topic Re: Get columns that have non-zero value columns over time (using timechart) in Splunk Search

Get columns that have non-zero value columns over time (using timechart)

sahil237888 — Fri, 14 Feb 2020 12:17:27 GMT

Hi Team,
Can anyone help me on this -
I want to Get columns that have non-zero values over time (using timechart).

_time Column1 Column2 Column3 Column4 Column5 Column N
2/14/2020 2:11 0 0 0 0 0 0
2/14/2020 2:12 0 0 0 0 0 0
2/14/2020 2:13 1 0 0 0 0 0
2/14/2020 2:14 0 0 1 0 0 0
2/14/2020 2:15 0 0 0 5 0 0
2/14/2020 2:16 0 0 0 0 0 0
2/14/2020 2:17 0 0 0 0 0 0
2/14/2020 2:18 0 0 0 0 0 0

The query I am using (But I am not able to remove zero value columns )

index=servers sourcetype=server_list Columns ="*"
| timechart span=1m count as Total by Columns
| where Columns > 0

Re: Get columns that have non-zero value columns over time (using timechart)

codebuilder — Fri, 14 Feb 2020 15:58:10 GMT

You just need to modify your search:

index=servers sourcetype=server_list Columns > 0
| timechart span=1m count as Total by Columns

You can test using the _internal index with the following (e.g.):

index=_internal max_size_kb > 0
| timechart span=1m count as Total by max_size_kb

Re: Get columns that have non-zero value columns over time (using timechart)

to4kawa — Fri, 14 Feb 2020 23:52:30 GMT

e.g.

index=_internal max_size_kb > 0
 | timechart span=1m count as Total by max_size_kb
 | foreach * [ eval check=max(check,'<<FIELD>>') ]
 | where check > 0

recommend:

index=servers sourcetype=server_list Columns > 0
| timechart span=1m count as Total by Columns
| foreach * [ eval check=max(check,'<<FIELD>>') ]
| where check > 0