Solved: How do I remove a particular row from my stats com...

avisriv · ‎10-01-2018

source="something_source" topic="something_topic1" OR topic="something_topic2" earliest = "-1d" client="cpu1305" | stats latest(msg) as Valuess by topic

Now, this search returns suppose like below:

**topic**                                                              **Valuess**
something_topic1                                                        3
something_topic2                                                        7

Here, if the value of something_topic1 is say 3, then i only want to display the row 'something_topic2', else I want to simply remove this row( 'something_topic2') from my stats result

harishalipaka · ‎10-02-2018

@avisri

Try below

| makeresults | eval topic="topic1",values=3 | append[| makeresults |eval topic="topic2",values=7 ] |eval topicx=if(topic="topic1" and values=3 ,"%","topic1") | eventstats first(topicx) as topicx |where topic like(topicx) |table topic values

Thanks
Harish

View solution in original post

harishalipaka · ‎10-02-2018

@avisri

Try below

| makeresults | eval topic="topic1",values=3 | append[| makeresults |eval topic="topic2",values=7 ] |eval topicx=if(topic="topic1" and values=3 ,"%","topic1") | eventstats first(topicx) as topicx |where topic like(topicx) |table topic values

Thanks
Harish

harishalipaka · ‎10-02-2018

Hi @avisri

Sorry, your accepted answer not reflected to my karma points. Can you please do it again

Thanks
Harish

How do I remove a particular row from my stats command based on the value of another row?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms