Solved: How to delete rows in a table based on a field val...

leandrot · ‎04-05-2018

Hi all,

I have a table which displays data from a query, what I want to achieve is to delete entire rows if the value of a particular field is zero

Thanks in advance

Best regards

kmaron · ‎04-05-2018

I think it might have to do with your field name. I used a query of mine and when I renamed the field to a field name that required quotes the Where clause no longer worked.

Can you try changing your query to this:

index=a source=ab sourcetype=qm DESK=$desk_token$ 
|stats sum(PNR_COUNT) as TotalTicketsonQueue sum(AGENT_COUNT) as "Total Agents on Queue" max(OLDEST_Ticket) as "Oldest Ticket on Queue (mins)" by DESK,QUEUE_CITY,QUEUE_NUMBER 
| replace "0" WITH " " IN "Total of Agents on Queue" "Oldest PNR on Queue (mins)" 
|rename QUEUE_CITY as "Queue city", QUEUE_NUMBER as "Queue Number" 
|rangemap field="Oldest PNR on Queue (mins)" low=1-22000 elevated=22001-35000 severe=35001-99999999 default=" "
|sort "Oldest PNR on Queue (mins)" desc
| where NOT TotalTicketsonQueue == "0"
| rename TotalTicketsonQueue as "Total Tickets on Queue"

View solution in original post

kmaron · ‎04-05-2018

I think it might have to do with your field name. I used a query of mine and when I renamed the field to a field name that required quotes the Where clause no longer worked.

Can you try changing your query to this:

index=a source=ab sourcetype=qm DESK=$desk_token$ 
|stats sum(PNR_COUNT) as TotalTicketsonQueue sum(AGENT_COUNT) as "Total Agents on Queue" max(OLDEST_Ticket) as "Oldest Ticket on Queue (mins)" by DESK,QUEUE_CITY,QUEUE_NUMBER 
| replace "0" WITH " " IN "Total of Agents on Queue" "Oldest PNR on Queue (mins)" 
|rename QUEUE_CITY as "Queue city", QUEUE_NUMBER as "Queue Number" 
|rangemap field="Oldest PNR on Queue (mins)" low=1-22000 elevated=22001-35000 severe=35001-99999999 default=" "
|sort "Oldest PNR on Queue (mins)" desc
| where NOT TotalTicketsonQueue == "0"
| rename TotalTicketsonQueue as "Total Tickets on Queue"

leandrot · ‎04-05-2018

Many thanks!!! It worked!!

kmaron · ‎04-05-2018

Glad to hear it!!

shivamgoyal23 · ‎04-05-2018

I think this will be helpful:

https://answers.splunk.com/answers/498923/if-an-entry-exists-in-stats-remove-the-entire-line.html

kmaron · ‎04-05-2018

You just need to add a where clause.

| where NOT field==0

leandrot · ‎04-05-2018

Here is the query:

index=a source=ab sourcetype=qm DESK=$desk_token$
|stats sum(PNR_COUNT) as "Total Tickets on Queue" sum(AGENT_COUNT) as "Total Agents on Queue" max(OLDEST_Ticket) as "Oldest Ticket on Queue (mins)" by DESK,QUEUE_CITY,QUEUE_NUMBER
| replace "0" WITH " " IN "Total of Agents on Queue" "Oldest PNR on Queue (mins)"
|rename QUEUE_CITY as "Queue city", QUEUE_NUMBER as "Queue Number"
|rangemap field="Oldest PNR on Queue (mins)" low=1-22000 elevated=22001-35000 severe=35001-99999999 default=" "
|sort "Oldest PNR on Queue (mins)" desc
| where NOT "Total Tickets on Queue"=="0"

I already tried that but was not working

How to delete rows in a table based on a field value?

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!