https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250712#M74912 <P>Depends on what you mean. Are you trying to remove series whose values are zero, or remove dates which have no activity, or what?</P> Mon, 23 Jan 2017 21:03:52 GMT DalJeanis 2017-01-23T21:03:52Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250711#M74911 <P>I am trying to find out the index usage per day and getting total usage at the end as well. but if i want to remove all the column from search result which are 0. how to do that?</P> <PRE><CODE>index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx* | eval totalMB = kb /1024 | eval totalGB = round(totalMB /1024, 2) | timechart useother=f limit=0 span=1d sum(totalGB) as total by series |addtotals fieldname=TotaldailyUsageinGB </CODE></PRE> Mon, 23 Jan 2017 20:14:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250711#M74911 khilawar4 2017-01-23T20:14:44Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250712#M74912 <P>Depends on what you mean. Are you trying to remove series whose values are zero, or remove dates which have no activity, or what?</P> Mon, 23 Jan 2017 21:03:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250712#M74912 DalJeanis 2017-01-23T21:03:52Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250713#M74913 <P>I am trying to remove output columns (series) whose values are 0</P> Mon, 23 Jan 2017 21:07:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250713#M74913 khilawar4 2017-01-23T21:07:10Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250714#M74914 <P>Give this a try</P> <PRE><CODE>index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx* | eval totalGB = round(kb /1024/1024,2) | bucket span=1d _time | chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB </CODE></PRE> Mon, 23 Jan 2017 21:07:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250714#M74914 somesoni2 2017-01-23T21:07:32Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250715#M74915 <P>Still same.</P> Mon, 23 Jan 2017 21:14:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250715#M74915 khilawar4 2017-01-23T21:14:12Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250716#M74916 <P>below query worked for me , added "where" condition. </P> <P>index=<EM>internal metrics kb group="per_index_thruput" NOT series=</EM>* NOT series="<EM>summary</EM>" host=<EM>appblx</EM><BR /> | eval totalGB = round(kb/1024/1024,2) | where totalGB &gt; 0<BR /> | bucket span=1d _time <BR /> | chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB</P> Tue, 29 Sep 2020 12:31:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250716#M74916 khilawar4 2020-09-29T12:31:35Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250717#M74917 <P>How about this?</P> <PRE><CODE> index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx* | eval totalMB = kb /1024 | eval totalGB = round(totalMB /1024, 2) | timechart useother=f limit=0 span=1d sum(totalGB) as total by series |where total&gt;0|addtotals fieldname=TotaldailyUsageinGB </CODE></PRE> Mon, 23 Jan 2017 21:22:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250717#M74917 dbcase 2017-01-23T21:22:17Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250718#M74918 <P>Try this</P> <PRE><CODE>| index=_internal metrics kb group="per_index_thruput" NOT series=_* NOT series="*summary*" host=*appblx* | bin _time span=1d | chart limit=0 eval(round(sum(kb)/1024/1024,2)) by _time series | foreach * [eval "&lt;&lt;FIELD&gt;&gt;" = if (isnull('&lt;&lt;FIELD&gt;&gt;') OR '&lt;&lt;FIELD&gt;&gt;' = 0, null(), '&lt;&lt;FIELD&gt;&gt;')] | addtotals fieldname=TotaldailyUsageinGB </CODE></PRE> Mon, 23 Jan 2017 21:31:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250718#M74918 rjthibod 2017-01-23T21:31:43Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250719#M74919 <P>thx for the comment . <BR /> your query doesn't give result somehow but below query works.</P> <P>below query worked for me , added "where" condition.</P> <P>index=internal metrics kb group="per_index_thruput" NOT series=* NOT series="summary" host=appblx<BR /> | eval totalGB = round(kb/1024/1024,2) | where totalGB &gt; 0<BR /> | bucket span=1d _time <BR /> | chart sum(totalGB) as total by _time series limit=0 |addtotals fieldname=TotaldailyUsageinGB</P> Tue, 29 Sep 2020 12:31:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-results-which-are-0-in-my-timechart-search/m-p/250719#M74919 khilawar4 2020-09-29T12:31:38Z