Solved: how to display only those rows with a particular v... - Page 2

sh254087 · ‎04-20-2018

I am applying few conditions and logic to come up with values for different fields. I'm then displaying them using teh table command, like -
| table field1 field2 field3 etc

I now want to display this table with a condition like the table should display only those rows where a field has a particular value. Ex - Display only those rows where field2="testvaluexyz". something like - SELECT FIELD1, FIELD2, FIELD3 FROM TABLE1 WHERE FIELD2="testvaluexyz"

I'm trying with the below command after table command and getting any result.
|fields - field2| where field2 != "testvaluexyz"

I can guess this may not be the right way. Can someone please help achieve this?

sh254087 · ‎04-20-2018

Just after posting this I got this resolved. Just came across an other question on the forum where someone had made a comparison(not similar to my problem but it helped) using ==, the opposite of how I was trying. Instead of removing fields which is having values not matching with my value, this would display only those rows with the values which would match my value. Somehow I did not think this way.

So the solution is (as simple as)-
| table field1 field2 field3
| where field2 == "testvaluexyz"

I probably did not know how all I could use the where condition! Lesson learned. 🙂

View solution in original post

how to display only those rows with a particular value in a particular value using |table command

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk