Solved: Ignore rows without any values in timechart

rnvrnv · ‎03-06-2018

hi all,
I am trying to create a timechart of number of, for example errors in certain days. In result table i get list of all days. that is fine. what i would like to do now is only show row (day) where some data exist. Will appreciate your help.

regards,
rnv

niketn · ‎03-06-2018

@rnvrnv another option would be to use timechart with cont=f. Following is a run anywhere search based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=1d count as ERRORS cont=f

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎03-06-2018

@rnvrnv another option would be to use timechart with cont=f. Following is a run anywhere search based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=1d count as ERRORS cont=f

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

HiroshiSatoh · ‎03-06-2018

Try this!

(your search)
 | timechart span=1d count by XXX
↓
(your search)
 | bin _time span=1d
 | chart count over _time by XXX

Ignore rows without any values in timechart

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!