
How to remove a specific value from timechart?

Sageth1
New Member

I'm using the Nest for Splunk app and am trying to chart the number of power outages I have by duration. I've got the search working almost perfectly:

index=nest | fillnull value=NULL error_code | addinfo | eval duration=(info_max_time - info_min_time) | timechart usenull=f useother=f cont=false span=30m count(duration) by error_code

This gives me the values that I'm looking for (namely error_code=E23) over time, but it also charts a value called "VALUE" which, from what I can tell, is just an empty value in the error_code field.

I can't figure out how to remove that VALUE entry to just show the valid error codes, which start with "E", "N" or "W." I tried using fillnull to make that entry null, and it doesn't break anything, but doesn't fix it. I also added the searches below, but they are definitely not what I'm looking for and I seem to lose the time/duration:
| where error_code != "" and
| where error_code != "VALUE"

The error_code entry in question looks to be like this in the events field:

equipment_type:  electric 
error_code: 
fan_control_state:  false 

Any ideas what I'm missing?

0 Karma
1 Solution

woodcock
Esteemed Legend

Is it a field called "VALUE" or a value of error_code? Try this for both at the same time

 index=nest | fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code | table * | fields - VALUE | where error_code!="VALUE"

Sageth1
New Member

This wasn't exact, but it got me there. It was displaying as a value, but it was actually (apparently) a field. This query gave me no results, but I modified my original query and added fields - VALUE and that worked. Now just to tidy up and make a bit more efficient. Thanks for your help. I didn't know about the 'fields' command. Final result:

index=nest error_code!="VALUE" | fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code | fields - VALUE

0 Karma
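The distinction woodcock's answer draws, a column named VALUE versus a row whose error_code is "VALUE", is what decided this thread, so here is an added Python model of it. It is constructed for this page and is not Splunk's code or the Nest app's: the events are made-up samples and timechart_count_by is a toy stand-in for `timechart span=30m count BY error_code`. It assumes, from what Sageth1 reported, that an empty-string error_code surfaces as a chart column named VALUE; that naming is taken from the thread, not from documented Splunk behaviour. The model shows why `where error_code!="VALUE"` after timechart returns no rows at all (once the chart is built there is no error_code field, so the comparison is null and every row is dropped), why the same filter before timechart changes nothing (the offending value is "", not "VALUE"), and why `fields - VALUE` removes exactly the unwanted column.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Nest data). Some carry an empty
# error_code, mirroring the bare "error_code:" line shown in the question.
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
EVENTS = [
    {"_time": T0 + timedelta(minutes=5),  "error_code": "E23"},
    {"_time": T0 + timedelta(minutes=12), "error_code": ""},
    {"_time": T0 + timedelta(minutes=20), "error_code": "E23"},
    {"_time": T0 + timedelta(minutes=40), "error_code": "W1"},
    {"_time": T0 + timedelta(minutes=50), "error_code": ""},
    {"_time": T0 + timedelta(minutes=70), "error_code": "N5"},
]

SPAN = timedelta(minutes=30)
# Assumption drawn from the thread: the empty split-by value shows up as a
# chart column with this name.
EMPTY_SERIES_NAME = "VALUE"


def timechart_count_by(events, split_field, span=SPAN):
    """Toy stand-in for `timechart span=<span> count BY <split_field>`.

    Returns one row per time bucket: a _time column plus one column per
    distinct split-by value. Missing/None split values are dropped (usenull=f);
    empty strings become the EMPTY_SERIES_NAME column.
    """
    span_s = span.total_seconds()
    buckets = defaultdict(lambda: defaultdict(int))
    columns = set()
    for ev in events:
        if ev.get(split_field) is None:
            continue  # usenull=f: no bucket for a null split value
        value = ev[split_field] if ev[split_field] != "" else EMPTY_SERIES_NAME
        start = datetime.fromtimestamp(
            int(ev["_time"].timestamp() // span_s) * span_s, tz=timezone.utc)
        buckets[start][value] += 1
        columns.add(value)
    rows = []
    for start in sorted(buckets):
        row = {"_time": start}
        for col in sorted(columns):
            row[col] = buckets[start].get(col, 0)
        rows.append(row)
    return rows


def where_field_not_equal(rows, field, value):
    """Stand-in for `| where <field>!="<value>"`.

    As in Splunk, comparing a field the row does not have yields null, and a
    null condition is not true, so such rows are dropped.
    """
    return [r for r in rows if field in r and r[field] != value]


def fields_minus(rows, column):
    """Stand-in for `| fields - <column>`: drops one column from every row."""
    return [{k: v for k, v in r.items() if k != column} for r in rows]


def chart_columns(rows):
    """Names of the series columns in a chart result (everything but _time)."""
    cols = set()
    for r in rows:
        cols.update(r)
    return sorted(c for c in cols if c != "_time")


def filter_events_before_chart():
    """`error_code!="VALUE"` in the base search: a no-op for empty values."""
    kept = where_field_not_equal(EVENTS, "error_code", "VALUE")
    return timechart_count_by(kept, "error_code")


def filter_rows_after_chart():
    """`... | timechart ... | where error_code!="VALUE"`: drops every row."""
    return where_field_not_equal(
        timechart_count_by(EVENTS, "error_code"), "error_code", "VALUE")


def drop_column_after_chart():
    """`... | timechart ... | fields - VALUE`: removes only the bad column."""
    return fields_minus(timechart_count_by(EVENTS, "error_code"), "VALUE")


if __name__ == "__main__":
    print("raw chart columns:   ", chart_columns(timechart_count_by(EVENTS, "error_code")))
    print("filter before chart: ", chart_columns(filter_events_before_chart()))
    print("filter after chart:  ", filter_rows_after_chart())
    print("fields - VALUE:      ", chart_columns(drop_column_after_chart()))
```

The three functions at the end correspond to the three searches in the thread: the `error_code!="VALUE"` term in the final query does nothing on its own, the `where` placed after timechart is what produced "no results", and `fields - VALUE` is the part that actually fixed the chart.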

woodcock
Esteemed Legend

Your search is certainly not what you think it is. I believe you are trying to do this:

index=nest | fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code

0 Karma

Sageth1
New Member

Thanks for the insight. That gives me the same results (which is good because this is cleaner), but it still gives me the value of "VALUE" in the timechart.

0 Karma