How to prevent a search result from being displaye...

joseph_trinidad · ‎07-12-2015

Hi Splunk Experts,

Currently I am creating a dashboard panel wherein I have to filter the results in my table based on its value.
For example, if the value reaches above 100, it should not be displayed in the table.
What happens is, once the value reaches above 100, the last value is retained.
I expect it to disappear because it does not meet the value limit.
Here is what I have done so far:

counter="*" index=* | where NOT Value > 100 | sort -_time

Thanks!

lguinn2 · ‎07-13-2015

[Edited based on the comment]
I may not understand your question, but here goes...

Value must be the actual name of a field - is the field named Value or counter or something else? Is there more than one field that needs to be tested?

For example, if the field is named counter:

counter="*" index=*  counter <= 100 | sort -_time

I did the test a little differently, but I just prefer positive tests to negative tests in most cases.

And as @aljohnson points out, there isn't a reason for a separate where command - you should put all the conditions in the initial search if possible.

aljohnson_splun · ‎07-13-2015

Hey Lisa,

Could you expand at all on why you choose to pipe to where to filter on the counter value - rather than just using search like

counter="*" index=* counter<=100

I'm wondering if there is a performance difference I am missing.

lguinn2 · ‎07-14-2015

You are right - your solution is more efficient and more "Splunk"! I was too focused on the question of "what is the field name"

How to prevent a search result from being displayed on a table in a dashboard panel based on its value?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life