Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove rows with Zero value?

auaave
Communicator
‎02-08-2018 09:17 PM

Hi guys,

I am making a dashboard with Error Duration per RobotId. Since the duration is in seconds, I rounded it to the nearest Minute. In doing this, if the error duration is less than 1 min the error duration is "0".

How can I get rid of the row where the description is equals to "0" duration?

Thanks a lot!

| eval DURATION=round(DURATION/60) 
| chart sum(DURATION) as "DURATION" over DESCRIPTION by ROBOTID
| addtotals | sort Total Desc
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎02-08-2018 09:24 PM

try this:

...|where DURATION!=0

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎02-10-2018 09:24 PM

Everyone, ** DURATION ** field will not be available in the sample search provided in the question since the chart command has over and by attributes which means the values for ROBOTIDs will be available as fields and not DURATION.

@auaave, You should try the following based on couple of search optimization techniques:

1) Use DURATION, DESCRIPTION and ROBOTID in your base search filter to ensure only events with the three fields present are filtered.
2) Use stats first before eval. This will have two advantages:
(i) Performance improvement as eval should be applied on aggregated data rather than all events.
(ii) DURATION field will be available for filtering. So search filter can be applied upfront to remove the unwanted data.

<YourBaseSearch> DURATION=* DESCRIPTION=* ROBOTID=*
 | stats sum(DURATION) as DURATION by DESCRIPTION ROBOTID
 | eval DURATION=round(DURATION/60) 
 | search DURATION!=0
 | chart sum(DURATION) as "DURATION" over DESCRIPTION by ROBOTID
 | addtotals row=t col=f fieldname=Total
 | fillnull value=0
 | sort - Total Desc

Other changes like fillnull and sort - Total I have suggested based on ideal use case but they are not mandatory to be implemented based on what you are trying to display to the users. For example without fillnull value=0 if you are usingtable, it will show null values. However, if you are using chart, there is a Format Visualization option to fill Null values while displaying the chart (line or area).

Following is a run anywhere search similar to the one in the question based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level=* component=*  date_second=*
| stats sum(date_second) as DURATION by component log_level
| eval DURATION=round(DURATION/60)
| search DURATION!=0
| chart sum(DURATION) as DURATION over component by log_level
| addtotals row=t col=f fieldname=Total
| fillnull value=0
| sort - Total component

Please try out and confirm. You can confirm the performance of this approach vs your current query in the Splunk Search Job Inspector. Do read the documentation on some of the query optimization techniques: http://docs.splunk.com/Documentation/Splunk/latest/Search/Quicktipsforoptimization

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

auaave
Communicator
‎02-12-2018 02:32 PM

@niketnilay, thanks a lot for your help and advise. Learned a lot from and you and the query works well. 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-13-2018 07:02 AM

Anytime @auaave, Splunk Answers is a wonderful community, it teaches us something everyday. Keep learning and keep helping others 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎02-08-2018 09:24 PM

try this:

...|where DURATION!=0
Reply
Solved! Jump to solution

SG
Path Finder
‎05-26-2021 04:45 AM

Thanks for this idea, this helped me to resolve this issue soon.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-10-2018 04:56 PM

Couple of cycles less ; -) with DURATION!=0 | eval DURATION=round(DURATION/60) |where DURATION!=0

0 Karma
Reply
Solved! Jump to solution

auaave
Communicator
‎02-12-2018 02:31 PM

@ddrillic, thanks a lot for your help! 🙂

0 Karma
Reply
Solved! Jump to solution

auaave
Communicator
‎02-12-2018 02:30 PM

@ starcher, yes you are right! I have updated the title. Thanks a lot for your help.

0 Karma
Reply
Solved! Jump to solution

auaave
Communicator
‎02-08-2018 09:29 PM

@493669, thanks! I used where Total!=0 instead

0 Karma
Reply
Solved! Jump to solution

starcher
SplunkTrust
SplunkTrust
‎02-10-2018 10:31 AM

Just some additional information. The title of your post was about null values. Zero is a value. Null is no value at all. if you ever want to test strictly on null or not null without regards to value. 

... | where isnull(DURATION)

... | where isnotnull(DURATION)
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...