Splunk Search

How to remove results which are 0 in my timechart search?

khilawar4
Engager

I am trying to find out the index usage per day and getting total usage at the end as well. but if i want to remove all the column from search result which are 0. how to do that?

index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
| eval totalMB = kb /1024
| eval totalGB = round(totalMB /1024, 2)
| timechart useother=f limit=0 span=1d sum(totalGB) as total by series  |addtotals fieldname=TotaldailyUsageinGB
0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
| eval totalGB = round(kb /1024/1024,2)
| bucket span=1d _time
| chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB

View solution in original post

0 Karma

rjthibod
Champion

Try this

| index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
| bin _time span=1d
| chart limit=0 eval(round(sum(kb)/1024/1024,2)) by _time series
| foreach * [eval "<<FIELD>>" = if (isnull('<<FIELD>>') OR '<<FIELD>>' = 0, null(), '<<FIELD>>')]
| addtotals fieldname=TotaldailyUsageinGB
0 Karma

dbcase
Motivator

How about this?

 index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
 | eval totalMB = kb /1024
 | eval totalGB = round(totalMB /1024, 2)
 | timechart useother=f limit=0 span=1d sum(totalGB) as total by series  |where total>0|addtotals fieldname=TotaldailyUsageinGB
0 Karma

khilawar4
Engager

thx for the comment .
your query doesn't give result somehow but below query works.

below query worked for me , added "where" condition.

index=internal metrics kb group="per_index_thruput" NOT series=* NOT series="summary" host=appblx
| eval totalGB = round(kb/1024/1024,2) | where totalGB > 0
| bucket span=1d _time
| chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB

0 Karma

somesoni2
Revered Legend

Give this a try

index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
| eval totalGB = round(kb /1024/1024,2)
| bucket span=1d _time
| chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB
0 Karma

khilawar4
Engager

Still same.

0 Karma

khilawar4
Engager

below query worked for me , added "where" condition.

index=internal metrics kb group="per_index_thruput" NOT series=* NOT series="summary" host=appblx
| eval totalGB = round(kb/1024/1024,2) | where totalGB > 0
| bucket span=1d _time
| chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB

0 Karma

DalJeanis
Legend

Depends on what you mean. Are you trying to remove series whose values are zero, or remove dates which have no activity, or what?

0 Karma

khilawar4
Engager

I am trying to remove output columns (series) whose values are 0

0 Karma
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...