Solved: filter a table result

trifledalliance · ‎10-20-2023

Hi - i'm not great at Splunk and am struggling with this one:

I have this search result in table form

I'd like to filter out any servers that have status deleted so for the example i'd like

Thanks for any help.

richgalloway · ‎10-20-2023

Using just the where command to filter results just removes one Server1 event rather than all of them.

Instead, you can use the eventstats command to associated the Deleted status with all events from the same server. Then filter on that association.

| eventstats count(eval(Status="Deleted")) as is_deleted by Name
| where is_deleted=1
| fields - is_deleted

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎10-20-2023

Using just the where command to filter results just removes one Server1 event rather than all of them.

Instead, you can use the eventstats command to associated the Deleted status with all events from the same server. Then filter on that association.

| eventstats count(eval(Status="Deleted")) as is_deleted by Name
| where is_deleted=1
| fields - is_deleted

---
If this reply helps you, Karma would be appreciated.

trifledalliance · ‎10-24-2023

That works nicely thanks @richgalloway I just had to tweak the where to get the list of undeleted.

| eventstats count(eval(Status="Deleted")) as is_deleted by Name
| where is_deleted=0 | table Name is_deleted Status

filter a table result