topic Re: How do I filter my time chart results to only display devices that have a count of zero for any week within a certain time range? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-time-chart-results-to-only-display-devices/m-p/281196#M84829 <P>That worked perfectly, thank you for the step by step explanation, it was very helpful.</P> Tue, 12 Apr 2016 13:48:23 GMT g038123 2016-04-12T13:48:23Z How do I filter my time chart results to only display devices that have a count of zero for any week within a certain time range? https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-time-chart-results-to-only-display-devices/m-p/281194#M84827 <P>I'm fairly new to Splunk and have a search that basically returns a count of the number of times a device logs in to our system and uploads data each week. The time chart looks similar to this. </P> <PRE><CODE>_time Device A Device B Device C Device D 2015-10-04 1 1 1 0 2015-10-11 1 1 1 0 2015-10-18 1 1 1 2 2015-10-25 1 0 1 1 2015-11-01 1 0 2 1 2015-11-08 1 1 1 1 2015-11-15 1 1 3 1 </CODE></PRE> <P>The only devices I'm concerned about are those that have zero connections at some point: Devices B and D. How would I filter those that are working as intended, Devices A and C, from my results?<BR /> The total device list can be in the thousands depending on the geography I search in. I'm only interested in the ones that appear to be having issues, those with a zero count for a week or more, so I can focus on that population.</P> <P>Thank you in advance for any help.</P> Mon, 11 Apr 2016 18:51:52 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-time-chart-results-to-only-display-devices/m-p/281194#M84827 g038123 2016-04-11T18:51:52Z Re: How do I filter my time chart results to only display devices that have a count of zero for any week within a certain time range? https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-time-chart-results-to-only-display-devices/m-p/281195#M84828 <P>This should do:</P> <PRE><CODE> base search | timechart count by device | untable _time device count | eventstats min(count) as min by device | where min=0 | xyseries _time device count </CODE></PRE> <P>First, make your initial timechart and flip that into a stats-like table, then filter by "device has a value that's zero", then flip back into timechart-like table.</P> Mon, 11 Apr 2016 20:20:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-time-chart-results-to-only-display-devices/m-p/281195#M84828 martin_mueller 2016-04-11T20:20:27Z Re: How do I filter my time chart results to only display devices that have a count of zero for any week within a certain time range? https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-time-chart-results-to-only-display-devices/m-p/281196#M84829 <P>That worked perfectly, thank you for the step by step explanation, it was very helpful.</P> Tue, 12 Apr 2016 13:48:23 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-filter-my-time-chart-results-to-only-display-devices/m-p/281196#M84829 g038123 2016-04-12T13:48:23Z