https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586079#M204165 <P>I received the same results... I may just try a different approach, i just feel like it shouldnt be this difficult</P> Tue, 22 Feb 2022 16:18:34 GMT mchristian 2022-02-22T16:18:34Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585621#M204039 <P>So I'm trying to chart blocked traffic(IPs) over 7 days... the purpose to help locate beaconing traffic (this has worked at a previous job but im taking it a step further by only wanting to see days with values.... example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mchristian_0-1645546811822.png" style="width: 680px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18074iE6E070A3F24FC96F/image-dimensions/680x153?v=v2" width="680" height="153" role="button" title="mchristian_0-1645546811822.png" alt="mchristian_0-1645546811822.png" /></span></P> <P>I would want to see results that only show, All days with values... Query works just see alot of days with 0 data</P> <P>Here's my query:</P> <P>index="pan_logs" sourcetype="pan:traffic" dest_zone="Public" src="10.11.16*" action=blocked<BR />| chart count(dest) by dest date_wday</P> Tue, 22 Feb 2022 17:15:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585621#M204039 mchristian 2022-02-22T17:15:52Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585623#M204040 <LI-CODE lang="markup">| foreach * [| eval &lt;&lt;FIELD&gt;&gt;=if(&lt;&lt;FIELD&gt;&gt;=0,null(),&lt;&lt;FIELD&gt;&gt;)]</LI-CODE> Thu, 17 Feb 2022 18:47:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585623#M204040 ITWhisperer 2022-02-17T18:47:59Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585627#M204042 <P>That didnt work, pretty much gave the same results, instead of 0 its giving a blank or NULL.</P> Thu, 17 Feb 2022 19:24:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585627#M204042 mchristian 2022-02-17T19:24:08Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585635#M204043 <P>Is that not what you wanted?</P> Thu, 17 Feb 2022 21:43:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585635#M204043 ITWhisperer 2022-02-17T21:43:23Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585701#M204066 <P>No i would only want to see results that have values for all days, like example 2.2.2.2</P> Fri, 18 Feb 2022 12:55:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585701#M204066 mchristian 2022-02-18T12:55:20Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585708#M204067 <LI-CODE lang="markup">| untable dest date_wday count | eventstats min(count) as minimum by dest | where minimum&gt;0 | xyseries dest date_wday count</LI-CODE> Fri, 18 Feb 2022 13:32:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585708#M204067 ITWhisperer 2022-02-18T13:32:13Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585718#M204070 <P>Give this a try</P><LI-CODE lang="markup">index="pan_logs" sourcetype="pan:traffic" dest_zone="Public" src="10.11.16*" action=blocked | chart count(dest) by dest date_wday | eval do_not_show=0 | foreach M* T* W* F* S* [| eval do_not_show= do_not_show+if('&lt;&lt;FIELD&gt;&gt;'==0,1,0)] | where do_not_show=0 | fields - do_not_show</LI-CODE> Fri, 18 Feb 2022 15:02:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/585718#M204070 somesoni2 2022-02-18T15:02:09Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586066#M204155 <P>Im still receiving 0 under days</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mchristian_0-1645544742715.png" style="width: 533px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18073iCA40C51814357A3B/image-dimensions/533x100?v=v2" width="533" height="100" role="button" title="mchristian_0-1645544742715.png" alt="mchristian_0-1645544742715.png" /></span></P><P>&nbsp;</P> Tue, 22 Feb 2022 15:45:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586066#M204155 mchristian 2022-02-22T15:45:56Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586070#M204157 <P>that didnt produce any results</P> Tue, 22 Feb 2022 15:54:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586070#M204157 mchristian 2022-02-22T15:54:14Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586072#M204159 <LI-CODE lang="markup">| makeresults | eval _raw="Dest IP,Monday,Tuesday,Wed,Thurs,Friday 1.1.1.1,5,3,0,0,0 2.2.2.2,3,3,3,3,3" | multikv forceheader=1 | table Dest_IP Monday Tuesday Wed Thurs Friday | untable Dest_IP date_wday count | eventstats min(count) as minimum by Dest_IP | where minimum&gt;0 | xyseries Dest_IP date_wday count</LI-CODE> Tue, 22 Feb 2022 15:58:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586072#M204159 ITWhisperer 2022-02-22T15:58:46Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586075#M204161 <P>Try this (accounting for case difference for field name)</P><LI-CODE lang="markup">index="pan_logs" sourcetype="pan:traffic" dest_zone="Public" src="10.11.16*" action=blocked | chart count(dest) by dest date_wday | eval do_not_show=0 | foreach M* m* T* t* W* w* F* f* S* s* [| eval do_not_show= do_not_show+if('&lt;&lt;FIELD&gt;&gt;'==0,1,0)] | where do_not_show=0 | fields - do_not_show</LI-CODE> Tue, 22 Feb 2022 16:01:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586075#M204161 somesoni2 2022-02-22T16:01:29Z https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586079#M204165 <P>I received the same results... I may just try a different approach, i just feel like it shouldnt be this difficult</P> Tue, 22 Feb 2022 16:18:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-chart-command-to-show-results-for-only-days-with/m-p/586079#M204165 mchristian 2022-02-22T16:18:34Z