https://community.splunk.com/t5/Splunk-Search/replace-or-hide-aggregate-0s-in-timechart/m-p/64822#M16001 <P>I have a search that returns number of apache processes per host:</P> <P>sourcetype="ps" earliest="-7m" | multikv filter apache | search USER="apache" | timechart span=30s count as linecount_apache by host</P> <P>However, this results in 0 values for some hosts for last or first rows when, presumably, some data is out of range or isn't available yet. What would be the best way to hide or replace these 0s with nulls so they are not displayed on the report? Piping to eval or replace like this:</P> <P>| eval linecount_apache=if(linecount_apache==0,null,linecount_apache)</P> <P>seemed to have no effect on the result. Thank you.</P> Mon, 28 Sep 2020 09:49:58 GMT zdavitiani_splu 2020-09-28T09:49:58Z https://community.splunk.com/t5/Splunk-Search/replace-or-hide-aggregate-0s-in-timechart/m-p/64822#M16001 <P>I have a search that returns number of apache processes per host:</P> <P>sourcetype="ps" earliest="-7m" | multikv filter apache | search USER="apache" | timechart span=30s count as linecount_apache by host</P> <P>However, this results in 0 values for some hosts for last or first rows when, presumably, some data is out of range or isn't available yet. What would be the best way to hide or replace these 0s with nulls so they are not displayed on the report? Piping to eval or replace like this:</P> <P>| eval linecount_apache=if(linecount_apache==0,null,linecount_apache)</P> <P>seemed to have no effect on the result. Thank you.</P> Mon, 28 Sep 2020 09:49:58 GMT https://community.splunk.com/t5/Splunk-Search/replace-or-hide-aggregate-0s-in-timechart/m-p/64822#M16001 zdavitiani_splu 2020-09-28T09:49:58Z https://community.splunk.com/t5/Splunk-Search/replace-or-hide-aggregate-0s-in-timechart/m-p/64823#M16002 <P>Hi! You can use the fillnull command, as described in this topic:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull</A></P> <P>to fill the empty field values with NULL:</P> <PRE><CODE>... | fillnull value=NULL </CODE></PRE> <P>before the timechart command, for example:</P> <PRE><CODE>... | fillnull linecount_apache=NULL | timechart span=30s count as linecount_apache by host </CODE></PRE> <P>Hope this helps!</P> Thu, 25 Aug 2011 18:37:10 GMT https://community.splunk.com/t5/Splunk-Search/replace-or-hide-aggregate-0s-in-timechart/m-p/64823#M16002 sophy 2011-08-25T18:37:10Z https://community.splunk.com/t5/Splunk-Search/replace-or-hide-aggregate-0s-in-timechart/m-p/64824#M16003 <P>Use the 'partial' argument to timechart:</P> <PRE><CODE>| timechart span=30s count as linecount_apache by host partial=f </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart</A></P> <PRE><CODE>partial Syntax: partial=&lt;bool&gt; Description: Controls if partial time buckets should be retained or not. Only the first and last bucket could ever be partial. Defaults to True|T, meaning that they are retained. </CODE></PRE> Thu, 25 Aug 2011 20:32:00 GMT https://community.splunk.com/t5/Splunk-Search/replace-or-hide-aggregate-0s-in-timechart/m-p/64824#M16003 araitz 2011-08-25T20:32:00Z