Splunk Search

Limiting timechart span to only include values > 0

ericrobinson
Path Finder

I have a search that is returning the value of a field called num_oracle_batch. I am using the following to get a per_minute count of the number of batches:

timechart span=1m per_minute(num_oracle_batch)

My question is, how can I limit the timechart to only show where the value of num_oracle_batch is an actual number. As it stands, if I choose today from the timepicker, my Y axis is the entire day even though I only had matching search results in only a few minutes in the 9 oclock hour.

So in short, can I dynamically set my timerange based on event results?

Tags (2)

David
Splunk Employee
Splunk Employee

You can add cont=f to the timechart options, making the chart not continuous. With that, your timechart becomes:

timechart span=1m per_minute(num_oracle_batch) cont=f

(From: http://www.splunk.com/base/Documentation/latest/SearchReference/Timechart#Arguments)

Let me know if that doesn't work.

David
Splunk Employee
Splunk Employee

My pleasure. I'd had the same question before, but had never looked up the answer. It's good to know!

0 Karma

ericrobinson
Path Finder

Thats exactly what I was looking for. I have been struggling with sub-searches and where clauses to get what I was looking for.

THANKS!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...