topic How to remove a column if only one column exists from a search? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-remove-a-column-if-only-one-column-exists-from-a-search/m-p/408964#M118022 <P>I have a timechart that shows the timechart of errors in a timeframe. </P> <P><CODE>index=......| eval error=if(apiHttpStatus!=200, apiErrorCode, "Success")<BR /> | bin span=1m _time<BR /> | stats count by _time, error <BR /> | eventstats sum(count) as total by _time <BR /> | eval perc=round((count*100)/total,2)<BR /> | timechart span=1m values(perc) by error</CODE></P> <P>This correctly displays the timechart of the error in the given timeframe. However, I want to remove successes from the final view, but not from the count. If an error occurs 1% of the time, I don't want to see in the view that 99% of events are successes, but I can't filter out successes from the initial search. I've done this by adding</P> <P><CODE>| timechart span=1m values(perc) by error<BR /> | fields - Success</CODE></P> <P>After the timechart. However, this leads to the odd situation where if I have had no errors in the time window, the result is a table of time and nothing else, resulting in a weird visual. How do I remove all data (resulting in no results found) if the only results are successes?</P> Wed, 23 May 2018 21:20:49 GMT brajaram 2018-05-23T21:20:49Z How to remove a column if only one column exists from a search? https://community.splunk.com/t5/Splunk-Search/How-to-remove-a-column-if-only-one-column-exists-from-a-search/m-p/408964#M118022 <P>I have a timechart that shows the timechart of errors in a timeframe. </P> <P><CODE>index=......| eval error=if(apiHttpStatus!=200, apiErrorCode, "Success")<BR /> | bin span=1m _time<BR /> | stats count by _time, error <BR /> | eventstats sum(count) as total by _time <BR /> | eval perc=round((count*100)/total,2)<BR /> | timechart span=1m values(perc) by error</CODE></P> <P>This correctly displays the timechart of the error in the given timeframe. However, I want to remove successes from the final view, but not from the count. If an error occurs 1% of the time, I don't want to see in the view that 99% of events are successes, but I can't filter out successes from the initial search. I've done this by adding</P> <P><CODE>| timechart span=1m values(perc) by error<BR /> | fields - Success</CODE></P> <P>After the timechart. However, this leads to the odd situation where if I have had no errors in the time window, the result is a table of time and nothing else, resulting in a weird visual. How do I remove all data (resulting in no results found) if the only results are successes?</P> Wed, 23 May 2018 21:20:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-a-column-if-only-one-column-exists-from-a-search/m-p/408964#M118022 brajaram 2018-05-23T21:20:49Z Re: How to remove a column if only one column exists from a search? https://community.splunk.com/t5/Splunk-Search/How-to-remove-a-column-if-only-one-column-exists-from-a-search/m-p/408965#M118023 <P>Found a really simple solution, feel dumb now. Just need to append <CODE>| search error!=Success</CODE></P> <P><CODE>index=......| eval error=if(apiHttpStatus!=200, apiErrorCode, "Success") | bin span=1m _time | stats count by _time, error | eventstats sum(count) as total by _time | eval perc=round((count*100)/total,2) | search error!=Success| timechart span=1m values(perc) by error</CODE></P> Wed, 23 May 2018 22:34:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-a-column-if-only-one-column-exists-from-a-search/m-p/408965#M118023 brajaram 2018-05-23T22:34:48Z