Hi everybody!
In a Splunk Dashboard, I created a Bar Panel with this:
* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count
That's works fine! But I don't want to have the Property "U8_DOCUMENTTITLE" in my result....
So I have to change that:
stats count(U*) as U*
How can I ask "U* without U8_DOCUMENTTITLE" ?
Thanks to help me 😉
can you exclude anything that that field in your first search term?
* NOT U8_DOCUMENTTITLE=* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count
Or exclude it in the middle:
* | stats count(U*) as U* | transpose |search column!=U8_DOCUMENTTITLE |rename column AS Property "row 1" AS Count | SORT -Count
Try this
* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count | search Property !="U8_DOCUMENTTITLE"
Hi Sundareshr!
Thanks for your answer, that 's work too, but Ryan was so fast 😉
Have a good day!
can you exclude anything that that field in your first search term?
* NOT U8_DOCUMENTTITLE=* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count
Or exclude it in the middle:
* | stats count(U*) as U* | transpose |search column!=U8_DOCUMENTTITLE |rename column AS Property "row 1" AS Count | SORT -Count
Hi Ryan!
Thanks a lot for your answer!
This code doesn't work:
* NOT U8_DOCUMENTTITLE=*
But this code works perfectly :
search column!=U1708_DOCUMENTTITLE
Thanks for your help!