Solved: How to exclude field name from visualization?

rxtawell · ‎01-15-2020

Hello, I have a problem where my graphs on the dashboard are showing the field name as a counted type. (i.e. ROUTE) See picture.

There is no line that contains 'ROUTE:' in my data as I am using a CSV without headers. My headers are defined in my custom source type.

My search is: source="C:\QS1\WF_LD.CSV" | stats count by "ROUTE"

How can I remove this from the visualization?

Thanks!

to4kawa · ‎01-15-2020

source="C:\\QS1\\WF_LD.CSV" | stats count by "ROUTE"
|where isnotnull(ROUTE)

OR 

|where ROUTE!=""

hi, @rxtawell
At last, why not remove the line?

and Do you check the statistics ? what's the results?

dindu · ‎01-16-2020

Hi,

Could you please provide the sample data for this.
Also, please try the below SPL

Please try and update us whether this works.

| source="C:\\QS1\\WF_LD.CSV" 
|table ROUTE
|where isnotnull(ROUTE)
|stats count as route_count by ROUTE

to4kawa · ‎01-15-2020

source="C:\\QS1\\WF_LD.CSV" | stats count by "ROUTE"
|where isnotnull(ROUTE)

OR 

|where ROUTE!=""

hi, @rxtawell
At last, why not remove the line?

and Do you check the statistics ? what's the results?

rxtawell · ‎01-16-2020

Thank you, it was as simple as |where ROUTE!=""

richgalloway · ‎01-15-2020

You told Splunk to count the literal string "ROUTE" so that is what it did.

Try source="C:\\QS1\\WF_LD.CSV" | stats count by ROUTE

---
If this reply helps you, Karma would be appreciated.

rxtawell · ‎01-15-2020

Thank you for this. I tried this change but I get the same results.

How to exclude field name from visualization?