I'm using the Nest for Splunk app and am trying to chart the number of power outages I have by duration. I've got the search working almost perfectly:
index=nest | fillnull value=NULL error_code | addinfo | eval duration=(info_max_time - info_min_time) | timechart usenull=f useother=f cont=false span=30m count(duration) by error_code
This gives me the values that I'm looking for (namely error_code=E23) over time, but it also charts a value called "VALUE" which, from what I can tell, is just an empty value in the error_code field.
I can't figure out how to remove that VALUE entry to just show the valid error codes, which start with "E", "N" or "W". I tried using fillnull to make that entry null, and it doesn't break anything, but doesn't fix it. I also added the searches below, but they are definitely not what I'm looking for and I seem to lose the time/duration:
| where error_code != ""
and
| where error_code != "VALUE"
The error_code entry in question looks to be like this in the events field:
equipment_type: electric
error_code:
fan_control_state: false
Any ideas what I'm missing?
Is it a field called "VALUE" or a value of error_code? Try this for both at the same time:
index=nest | fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code | table * | fields - VALUE | where error_code!="VALUE"
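A diagnostic search that separates the two cases the answer above asks about, so you can see where the stray column comes from before filtering it. This is an added example, not part of the original thread; it assumes the Nest app extracts error_code as an empty string (rather than omitting the field) when an event carries "error_code:" with no value.

```spl
index=nest
| eval error_code_state=case(
      isnull(error_code),  "field missing from event",
      error_code=="",      "field present but empty string",
      true(),              "field has a value")
| stats count by error_code_state
```

If the count lands in the empty-string bucket, fillnull will not change it (it only fills fields that are null, not empty strings), so either drop those events before the timechart with | where error_code!="" or fold them into the placeholder with | eval error_code=if(error_code=="", "NULL", error_code).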
This wasn't exact, but it got me there. It was displaying as a value, but it was actually (apparently) a field. This query gave me no results, but I modified my original query and added fields - VALUE and that worked. Now just to tidy up and make a bit more efficient. Thanks for your help. I didn't know about the 'fields' command. Final result:
index=nest error_code!="VALUE" | fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code | fields - VALUE
Your search is certainly not what you think it is. I believe you are trying to do this:
index=nest | fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code
Thanks for the insight. That gives me the same results (which is good because this is cleaner), but it still gives me the value of "VALUE" in the timechart