Solved: How to remove results which are 0 in my timechart ...

khilawar4 · ‎01-23-2017

I am trying to find out the index usage per day and getting total usage at the end as well. but if i want to remove all the column from search result which are 0. how to do that?

index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
| eval totalMB = kb /1024
| eval totalGB = round(totalMB /1024, 2)
| timechart useother=f limit=0 span=1d sum(totalGB) as total by series  |addtotals fieldname=TotaldailyUsageinGB

somesoni2 · ‎01-23-2017

Give this a try

index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
| eval totalGB = round(kb /1024/1024,2)
| bucket span=1d _time
| chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB

View solution in original post

rjthibod · ‎01-23-2017

Try this

| index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
| bin _time span=1d
| chart limit=0 eval(round(sum(kb)/1024/1024,2)) by _time series
| foreach * [eval "<<FIELD>>" = if (isnull('<<FIELD>>') OR '<<FIELD>>' = 0, null(), '<<FIELD>>')]
| addtotals fieldname=TotaldailyUsageinGB

dbcase · ‎01-23-2017

How about this?

 index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
 | eval totalMB = kb /1024
 | eval totalGB = round(totalMB /1024, 2)
 | timechart useother=f limit=0 span=1d sum(totalGB) as total by series  |where total>0|addtotals fieldname=TotaldailyUsageinGB

khilawar4 · ‎01-23-2017

thx for the comment .
your query doesn't give result somehow but below query works.

below query worked for me , added "where" condition.

index=internal metrics kb group="per_index_thruput" NOT series=* NOT series="summary" host=appblx
| eval totalGB = round(kb/1024/1024,2) | where totalGB > 0
| bucket span=1d _time
| chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB

somesoni2 · ‎01-23-2017

Give this a try

index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx*
| eval totalGB = round(kb /1024/1024,2)
| bucket span=1d _time
| chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB

khilawar4 · ‎01-23-2017

Still same.

khilawar4 · ‎01-23-2017

below query worked for me , added "where" condition.

index=internal metrics kb group="per_index_thruput" NOT series=* NOT series="summary" host=appblx
| eval totalGB = round(kb/1024/1024,2) | where totalGB > 0
| bucket span=1d _time
| chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB

DalJeanis · ‎01-23-2017

Depends on what you mean. Are you trying to remove series whose values are zero, or remove dates which have no activity, or what?

khilawar4 · ‎01-23-2017

I am trying to remove output columns (series) whose values are 0

How to remove results which are 0 in my timechart search?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!