Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filter out results from report using "rex _raw" and "stats count(eval(match(AA,""))) AS "ABC"" and filter out results with "count=0"

srishtiarora
New Member
‎04-11-2017 01:26 PM

Hi,

I am looking to filter out the contents of Search results that is using rex, transpose and count.
we are having multiple results with count 0 and need to be removed from report as its occupying majority of dashboard.

Below is Command sample:

table  "_raw"  | rex  field=_raw "(?PCode1)"  | rex  field=_raw "(?PCode2)" | rex  field=_raw " (?PCode3) " | stats  count(eval(match(AA,"")))  AS "Message1",  count(eval(match(AB,".*"))) AS "Message2" ,  count(eval(match(AC,".*"))) AS "Message3" |transpose

i am not sure how i can filter out this as where count>0 is not working.

0 Karma
Reply

somesoni2
Revered Legend
‎04-11-2017 01:48 PM

Firstly, to ensure the whole search/code/result that you add in your question is completely shown, you should select the query/code/result part and press Ctrl +K OR click on "101 100" button on top of the text box.

Please ensure that you confirm the rex portions and try this.

...your base search | table "_raw" | rex field=_raw "(?P<AA>Code1)" | rex field=_raw "(?P<AB>Code2)" | rex field=_raw " (?P<AC>Code3) " | stats count(eval(match(AA,""))) AS "Message1", count(eval(match(AB,"."))) AS "Message2" , count(eval(match(AC,"."))) AS "Message3" | eval temp=1 | untable temp Message Count | where count>0 | fields - temp

If an event only contains one Code (a row will have only one of AA, AB or AC, then try this version 

...your base search | table "_raw" | rex field=_raw "(?P<Message>(Code1|Code2|Code3))" | stats count by Message | where count>0
0 Karma
Reply

srishtiarora
New Member
‎04-11-2017 02:00 PM

The Code 1 to Code 3 and Message1 to message3 are just aliases as it cannot be shared, but they hold different values and there is no string with Message in them.
when I tried adding eval temp=1 | untable temp Message Count | where count>0 | fields - temp, it didn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...