Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

removing more than one field value conditionally

TaraAshley
Engager
‎03-01-2024 11:40 AM

I am working on a query that lists hosts and their corresponding instances. My results look like the example below. 

I want to only remove the 111222 host when the instance is R: from my results. I am not certain on how to do this within my query. 

HostInstance
111222A:
111222C:
111222R:
333444A:
333444C:
333444R:
Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-01-2024 12:43 PM

"111222 host when the instance is R:" is ambiguous.  You should include an illustration of desired results in a question.

1. The most literal interpretation is to only remove the row with host 111222 AND Instance R:.  In other words, you want

Instancehost
A:111222
C:111222
A:333444
C:333444
R:333444

For this, you can do 

 

 

| where NOT ( host == "111222" AND Instance == "R:")

 

 

BTW I don't think you should rename host to Host until everything is done.

2. But your context makes me suspect that you actually mean to remove host 111222 IF Instance R: runs on it and no matter what other instances are there.  In other words, you want

Instance
R_or_not_R
host
A:
A:
C:
R:
333444
C:
A:
C:
R:
333444
R:
A:
C:
R:
333444

For this, you need

 

 

| eventstats values(Instance) as R_or_not_R by host
| where host != "111222" OR R_or_not_R != "R:"​

 

 

Which one is it?

Here is an emulation

 

| makeresults format=csv data="host,	Instance
111222,	A:
111222,	C:
111222,	R:
333444,	A:
333444,	C:
333444,	R:"
``` data emulation above ```

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...