I am applying few conditions and logic to come up with values for different fields. I'm then displaying them using teh table command, like -
| table field1 field2 field3 etc
I now want to display this table with a condition like the table should display only those rows where a field has a particular value. Ex - Display only those rows where field2="testvaluexyz". something like - SELECT FIELD1, FIELD2, FIELD3 FROM TABLE1 WHERE FIELD2="testvaluexyz"
I'm trying with the below command after table command and getting any result.
|fields - field2| where field2 != "testvaluexyz"
I can guess this may not be the right way. Can someone please help achieve this?
the fields command will remove field2 so your where clause has nothing to compare so just flip the order
| table field1 field2 field3 etc | where field2 != "testvaluexyz" | fields - field2
That's what the
fields - field2 command does. I assumed you wanted to remove it
I wanted to remove the non matching entries alone and not the complete field.
In your example you are removing field2 before using the filter
Have you tried out:
| search field2="testvaluexyz"
| table field1 field2 field3
In general you should filter as soon as possible. So if possible, filter it directly in the base search.
If you use the command
| fields - field2, this field isn't more available for searches, so the following
where command is always wrong!
you have to insert the search condition before the
| fields - field2 command.
Anyway it's a best practice to put all the conditions as left as you can and not after table command.
So try something like this:
index=your_index field2 != "testvaluexyz" | table field1 field2 field3
@cusello this would display the field with the non-matching values. the other way of what I needed. Just checked this as well with a small change -
|where field2 == "testvaluexyz"
|table field1 field2 field3
This worked fine, just the way it did when I tried | where after | table command.
Thank you too. Cheers. 🙂