topic Re: How to remove a specific value from timechart? in All Apps and Add-ons

How to remove a specific value from timechart?

Sageth1 — Mon, 28 Sep 2020 20:25:36 GMT

I'm using the Nest for Splunk app and am trying to chart the number of power outages I have by duration. I've got the search working almost perfectly:

index=nest | fillnull value=NULL error_code |  addinfo | eval duration=(info_max_time - info_min_time) | timechart usenull=f useother=f cont=false span=30m count(duration) by error_code

This gives me the values that I'm looking for (namely error_code=E23) over time, but it also charts a value called "VALUE" which, from what I can tell, is just an empty value in the error_code field.

I can't figure out how to remove that VALUE entry to just show the valid error codes, which start with "E", "N" or "W." I tried using fillnull to make that entry null, and it doesn't break anything, but doesn't fix it. I also added the searches below, but they are definitely not what I'm looking for and I seem to lose the time/duration:
| where error_code != "" and
| where error_code != "VALUE"

The error_code entry in question looks to be like this in the events field:

equipment_type:  electric 
error_code: 
fan_control_state:  false

Any ideas what I'm missing?

Re: How to remove a specific value from timechart?

woodcock — Tue, 30 Jun 2015 16:21:21 GMT

Your search is certainly not what you think it is. I believe you are trying to do this:

index=nest | fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code

Re: How to remove a specific value from timechart?

Sageth1 — Tue, 30 Jun 2015 16:25:17 GMT

Thanks for the insight. That gives me the same results (which is good because this is cleaner), but it still gives me the value of "VALUE" in the timechart

Re: How to remove a specific value from timechart?

woodcock — Tue, 30 Jun 2015 16:40:27 GMT

Is it a field called "VALUE" or a value of error_code? Try this for both at the same time

 index=nest | fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code | table * | fields - VALUE | where error_code!="VALUE"

Re: How to remove a specific value from timechart?

Sageth1 — Tue, 30 Jun 2015 16:44:56 GMT

This wasn't exact, but it got me there. It was displaying as a value, but it was actually (apparently) a field. This query gave me no results, but I modified my original query and added fields - VALUE and that worked. Now just to tidy up and make a bit more efficient. Thanks for your help. I didn't know about the 'fields' command. Final result: index=nest error_code!="VALUE"| fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code | fields - VALUE