Timechart glich with column VALUE

gorosco · ‎05-19-2020

Got a cenario where timechart returned me a column named 'VALUE' where I don't have a value=VALUE in my logs as part of my by clause

index=xpto
| rename field as NormalizedField
| stats count by NormalizedField
| join type=inner NormalizedField
      [ inputlookup table.csv] `coment("This table has 150000 rows with 1 column to make a filter on NormalizedField")`
|  timechart sum(count) as count span=60m by NormalizedField usenull=f useother=f limit=10 partial=f

The results where something like this:

_time | 3.4 | 3.5 | 3.8 | 3.8.2 | 3.9.0 | 3.9.1 | VALUE

My Problem is why this "VALUE" column is there if my NormalizedField don't ever have this result?

If I just do another stats instead of timechart I don't see this "VALUE" as a row for my NormalizedField.
Any toughts?

maityayan1996 · ‎05-19-2020

In the top 10 value there is a field value like " "(NULL) for that one it is creating field call VALUE. You can modify your query like this way. You will get the output as expected. Please find the below image for your reference.

index=xpto
| rename field as NormalizedField
| stats count by NormalizedField
| join type=inner NormalizedField
[ inputlookup table.csv] coment("This table has 150000 rows with 1 column to make a filter on NormalizedField") | where isnotnull(NormalizedField)
| timechart sum(count) as count span=60m by NormalizedField usenull=f useother=f limit=10 partial=f

gorosco · ‎05-20-2020

I want precicely remove the VALUE column and I've made some filters do remove values where len(NormalizedField) < 2, just in case I had a field value like " " and I still got the problem.
As I know how many outputcolumns I should have I have narrow down the limit to that number to hide the column VALUE

Timechart glich with column VALUE

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases