https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363060#M107247 <P>@493669, thanks! I used where Total!=0 instead</P> Fri, 09 Feb 2018 05:29:21 GMT auaave 2018-02-09T05:29:21Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363058#M107245 <P>Hi guys,</P> <P>I am making a dashboard with Error Duration per RobotId. Since the duration is in seconds, I rounded it to the nearest Minute. In doing this, if the error duration is less than 1 min the error duration is "0".</P> <P>How can I get rid of the row where the description is equals to "0" duration? </P> <P>Thanks a lot!</P> <PRE><CODE>| eval DURATION=round(DURATION/60) | chart sum(DURATION) as "DURATION" over DESCRIPTION by ROBOTID | addtotals | sort Total Desc </CODE></PRE> Fri, 09 Feb 2018 05:17:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363058#M107245 auaave 2018-02-09T05:17:53Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363059#M107246 <P>try this:</P> <PRE><CODE>...|where DURATION!=0 </CODE></PRE> Fri, 09 Feb 2018 05:24:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363059#M107246 493669 2018-02-09T05:24:10Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363060#M107247 <P>@493669, thanks! I used where Total!=0 instead</P> Fri, 09 Feb 2018 05:29:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363060#M107247 auaave 2018-02-09T05:29:21Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363061#M107248 <P>Just some additional information. The title of your post was about null values. Zero is a value. Null is no value at all. if you ever want to test strictly on null or not null without regards to value. </P> <PRE><CODE>... | where isnull(DURATION) ... | where isnotnull(DURATION) </CODE></PRE> Sat, 10 Feb 2018 18:31:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363061#M107248 starcher 2018-02-10T18:31:03Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363062#M107249 <P>Couple of cycles less ; -) with <CODE>DURATION!=0 | eval DURATION=round(DURATION/60) |where DURATION!=0</CODE></P> Sun, 11 Feb 2018 00:56:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363062#M107249 ddrillic 2018-02-11T00:56:09Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363063#M107250 <P>Everyone, ** <CODE>DURATION</CODE> ** field will not be available in the sample search provided in the question since the <CODE>chart</CODE> command has <CODE>over</CODE> and <CODE>by</CODE> attributes which means the <CODE>values for ROBOTIDs</CODE> will be available as fields and <CODE>not DURATION</CODE>.</P> <P>@auaave, You should try the following based on couple of search optimization techniques:</P> <P>1) Use DURATION, DESCRIPTION and ROBOTID in your base search filter to ensure only events with the three fields present are filtered.<BR /> 2) Use stats first before eval. This will have two advantages:<BR /> (i) Performance improvement as eval should be applied on aggregated data rather than all events.<BR /> (ii) DURATION field will be available for filtering. So search filter can be applied upfront to remove the unwanted data.</P> <PRE><CODE>&lt;YourBaseSearch&gt; DURATION=* DESCRIPTION=* ROBOTID=* | stats sum(DURATION) as DURATION by DESCRIPTION ROBOTID | eval DURATION=round(DURATION/60) | search DURATION!=0 | chart sum(DURATION) as "DURATION" over DESCRIPTION by ROBOTID | addtotals row=t col=f fieldname=Total | fillnull value=0 | sort - Total Desc </CODE></PRE> <P>Other changes like <CODE>fillnull</CODE> and <CODE>sort - Total</CODE> I have suggested based on ideal use case but they are not mandatory to be implemented based on what you are trying to display to the users. For example without <CODE>fillnull value=0</CODE> if you are using<CODE>table</CODE>, it will show null values. However, if you are using chart, there is a <CODE>Format Visualization</CODE> option to fill <CODE>Null</CODE> values while displaying the chart (line or area).<BR /><BR /> Following is a run anywhere search similar to the one in the question based on Splunk's _internal index</P> <PRE><CODE>index=_internal sourcetype=splunkd log_level=* component=* date_second=* | stats sum(date_second) as DURATION by component log_level | eval DURATION=round(DURATION/60) | search DURATION!=0 | chart sum(DURATION) as DURATION over component by log_level | addtotals row=t col=f fieldname=Total | fillnull value=0 | sort - Total component </CODE></PRE> <P>Please try out and confirm. You can confirm the performance of this approach vs your current query in the Splunk Search Job Inspector. Do read the documentation on some of the query optimization techniques: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Quicktipsforoptimization">http://docs.splunk.com/Documentation/Splunk/latest/Search/Quicktipsforoptimization</A></P> Sun, 11 Feb 2018 05:24:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363063#M107250 niketn 2018-02-11T05:24:43Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363064#M107251 <P>@ starcher, yes you are right! I have updated the title. Thanks a lot for your help.</P> Mon, 12 Feb 2018 22:30:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363064#M107251 auaave 2018-02-12T22:30:38Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363065#M107252 <P>@ddrillic, thanks a lot for your help! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 12 Feb 2018 22:31:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363065#M107252 auaave 2018-02-12T22:31:26Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363066#M107253 <P>@niketnilay, thanks a lot for your help and advise. Learned a lot from and you and the query works well. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 12 Feb 2018 22:32:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363066#M107253 auaave 2018-02-12T22:32:49Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363067#M107254 <P>Anytime @auaave, Splunk Answers is a wonderful community, it teaches us something everyday. Keep learning and keep helping others <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 13 Feb 2018 15:02:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/363067#M107254 niketn 2018-02-13T15:02:03Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/553128#M157013 <P>Thanks for this idea, this helped me to resolve this issue soon.</P> Wed, 26 May 2021 11:45:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-rows-with-Zero-value/m-p/553128#M157013 SG 2021-05-26T11:45:35Z