Solved: How to remove null values from chart

stefan1988 · ‎02-08-2017

Hello,

How could I exclude rows where one out of two domains is showing a null value?

My search is:
| chart avg(time_taken) over uri by domainname

For example I get the following result

Uri | DomainA | DomainB

uri1 1.1 1.2
uri2 2.1
uri3 1.8 0.4

uri2 is having one null value. I would like to exclude the row for uri2.

Many thanks.

masonmorales · ‎02-08-2017

Try

... | eventstats dc(domainname) as doman_count | search domain_count>=2| chart avg(time_taken) over uri by domainname

View solution in original post

masonmorales · ‎02-08-2017

Try

... | eventstats dc(domainname) as doman_count | search domain_count>=2| chart avg(time_taken) over uri by domainname

stefan1988 · ‎02-08-2017

I've tried with eventstats, but I still see rows with null values.

starcher · ‎02-08-2017

if you simply want to drop rows with either column having a null. you could do something like

... | where isnotnull(DomainA) AND isnotnull(DomainB)

stefan1988 · ‎02-09-2017

Both DomainA and DomainB are values (and not fields). Found the answer, it's possible with the following search:

index=in_oracle_soa sourcetype=oracle_soa_server_accesslog NOT "#" | rex "(?<c_ip>[^\t]+)\t(?<datum>[^\t]+)\t(?<tijd>[^\t]+)\t(?<method>[^\t]+)\t(?<uri>[^\t]+)\t(?<status_code>[^\t]+)\t(?<bytes>[^\t]+)\t(?<time_taken>[^\t]+)" |stats avg(time_taken) as "avg" by uri domainname |eventstats dc(domainname) as uniqvalues by uri | where uniqvalues>1 |xyseries uri,domainname,avg

How to remove null values from chart

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor