Limiting timechart span to only include values > 0

ericrobinson · ‎03-02-2011

I have a search that is returning the value of a field called num_oracle_batch. I am using the following to get a per_minute count of the number of batches:

timechart span=1m per_minute(num_oracle_batch)

My question is, how can I limit the timechart to only show where the value of num_oracle_batch is an actual number. As it stands, if I choose today from the timepicker, my Y axis is the entire day even though I only had matching search results in only a few minutes in the 9 oclock hour.

So in short, can I dynamically set my timerange based on event results?

David · ‎03-02-2011

You can add cont=f to the timechart options, making the chart not continuous. With that, your timechart becomes:

timechart span=1m per_minute(num_oracle_batch) cont=f

(From: http://www.splunk.com/base/Documentation/latest/SearchReference/Timechart#Arguments)

Let me know if that doesn't work.

David · ‎03-03-2011

My pleasure. I'd had the same question before, but had never looked up the answer. It's good to know!

ericrobinson · ‎03-03-2011

Thats exactly what I was looking for. I have been struggling with sub-searches and where clauses to get what I was looking for.

THANKS!

Limiting timechart span to only include values > 0

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM