_time  A  B  C  D
6:05   1  1  5  8
6:10   0  3  2  2
6:15   5  0  6  2
6:20   8  9  2  7
6:25   9  2  4  5
6:30   6  7  2  8
Hi, I have a table in a dashboard where time is broken up into 5 min bins.
What I’m trying to do is eliminate all rows based on the value of a cell in a column.
In my case, if any value in column A (above table) equals 0 I want the whole row to not be displayed.
In the table above the row of 6:10 would be removed, and the table should be as follows:
_time  A  B  C  D
6:05   1  1  5  8
6:15   5  0  6  2
6:20   8  9  2  7
6:25   9  2  4  5
6:30   6  7  2  8
I’ve tried using a | where clause but it did not work.
Is there a way to accomplish this?
index=XX sourcetype=XX (earliest=$earliestTime$ latest=$latestTime$) OR (earliest=$earliestTime1$ latest=$latestTime1$) OR (earliest=$earliestTime2$ latest=$latestTime2$) OR (earliest=$earliestTime3$ latest=$latestTime3$) OR (earliest=$earliestTime4$ latest=$latestTime4$)
| streamstats values(eval(strftime(_time,"%m%d"))) as label
| bin span=5m _time
| streamstats values(eval(strftime(_time,"%H:%M:%S"))) as time
| chart dc(ecn) over time by label
| where time!=$click.value$
What about this query?
You have to put "nothing" in $click.value$ in <init>
What's your search query?
Below is the source code
XX
<input type="time" token="time_finder" searchWhenChanged="true">
<label>Time Picker</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
<change>
<eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest),"-0d")</eval>
<eval token="latestTime">if(isstr(latest), relative_time(now(),latest), "-0d")</eval>
<eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
<eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
<eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
<eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
<eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
<eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
<eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
<eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
</change>
</input>
<panel>
<title>XX</title>
<table>
<title></title>
<search>
<query>| multisearch
[ search index=XX sourcetype=XX earliest=$earliestTime$ latest=$latestTime$
| eval label="XX"
| fields -_raw _time ecn label ]
[ search index=XX sourcetype=XX earliest=$earliestTime1$ latest=$latestTime1$
| eval _time=_time+60*60*24*7
| eval label="XX"
| fields -_raw _time ecn label ]
[ search index=XX sourcetype=XX earliest=$earliestTime2$ latest=$latestTime2$
| eval _time=_time+60*60*24*14
| eval label="XX"
| fields -_raw _time ecn label ]
[ search index=XX sourcetype=XX earliest=$earliestTime3$ latest=$latestTime3$
| eval _time=_time+60*60*24*21
| eval label="XX"
| fields -_raw _time ecn label ]
[ search index=XX sourcetype=XX earliest=$earliestTime4$ latest=$latestTime4$
| eval _time=_time+60*60*24*28
| eval label="XX"
| fields -_raw _time ecn label]
| bin _time span=5m
| chart dc(ecn) over _time by label
| eval ....
| eval ....
| eval ....
| eval ....
| eval ....
| fields ...
</query>
</search>
</table>
</panel>
Presuming you have some search that generates your table ... try this:
index=ndx sourcetype=srctp A=* B=* C=* D=*
| bin _time span=5m
| stats sum(A) as A sum(B) as B sum(C) as C sum(D) as D by somefield
| search A>0
The | search A>0 will throw out any events from the stats results that have a 0 (or less than 0) in the A column.
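The three steps in that answer (floor each event into a 5-minute bin, sum the columns per bin, then drop the rows whose A is not greater than 0) are easy to get wrong in the ordering, so here is the same pipeline written out in Python as an added illustration; it is not Splunk code and not from anyone on this thread. It groups by the bin start time instead of the answer's placeholder `somefield`, and the events are constructed so that several fall into one bin and the sums reproduce the table in the question (the 6:10 bin sums to A=0 and is removed, while the 6:15 bin with B=0 is kept).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the thread): (timestamp, A, B, C, D).
# Two events share the 06:05 bin so that the per-bin sum step actually matters.
EVENTS = [
    ("2024-01-01 06:05:10", 1, 0, 2, 3),
    ("2024-01-01 06:07:45", 0, 1, 3, 5),   # same bin as above: 06:05 sums to A=1 B=1 C=5 D=8
    ("2024-01-01 06:11:02", 0, 3, 2, 2),   # 06:10 bin, A sums to 0 -> row dropped
    ("2024-01-01 06:16:30", 5, 0, 6, 2),   # 06:15 bin, B is 0 but A>0 -> row kept
    ("2024-01-01 06:21:00", 8, 9, 2, 7),
    ("2024-01-01 06:26:59", 9, 2, 4, 5),
    ("2024-01-01 06:30:00", 6, 7, 2, 8),
]

SPAN = 300  # seconds; the equivalent of `bin _time span=5m`
COLUMNS = ("A", "B", "C", "D")


def parse(ts_str):
    """Turn a constructed 'YYYY-MM-DD HH:MM:SS' string into a UTC epoch integer."""
    dt = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def bin_time(ts, span=SPAN):
    """Floor an epoch timestamp to the start of its span-second bin (bin _time span=5m)."""
    return ts - (ts % span)


def build_table(events, span=SPAN):
    """stats sum(A) as A ... by the bin start: one row per 5-minute bin, columns summed."""
    sums = defaultdict(lambda: {col: 0 for col in COLUMNS})
    for ts_str, *values in events:
        row = sums[bin_time(parse(ts_str), span)]
        for col, value in zip(COLUMNS, values):
            row[col] += value
    return [{"_time": start, **cols} for start, cols in sorted(sums.items())]


def drop_zero_rows(rows, column="A"):
    """The `| search A>0` step: keep only rows whose chosen column is greater than zero.
    Rows with a 0 in some other column (B, C, D) are untouched."""
    return [r for r in rows if r[column] > 0]


def render(rows):
    """Format rows as (HH:MM, A, B, C, D) tuples for display or assertions."""
    return [
        (datetime.fromtimestamp(r["_time"], timezone.utc).strftime("%H:%M"),
         r["A"], r["B"], r["C"], r["D"])
        for r in rows
    ]


if __name__ == "__main__":
    for row in render(drop_zero_rows(build_table(EVENTS))):
        print(*row)
```

The filter runs after the aggregation on purpose: filtering the raw events first would remove the 06:07:45 event (A=0) and change the 06:05 sum, whereas the question asks for whole table rows to disappear only when the binned value in A is 0.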