Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to filter out columns in a chart after using a lookup and addtotals

_jgpm_
Communicator
‎12-01-2016 12:32 PM

I lost all my previous text because I accidentally navigated away from the page so I'll be brief here. I'm using 6.4.3.

I used this pseudocode search command:

basicsearch | stats values(ID) by name | lookup file to extend chart | addtotals col=t fieldname=sum | foreach field [eval field_perc=calc a percentage]

This is where I'm stuck. I can't think of how to remove a column where the addtotals row = 0. My chart has 30 fields so I don't want to list them all. I've tried using

foreach field [ fields - if(does field==0, then field,otherwise null) ]

but it only erases the field itself, not the column.

I want to keep all the rows, but only reduce the columns down to the meaningful ones (i.e. nonzero columns).

I appreciate any suggestions. Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-01-2016 12:39 PM

Add this to your query

... | untable name fields data | where fields="row" AND data=0 | xyseries name fields data

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-01-2016 12:39 PM

Add this to your query

... | untable name fields data | where fields="row" AND data=0 | xyseries name fields data
Reply
Solved! Jump to solution

_jgpm_
Communicator
‎12-02-2016 07:34 AM

@sundareshr Thanks for showing me how to use untable and xyseries. I definitely think I will use those in the future. However, the where logic doesn't work as expected. I started down the rabbit hole of researching logic tables...but this problem is a trivial one for me and I think I will just do an eval to create a mvfield of row labels where the row sum = 0. That's all I really need.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...