Hi Splunk Experts,
Currently I am creating a dashboard panel wherein I have to filter the results in my table based on its value.
For example, if the value reaches above 100, it should not be displayed in the table.
What happens is, once the value reaches above 100, the last value is retained.
I expect it to disappear because it does not meet the value limit.
Here is what I have done so far:
counter="*" index=* | where NOT Value > 100 | sort -_time
Thanks!
[Edited based on the comment]
I may not understand your question, but here goes...
Value must be the actual name of a field - is the field named Value or counter or something else? Is there more than one field that needs to be tested?
For example, if the field is named counter:
counter="*" index=* counter <= 100 | sort -_time
I did the test a little differently, but I just prefer positive tests to negative tests in most cases.
And as @aljohnson points out, there isn't a reason for a separate where command - you should put all the conditions in the initial search if possible.
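The two forms being compared in this answer, side by side, as an added illustration (not part of the original answer). It assumes the numeric field is named counter and that the events live in an index called main; both names are placeholders for whatever your data actually uses.

```spl
index=main counter="*"
| where counter <= 100
| sort -_time
| table _time counter
```

The where version above runs the filter as a second step over every event the initial search returned. Pushing the same test into the initial search, as suggested, lets Splunk discard events before they reach the pipeline:

index=main counter="*" counter<=100 | sort -_time | table _time counter

In either form, replace index=* with the specific index that holds the field; searching every index you can read is usually the single biggest cost in a dashboard search.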
Hey Lisa,
Could you expand at all on why you chose to pipe to where to filter on the counter value - rather than just using search like
counter="*" index=* counter<=100
I'm wondering if there is a performance difference I am missing.
You are right - your solution is more efficient and more "Splunk"! I was too focused on the question of "what is the field name"