Splunk Search

how to display only those rows with a particular value in a particular value using |table command

Communicator

I am applying a few conditions and logic to come up with values for different fields. I'm then displaying them using the table command, like -
| table field1 field2 field3 etc

I now want to display this table with a condition, like the table should display only those rows where a field has a particular value. Ex - Display only those rows where field2="testvaluexyz". Something like - SELECT FIELD1, FIELD2, FIELD3 FROM TABLE1 WHERE FIELD2="testvaluexyz"

I'm trying with the below command after table command and getting any result.
|fields - field2| where field2 != "testvaluexyz"

I can guess this may not be the right way. Can someone please help achieve this?

0 Karma

Re: how to display only those rows with a particular value in a particular value using |table command

Motivator

The fields command will remove field2, so your where clause has nothing to compare. Just flip the order:

| table field1 field2 field3 etc
| where field2 != "testvaluexyz"
| fields - field2 
0 Karma

Re: how to display only those rows with a particular value in a particular value using |table command

Communicator

Tried this. This is removing the field2 completely.

0 Karma

Re: how to display only those rows with a particular value in a particular value using |table command

Motivator

That's what the fields - field2 command does. I assumed you wanted to remove it.

0 Karma

Re: how to display only those rows with a particular value in a particular value using |table command

Communicator

I wanted to remove the non-matching entries alone and not the complete field.

0 Karma

Re: how to display only those rows with a particular value in a particular value using |table command

Communicator

@kmaron Thank you for the response. 🙂

0 Karma

Re: how to display only those rows with a particular value in a particular value using |table command

Motivator

In your example you are removing field2 before using the filter.

Have you tried out:

yourbase search
| search field2="testvaluexyz"
| table field1 field2 field3

In general you should filter as soon as possible. So if possible, filter it directly in the base search.


Re: how to display only those rows with a particular value in a particular value using |table command

Communicator

@HeinzWaescher This as well worked fine. Thank you. 🙂

0 Karma

Re: how to display only those rows with a particular value in a particular value using |table command

Legend

Hi sh254087,
If you use the command | fields - field2, this field is no longer available for searches, so the following where command is always wrong!
You have to insert the search condition before the | fields - field2 command.

Anyway, it's a best practice to put all the conditions as far left as you can and not after the table command.
So try something like this:

index=your_index  field2 != "testvaluexyz"
| table field1 field2 field3

Bye.
Giuseppe


Re: how to display only those rows with a particular value in a particular value using |table command

Communicator

@cusello This would display the field with the non-matching values, the other way of what I needed. Just checked this as well with a small change -

|where field2 == "testvaluexyz"
|table field1 field2 field3

This worked fine, just the way it did when I tried | where after | table command.

Thank you too. Cheers. 🙂

0 Karma
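
The three command orders discussed in this thread, modelled in Python as an added example (not written by any poster, and not Splunk code). The `table`, `fields_minus` and `where` helpers and the sample rows are hypothetical simplifications of the SPL commands, assuming a missing field behaves like NULL in a `where` comparison.

```python
# Simplified model (an assumption, not Splunk code) of three SPL commands
# applied to rows represented as dicts. A missing field behaves like NULL.

ROWS = [  # constructed sample events
    {"field1": "a", "field2": "testvaluexyz", "field3": 1},
    {"field1": "b", "field2": "other", "field3": 2},
    {"field1": "c", "field2": "testvaluexyz", "field3": 3},
]

def table(rows, *names):
    """| table f1 f2 ...: keep only the named fields, in that order."""
    return [{n: r[n] for n in names if n in r} for r in rows]

def fields_minus(rows, name):
    """| fields - name: drop one field from every row."""
    return [{k: v for k, v in r.items() if k != name} for r in rows]

def where(rows, name, op, value):
    """| where name <op> "value": a comparison against a missing (NULL)
    field is never true, so such rows are dropped for both == and !=."""
    out = []
    for r in rows:
        if name not in r:
            continue
        matched = (r[name] == value) if op == "==" else (r[name] != value)
        if matched:
            out.append(r)
    return out

def asker_pipeline(rows):
    # | table ... | fields - field2 | where field2 != "testvaluexyz"
    t = table(rows, "field1", "field2", "field3")
    return where(fields_minus(t, "field2"), "field2", "!=", "testvaluexyz")

def flipped_pipeline(rows):
    # | table ... | where field2 != "testvaluexyz" | fields - field2
    t = table(rows, "field1", "field2", "field3")
    return fields_minus(where(t, "field2", "!=", "testvaluexyz"), "field2")

def wanted_pipeline(rows):
    # | table ... | where field2 == "testvaluexyz"
    t = table(rows, "field1", "field2", "field3")
    return where(t, "field2", "==", "testvaluexyz")

if __name__ == "__main__":
    for fn in (asker_pipeline, flipped_pipeline, wanted_pipeline):
        print(fn.__name__, fn(ROWS))
```
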