thinking is to use a wild card on the left of the comparison operator.
But this does not work

... | where "P-CSCF*">4

Sample Output: Say for example I just wanted to remove the columns P-CSCF-02 & P-CSCF-06 and have P-CSCF-05 and P-CSCF-07 showing. I would like to do it with something like ... | where "P-CSCF*">1 for example. I could use fields + option but that is static I want something dynamic.

_time                       P-CSCF-02   P-CSCF-05   P-CSCF-06   P-CSCF-07
2017-11-27T18:30:00.000+1300    1   2   0   6
2017-11-27T18:35:00.000+1300    0   2   0   6
2017-11-27T18:40:00.000+1300    0   2   0   6

EDIT1
This is my Desired Output with only 2 columns showing, the others omitted because they do not have any values > 1: 

_time                         P-CSCF-05 P-CSCF-07
2017-11-27T18:30:00.000+1300    2   6
2017-11-27T18:35:00.000+1300    2   6
2017-11-27T18:40:00.000+1300    2   6

Should I be using something like ... | WHERE like(source,"/logs/%/camel-audit.log")]

Not what I want but this is wildcarding on the RHS of the comparison operator ...|search version=*10_2*

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

damien_chillet
Builder
‎11-28-2017 04:30 AM

You could try append the following to your time chart table:

| untable _time field count
| eventstats avg(count) as field_avg by field
| where field_avg > 1
| xyseries _time field count

That would remove all the field with an average lesser than 1. You can adjust depending on how you want to filter (use max, sum, min, etc.. instead of avg for example)

If you explain in more details when you want to remove a column, I could give you a more complete answer.

View solution in original post

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎11-28-2017 01:08 PM

Ahh, yes. I definitely misunderstood the request, sorry!

0 Karma
Reply
Solved! Jump to solution

mtulett_splunk
Splunk Employee
Splunk Employee
‎11-27-2017 02:56 PM

That's a very clean solution. I'm saving that in my book of tricks.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-27-2017 01:15 PM

How are you making it dymanic? A token?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-28-2017 01:19 PM

What's your current full search?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...